Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

1131416181922

Comments

  • Registered Users, Registered Users 2 Posts: 122 ✭✭traveller0101


    Absolutely. Under GDPR when you have an active account your posts are your data and you have every right to delete them. It would be petty and vindictive of us in the extreme to want to close down your account just because you invoked your god-given (or least GDPR-given) rights! :)

    Hopefully, even if a user decides to delete all their posts that won't stop them contributing to Boards and continuing to post in the future.

    What does active account have anything to do with it? If you tie together IP addresses, then you should be deleting all the data linked to that person.


  • Registered Users, Registered Users 2 Posts: 30,123 ✭✭✭✭Star Lord


    What does active account have anything to do with it? If you tie together IP addresses, then you should be deleting all the data linked to that person.

    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their isp, and can change at any given time.


  • Closed Accounts Posts: 21,730 ✭✭✭✭Fred Swanson


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 22,815 ✭✭✭✭Esel
    Not Your Ornery Onager


    Star Lord wrote: »
    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their isp, and can change at any given time.

    Still traceable via ISP though, no?

    Not your ornery onager



  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    Star Lord wrote: »
    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their isp, and can change at any given time.

    Sometimes it can be linked, sometimes it can't.

    But in any case to be GDPR compliant the only practical option when you log user IP addresses is to treat them as personal data.


  • Advertisement
  • Banned (with Prison Access) Posts: 2,492 ✭✭✭pleas advice


    Inactive Accounts

    Under the GDPR principle of not retaining personal data longer than is required we intend to email all inactive users (users who have not logged onto Boards for 6 years or more) to see if they still want to remain a member of Boards. Inactive users will have 30 days to log onto the site. If they do so within the 30 days we will remove them from the inactive user list. If they do not we will assume that they no longer wish to retain their Boards account and we will begin the process of closing their accounts..

    Will this be an ongoing thing, or a once-off?


  • Moderators, Category Moderators, Arts Moderators, Business & Finance Moderators, Entertainment Moderators, Society & Culture Moderators Posts: 18,341 CMod ✭✭✭✭Nody


    Will this be an ongoing thing, or a once-off?
    Well to remain compliant over time I'd guess it will be done as a once a year or similar exercise as the 6 year limit is arbitrary there is no need to do it daily/weekly etc.


  • Registered Users, Registered Users 2 Posts: 36,422 ✭✭✭✭LuckyLloyd


    Well to be fair, Boards have tackled this head on - fair play.

    I won't lie that I enjoy the irony that those who closed accounts in the past - i.e. those most eager to run away from their past on the site - will now not have the opportunities to benefit from or abuse the new rights that stem from GDPR.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Esel wrote: »
    Seán - say a third party gets access to a device with a logged-in account, and requests deletion? The owner would know nothing and find all their posts gone.

    Or a tired and emotional user requests deletion and later regrets doing so.

    Have you given any thought to restoration in these scenarios?
    Beasty wrote: »
    Once processed the deletion cannot be reversed and I'm sure the site would not want to be perceived to being obstructive in any way when observing such legal rights. It will all be dealt with by the office.

    The privacy policy indicates requests will be processed within 30 days, but does not indicate any "cooling off period". Maybe they could introduce an automatic "are you sure" reply, or a minimum processing period within those 30 days
    Bob24 wrote: »
    Since GDPR requires boards to permanently delete personal data upon request, it wouldn't be very reasonable to expect them to have any long term restoration process*. They could have some kind of cooling off period whereby the data is marked for deletion but only really deleted after a week and a second confirmation from the requester, but IMO it could be over engineering it a bit for a very small number of cases - and there would be a risk of some people accusing boards of dragging its feet to process requests.

    Also while I'm not saying it could never happen, since the deletion process will require to provide identification documents, the chances of someone impersonating an other person are reduced.


    * it was explained that the deleted post will remain in backups for 30 days though, so I guess technically restoration would be possible within that timeframe, but TBH if it was me I don't think I would bother with selectively restoring a database for a post that someone regrets deleting (a case of mass deletion due to boards mistake might be different but I doubt it would happen very often).

    So, I think these are very fair and valuable points and based on the feedback we have now updated our procedures regarding requests to delete posts.

    As before, in order to verify identity a user should send such requests via PM. Once we have received any such request we will send out a confirmation email to the email address associated with the user's account, informing them that a request has been received to delete some or all of their posts.

    The user will then have 7 days during which they can email us back cancelling the request to delete their posts.

    If we do not hear back from them within 7 days we will then begin the process of removing their posts from our systems.

    It is important to note that there are no additional steps or barriers introduced here when a user wishes to delete their posts. As before, all they have to do is send us a single PM requesting such. They are free to ignore the confirmation email we send them as after 7 days we will go ahead and begin removing the posts.

    However, as suggested this does introduce an confirmation step and a cooling off period in cases of malicious requests or when a user might have been feeling a bit overly tired and emotional!

    Thanks for the very helpful feedback :)


  • Advertisement
  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Esel wrote: »
    By deletion, I clearly implied deletion of all posts.

    Verification of requests must be robust.

    Do the new terms say that a request for all personal data will result in an encrypted file being provided, with the key in a separate e-mail? How secure is that process?
    Patww79 wrote: »
    This post has been deleted.
    Turtwig wrote: »
    Are PM's not readable from your email though? You don't need to log onto boards to read a PM.

    The issue here is that if a user's email account is compromised then an attacker could either get access to a copy of their personal data that we store on our systems.

    This is true. But it also the case that even before last Friday and the introduction of GDPR this was true. If an attacker compromised a user's email account and had a quick look around the logon procedure for the site, then they could access nearly all the same information.

    How? Well, they'd go to Boards and click on the Forgot Password option on the login screen. They'd enter the email address of the compromised account and get a password reset email. This would then allow them to log onto that account. The personal data we send out as a result of GDPR is data we hold in your Control Panel settings, your posts and your PM's. In the scenario I'm describing an attacker would have access to all this data once they'd logged onto the compromised account other than soft deleted posts.

    So, if a user's email account is compromised then their Boards account can also be compromised. The current solutions we have put in for GDPR have the same level of account security as we have had (and AFAIK have been happy with) for years.

    We aren't claiming that we have the highest level of security and we definitely could put in place more robust procedures, for example requiring that a much more secure level of identity verification be provided before we would process GDPR requests. But that could be seen as introducing additional barriers to people being able to reasonably access their rights to the personal data and we need to balance security with this right of reasonable access.

    In this regard, we are not different for many other sites in that illicit access to an account can be obtained by compromising the user's email account and requesting a password reset email be sent to that compromised account.

    Finally, it should be noted that we don't process any special or senstive categories of personal data. GDPR defines special categories of personal data as data revealing "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation". We capture none of this data during registration or subsequently; services that do process these types of data may need a much higher level of security.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    What does active account have anything to do with it? If you tie together IP addresses, then you should be deleting all the data linked to that person.
    Star Lord wrote: »
    An IP address is not necessarily linked to a person. They can, and usually are, shared. Most people do not have static IP addresses, but rather one that's randomly assigned by their isp, and can change at any given time.
    Esel wrote: »
    Still traceable via ISP though, no?
    Bob24 wrote: »
    Sometimes it can be linked, sometimes it can't.

    But in any case to be GDPR compliant the only practical option when you log user IP addresses is to treat them as personal data.

    GDPR defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

    Our advice is that IP addresses are a type of identifier which may allow for the identification of an individual, thereby turning that person into an “identifiable natural person” and bringing that information within the scope of the definition of personal data. However, online identifiers are not in all circumstances a form of personal data. They do not inevitably lead to the identification of a natural person, but are merely recited as one of the identifiers which may allow for the identification of a natural person. Often, it is the case that IP addresses become Personal Data in circumstances in which, when the IP address is combined with other information, an individual becomes identifiable.

    In the case of closed accounts all other personal data (other than the Boards username) has been deleted permanently. IP addresses are allocated regionally, and as afar as we know the most accurate we can get to is the locality level. Of course, for big institutions like universities, locality may be enough in that they may be the only entity in the locality the IP address is pointing to. However, in these cases we still can't identify the individual as they typically have 100's or 1000's of people working there.

    For individuals, getting a as far as a locality doesn't allow us to identify a specific individual. Their ISP could, but we can't.

    If our advice regarding our legitimate interest in retaining the IP addresses for posts for ant-spamming purposes changes and we are advised that we should not be retaining the IP addresses of closed accounts then we will update our processes accordingly and clear all post IP addresses from posts associated with those accounts.

    But in the absence of any such updates and based on the advice we have received we will continue with our current policy. Thanks


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Will this be an ongoing thing, or a once-off?
    Nody wrote: »
    Well to remain compliant over time I'd guess it will be done as a once a year or similar exercise as the 6 year limit is arbitrary there is no need to do it daily/weekly etc.

    You're right, we will do it on a regular basis


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    Is there any possibility of Boards providing figures on a periodic basis of how many people have requested a deletion of their posts?


  • Technology & Internet Moderators Posts: 28,822 Mod ✭✭✭✭oscarBravo


    Esel wrote: »
    Still traceable via ISP though, no?

    An ISP won't provide that information to boards.ie under any circumstances.


  • Registered Users, Registered Users 2 Posts: 22,584 ✭✭✭✭Steve


    Will GDPR affect the email notifications?

    I've noticed a few sites have stopped sending the content of a reply in the email.


  • Closed Accounts Posts: 126 ✭✭Hurling Rankings


    This post has been deleted.


  • Moderators, Category Moderators, Arts Moderators, Business & Finance Moderators, Entertainment Moderators, Society & Culture Moderators Posts: 18,341 CMod ✭✭✭✭Nody


    This post has been deleted.
    Yes; it's been in the ToU for I don't know how long that boards can close an account at their discretion at any time, from section 7.
    Boards.ie Limited may at its absolute discretion refuse you access to the site and/or cancel/terminate your user privileges without prior notice for any reason and you shall not be entitled to any compensation in respect of cancellation/termination of your user privileges. If we disable your account you will not be entitled to create another account without our permission.


  • Banned (with Prison Access) Posts: 2,492 ✭✭✭pleas advice


    Does that include actually closing an account, rather than banning it? (I suppose it includes whatever Boards deems it includes)

    re. closing inactive accounts
    You're right, we will do it on a regular basis
    There's an account that posted a few times on the MMA forum about 6 years ago, be a shame to see that one closed


  • Closed Accounts Posts: 126 ✭✭Hurling Rankings


    This post has been deleted.


  • Advertisement
  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    Permabear wrote: »
    This post had been deleted.

    I think it’s a very grey area. I.e. is the problem simply that the full content of your posts is still present (in which case deletion would be required), or that it is still associated to your username in the system (in which case breaking that relashionship would be be sufficient)?


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    No one is sure what is required to comply with the GDPR, and no one will be until we see courts interpretations. But for now, each organisation has taken its own legal counsel and made a decision on what they believe to be the correct way to comply.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 22,584 ✭✭✭✭Steve


    Permabear wrote: »
    This post had been deleted.

    Even a legal professionals paid-for advice at this point just going to be qualified speculation. It will all hinge on the first case that goes to court and on the judge that hears the case and their interpretation of the law. Once precedent has been set, you will find legal professionals will adjust their advice based on it.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    One way of looking at quoted posts could be:

    a post made by you is your personal information that you have left in a public place. you have every right to take it away. Just like a football in a park.

    a quote of your post is not yours but is the property of the person quoting. They are just quoting something they found in a public place. where you left it for anyone to read and respond to in all its glory and detail.

    If you get your post deleted, you cannot request someone else's post be deleted unless you can prove that it is identifying you personally (as boards has always done when users post personal details and someone else quotes them).

    to use the football analogy. you can take the ball home but you cannot force everyone who took photos in the park that day to delete all photos that contain your ball regardless of it being the focal point of the photo or just in the background

    I'm not a practitioner of law so I am open to other interpretations but that would be my take on it. GDPR does not absolve users of responsibility for their data.

    Just did a quick read there of a German blog that describes their issue with this exact problem. in Germany they cannot transfer ownership of data apparently but other forums can use Creative Commons licensing to make the distinction between original post and posts derived from that original. The original remains the property of the poster but any post derived from it (ie: quoting) would be the property of the new poster and not the poster of the quoted content.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6,026 ✭✭✭Amalgam


    I don't agree with what boards are trying to convey to users, it is not a take it or leave it situation, it is a progressive one, very much balanced in favour of the user, not the forum. The GDPR isn't here to accommodate boards in any way, it is here to accommodate users.

    My guess is boards is going to push back/obscure options, until a legal precedent is set (a good or bad one..), in an Irish court.

    I run a PHPBB board and it is very much head in the sand on their support forum, the software is currently not compliant. Everything has to be erased. The problem is, for the sake of log reporting, the nature of tables, PHPBB and similar forum fronts hold onto traces of information like hairs on a toffee apple..

    My board will probably be left like a swiss cheese because of the GDPR, but I understand why it exists and am perfectly happy to be compliant.


  • Registered Users, Registered Users 2 Posts: 301 ✭✭dollylama


    Amalgam wrote: »
    I don't agree with what boards are trying to convey to users, it is not a take it or leave it situation, it is a progressive one, very much balanced in favour of the user, not the forum. The GDPR isn't here to accommodate boards in any way, it is here to accommodate users.

    My guess is boards is going to push back/obscure options, until a legal precedent is set (a good or bad one..), in an Irish court.

    I run a PHPBB board and it is very much head in the sand on their support forum, the software is currently not compliant. Everything has to be erased. The problem is, for the sake of log reporting, the nature of tables, PHPBB and similar forum fronts hold onto traces of information like hairs on a toffee apple..

    My board will probably be left like a swiss cheese because of the GDPR, but I understand why it exists and am perfectly happy to be compliant.

    Surely we won't end with a situation where a user can request posts be deleted but quotes of those posts remain? That just defeats the purpose entirely


  • Registered Users, Registered Users 2 Posts: 6,026 ✭✭✭Amalgam


    dollylama wrote: »
    Surely we won't end with a situation where a user can request posts be deleted but quotes of those posts remain? That just defeats the purpose entirely

    PHPBB may implement a quote delete solution in a future release, so, the issue is certainly being discussed online. The problem is a geographical one, if you depend on software written in the US, they may care less about your GDPR needs, whereas in Germany, most likely, GDPR will be keeping the courts busy, at some point..


  • Registered Users Posts: 136 ✭✭Batzoo


    Therefore, the process for requesting your personal data is as follows:
    • For identity verification purposes the data access request must be sent via a Private Message (PM) to the following recipient Boards.ie: GDPR (if for any reason you are unable to access or send a PM please email datarequests@boards.ie and we will get back to you with further instructions).
    • Data access requests will only be processed for the user account from which the PM was sent. We will not process data access requests for personal data related to 3rd party accounts

    You may need to get some more legal advice in regards to this as the above although advisable and a good place to start, it is not entirely accurate!

    A subject can use a designated third party to request information on their behalf, you cannot or have no right to prohibit this.

    While you can and should specify a means of verification such as the PM, the method of the data request cannot be imposed or be exclusive. Technically if I was to request my information in this post (which I am not at this time), it is a valid subject access request and you would have 30 days to respond. All mods should be made aware of this possibility and be able to pass access requests to the designated data controller without haste. The request does not even have to state it is a request, so long as it is obvious to a casual reader of the intent. To me this seems crazy, but hey I did not make it up.

    While there also appears to be confusion over user names and IP addresses, I can assure you that if you use your user name on any other site, or your user name @gmail.com etc; A huge amount of information can be mined from it. This information can then be used to build a bigger profile and so on. Likewise with IP addresses. While they may be dynamic, the pool of addresses will not be too great that a profile cannot also be gathered and cross referenced with other info, all without any priveleged or elevated access. Basically a username or IP address can be used to identify a data subject.

    While I legally cant state with certainty if posts(or quoted posts) have to be deleted under GDPR when requested, I can sure as hell tell you that I can use posts from specific users(not every user) here and tell you where they live to the house number. What colour car the drive, where they work, what they eat for breakfast, what colour their wife's hair is, how many children they have and so on. I can extract this data manually in a few hours. I am sure I could script it even quicker. So yes posts, even just a user name are part of a bigger picture that is a subjects ID and if I can do it without elevated access, boards can do it with admin access. So IMHO posts, user names and even IP addresses are identifiable and should be deleted if requested.

    Again, run the first bit of this post past your legal team, and if they think I am wrong on this point, you should get a new legal team as they are given bad advice. Designated 3rd party's are allowed, and although you should(and correctly have) specified a method for requests, you cannot exclusively specify the method of the access request. All written requests by paper, email, pm or even an in forum post are equally valid(but you can specify a verification method in response to this request).


  • Registered Users, Registered Users 2 Posts: 33,518 ✭✭✭✭dudara


    I think you might have mixed up the different meanings/uses of the term “third parties”. Yes, requests from authorised third parties (e.g. agents) are permitted under GDPR, and have to be verified that they are indeeed authorised to act on your behalf.

    Howerever, what Sean is saying is that you cannot request data for someone else’s account (e.g. a third party). You can only request access for your own data (either directly or via an agent).


  • Registered Users Posts: 136 ✭✭Batzoo


    dudara wrote: »
    I think you might have mixed up the different meanings/uses of the term “third parties”. Yes, requests from authorised third parties (e.g. agents) are permitted under GDPR, and have to be verified that they are indeeed authorised to act on your behalf.

    Howerever, what Sean is saying is that you cannot request data for someone else’s account (e.g. a third party). You can only request access for your own data (either directly or via an agent).


    Again, not looking for an argument, but why say I mixed it up and not "Sean" or Boards? The original statement says:
    Data access requests will only be processed for the user account from which the PM was sent. We will not process data access requests for personal data related to 3rd party accounts
    There is no ambiguity here. The statement is false and wrong. You are obliged to process access requests regardless of which account they where sent from. And again, you cannot dictate the method or format in which these requests are sent. And you are obliged to process third party requests for third party accounts so long as you can verify the owner of the requested account has authorized the third party as an agent. The only thing that is crucial is that you can verify that the data owner/subject has authorized this, regardless of which 3rd party account requested the information.

    I realize this may be confusing times for admins who are lumbered with this task and they receive different advice from many parties but I can assure you there is no confusion or misunderstanding on my behalf. I will also remind you that terms and conditions cannot and should not be written in confusing or easy to misinterpret ways. They are required to be clear and unambiguous.


  • Advertisement
  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 78,351 Admin ✭✭✭✭✭Beasty


    Just to be clear all requests are dealt with by the office. Admins and Mods have nothing to do with that

    Whatever views we express here are our own, and we are really not in a position to argue the legalities. Again that's an office responsibility


  • Registered Users, Registered Users 2 Posts: 33,518 ✭✭✭✭dudara


    Batzoo wrote: »
    Again, not looking for an argument, but why say I mixed it up and not "Sean" or Boards? The original statement says: There is no ambiguity here. The statement is false and wrong. You are obliged to process access requests regardless of which account they where sent from. And again, you cannot dictate the method or format in which these requests are sent. And you are obliged to process third party requests for third party accounts so long as you can verify the owner of the requested account has authorized the third party as an agent. The only thing that is crucial is that you can verify that the data owner/subject has authorized this, regardless of which 3rd party account requested the information.
    I think we're saying similar things but in different ways. Verifying the identity of the requestor is crucial, as an organisation does not want to disclose the personal data of an unrelated party. I believe that this is what Sean was referring to when he referenced third parties. I do not believe he was referring to authorised third party agents.
    I realize this may be confusing times for admins who are lumbered with this task and they receive different advice from many parties but I can assure you there is no confusion or misunderstanding on my behalf. I will also remind you that terms and conditions cannot and should not be written in confusing or easy to misinterpret ways. They are required to be clear and unambiguous.

    I'm quite well versed in the GDPR as an individual, but I am not responsible for GDPR compliance at Boards. That is a matter for HQ, not for the Admins and Mods. I am discussing it here as an individual, the same as all of us.


  • Registered Users Posts: 136 ✭✭Batzoo


    Beasty wrote: »
    Just to be clear all requests are dealt with by the office. Admins and Mods have nothing to do with that

    Whatever views we express here are our own, and we are really not in a position to argue the legalities. Again that's an office responsibility

    Even though you feel you have nothing to do with it, you are part of Boards. Boards have authorized you to administer forums and as such, all admins should be made aware of what an access request is and how to recognize them and who to forward them on to.


    So to break it down.
    If I PM a Subject Access Request to any admin or mod on any forum on Boards.ie, they are responsible for it. This is stipulated. They should forward it on to the Data Controller without haste as it is a valid request. The 30 days start from when I make contact with any representative of Boards, not from when the Data Controller gets wind of it. As a Boards Admin you should have been made aware of this from the office or HQ. Again, not looking to make requests or cause headaches, just trying to clear some confusion.


  • Registered Users Posts: 136 ✭✭Batzoo


    dudara wrote: »
    I believe that this is what Sean was referring to when he referenced third parties. I do not believe he was referring to authorised third party agents.
    As I said ambiguity is frowned upon. What you believe was the meaning is not what I read. These things should be clear and not open to opinion or believe as such.
    dudara wrote: »
    I'm quite well versed in the GDPR as an individual, but I am not responsible for GDPR compliance at Boards. That is a matter for HQ, not for the Admins and Mods. I am discussing it here as an individual, the same as all of us.
    Again I realize that Admins and mods are individuals and in many cases volunteers, but you are authorized entities of Boards and as such you are Boards. You are responsible whether you like it or not and cannot wash your hands of this responsibility.

    Basically what I am getting at is, If I was to make a request by PM to you, here and now! Would you know who to forward this request onto in the Boards empire as such. You technically cant spread it willy nilly to all and sunder in the admin circle. You have to send it directly to a specific individual assigned or hired for the role.

    Just to throw another log on the flames, but I am sure it is already accounted for. An access request would also include PM's sent between admins that mention the user that makes the request. So if an infraction occurred and the admins were discussing this through PM, the subject is entitled to these PM's. These should also not be redacted to any major degree unless they specifically reveal information about another uninvolved 3rd party as such.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 78,351 Admin ✭✭✭✭✭Beasty


    The site has taken legal advice and I am sure someone from the office will be considering the points you raise


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6,026 ✭✭✭Amalgam


    Beasty wrote: »
    The site has taken legal advice and I am sure someone from the office will be considering the points you raise

    :rolleyes:


  • Registered Users, Registered Users 2 Posts: 22,584 ✭✭✭✭Steve


    Batzoo wrote: »
    Just to throw another log on the flames, but I am sure it is already accounted for. An access request would also include PM's sent between admins that mention the user that makes the request. So if an infraction occurred and the admins were discussing this through PM, the subject is entitled to these PM's. These should also not be redacted to any major degree unless they specifically reveal information about another uninvolved 3rd party as such.
    Not sure if there is truth to that, besides, you are assuming such discussions take place on the boards platform. They may not.


  • Registered Users, Registered Users 2 Posts: 301 ✭✭dollylama


    Boards really need to clarify how they will handle quoted posts when a user requests their posts be deleted.

    I've done a quick spot check of some posters in this thread and most have somewhere in the region of 25 - 50% of their posts quoted. So even if you request your posts be deleted, up to half of them will be left behind as quoted posts are not removed!

    If a user is to have the right to have their posts deleted, surely quotes of their post can't be left behind. If they are left behind, it just makes a mockery of the right to deletion and will deter users from requesting a deletion at all as it is only 50% effective!

    It can't be too difficult to look for quoted posts against the current and past usernames and strip them from the post that quoted them


  • Registered Users, Registered Users 2 Posts: 22,584 ✭✭✭✭Steve


    dollylama wrote: »
    Boards really need to clarify how they will handle quoted posts when a user requests their posts be deleted.
    As of now, from what I have read, their position is to not delete them except were there is personally identifiable information. This has been the case for many years previous to GDPR.
    If a user is to have the right to have their posts deleted, surely quotes of their post can't be left behind. If they are left behind, it just makes a mockery of the right to deletion and will deter users from requesting a deletion at all as it is only 50% effective!
    'Surely' 'Probably' 'It should be thus' 'It's an outrage' is not relevant when applying a legal directive and determining the appropriate action.

    As I said previously, the 'appropriate action' may not be known for some time to come until the directive / law is tested in a court of law.


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 18,759 Admin ✭✭✭✭✭hullaballoo


    Batzoo, where does the GDPR say that a data subject can request access via a non-party?


  • Registered Users, Registered Users 2 Posts: 6,026 ✭✭✭Amalgam


    I have recieved a warning from hullaballoo for a rolleyes.

    To clarify:

    boards.ie is trying to put the cart before the horse, it is not for boards.ie to decide to accommodate users.

    Banned or not, 'active' or not, users have a right to manage data. Banning or stonewalling does not remove the forum's obligation to act on the new legislation.

    The dry statement by Beasty above, says quite a lot by saying nothing, or help to alleviate fears that boards.ie will indeed be 'combative' towards the GDPR.


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 18,759 Admin ✭✭✭✭✭hullaballoo


    As I have been pointing out since the beginning of this thread, many people are misunderstanding the purpose and scope of the GDPR.

    It quite clearly does not make data subjects the supreme arbiters of everything like many are suggesting. It gives data subjects rights over their personal data and the treatment of it as against data controllers, yes. It certainly does that.

    But what people here seem to be repeatedly missing is that personal data isn't everything you've ever posted on the internet. It's also not your IP address. Your emails address is personal data if it can be used to identify you. If your email address is asdflaknasdf@spammail.com then no, that's not personal data.

    Also as I have said before, the GDPR does quite an admirable job at providing scope for proportionality and reason when it comes to the obligations on processors and controllers.

    In this post, I'm not targeting anyone specifically but what seems abundantly clear to me is that many of the self-proclaimed GDPR experts haven't read/understood the document. It is quite a remarkable and beneficial step towards protecting individuals against those who would use their personal information against their will and it is to be commended on that basis. It is not a stick to beat small businesses that don't process data other than for the purposes it was given with.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 78,351 Admin ✭✭✭✭✭Beasty


    Amalgam wrote: »
    The dry statement by Beasty above, says quite a lot by saying nothing, or help to alleviate fears that boards.ie will indeed be 'combative' towards the GDPR.
    How the hell can I say anything else? I am not a lawyer. The Office are dealing with this. They are offline.

    You may think I have nothing better to do than read the GDPR legislation, but even if I did, I would expect guidance from those consulting lawyers rather than commenting off the hoof on someone's own legal interpretation


  • Registered Users Posts: 136 ✭✭Batzoo


    Steve wrote: »
    Not sure if there is truth to that, besides, you are assuming such discussions take place on the boards platform. They may not.
    This is fact, if you are discussed in a pm between admins, this is part of your online profile and data and falls under GDPR. But it is true to say that it could be denied that any discussion ever took place and unless the data is audited it would be hard for a data subject to prove otherwise.

    Also I make no assumptions, it is common knowledge and can be seen on these boards in dispute resolution, where people object to an infraction and one admin says they will talk to the admin or mod who issued it to clarify the reasons and get back.

    Basically if it is stored in a db or filing cabinet and mentions you or anything that can identify you its your data and covered under GDPR. It does not matter if it was not meant for your eyes originally, you are entitled to see it now should you request. The only exceptions I am sure of, are if it is related to an ongoing legal investigation or such.


  • Registered Users, Registered Users 2 Posts: 301 ✭✭dollylama


    I'm gonna be upfront and say I've little to no understanding of what GDPR permits or not and I'm certainly no legal eagle

    I'm just highlighting what is a bizarre situation whereby Boards will allow you to have posts deleted but will not delete those very same posts when in a quote. Ignoring GDPR here... why bother deleting posts at all if they're only gonna do a half effort


  • Advertisement
This discussion has been closed.
Advertisement