GDPR, Boards.ie and Vanilla, how does this work?

The data is in canada.

With respect, that isn't quite an answer.

I'm not worried about mods, as unless Mod Utils has radically changed in the last while, they can't see my personal information. I've always been comfortable with the Boards.ie team being able to link my identity to the special data categories. Now this Canadian company, along with some other Canadian company have access to this as well? On the basis of 'they promise they won't look'?

Can you confirm that:

a) Vanilla have access to user's personal information; and

b) This un-named third party hosting company also have access to the plain-text of user's personal information;

c) Assuming a) and b) are correct, you have performed a DPIA with regard to the processing by these parties of both the special categories and ordinary data?

d) Care to publish this DPIA?

might also remove the lie saying the sites hosted by digiweb at the bottom of the page

Sending an email is hardly jumping through hoops.

So there are little things like no Privacy Policy, no Cookie Policy, no Cookie Consent, no mention anywhere on how to delete account, no mention of a DPO etc. Those things will come in time but unforgiveable that they weren't thought about prior to migration. EVERY company factors these things into any new website in the EU, unless they don't really care about data security.

The BIG thing is that they migrated their data hosting from a First Country [Ireland] to a Third Country [Canada] without consent. Now all the talk from Boards so far is that Canada has adequate Data Protection laws in place and that may be. But the BIG law/regulation that Boards broke, and they could be in trouble with this, is that they migrated the data to that Third Country without any prior notice. Consent wasn't asked and certainly not given. At this stage, it's too late as the data is already there. If I was their DPO, I'd be VERY concerned.

This point has been brought up in Feedback for the past few days and has been overlooked and not answered by Boards staff.

Can consent be granted by including a clause in a privacy policy to say that your data may be transferred our of EEA to a 3rd party?

As mentioned by others and most recently @RoYoBo, many PM's to other users or the likes to the Talk To company reps include sensitive detail like account numbers, phone numbers, email addresses, even home addresses. This is a huge concern.

It will be interesting to see what the DPC makes of all this.

Ok. Wow. A deep dive. I'd also like to reiterate that this is not just noise, pushback and being difficult. It's at the very heart of the matter.

There are now many more questions than answers. The apparent unwillingness for Boards to be transparent about this move in a GDPR setting is unsettling.

Picking apart bits of the first PDF link [https://vanillaforums.com/legal/VanillaForumsSecurityOverview4.5.pdf]

"What kind of data does Vanilla store? Vanilla is a forum, so we store user records and user generated content. Some of it is access-restricted based on application RBAC ACLs. PII can be shielded from accidental access." So, how does Vanilla know where PII is stored? How does it know what is PII if some users put their PII in PM's?

"Where is Vanilla’s data stored? Vanilla operates private cloud environments in both the US (San Francisco) and Canada (Montreal).". Admittedly, Niamh said that the data is in Canada only.

"Can this data be encrypted at rest? Yes. Vanilla can use Full Disk Encryption (FDE) on its database servers at higher plan levels."

"Are any fields encrypted? No. Our data needs to be searchable. When higher data security is required, we make use of Full Disk Encrypted". This one sort of contradicts the one above about FDE and a previous comment [I think] by Boards that data is encrypted at rest. So is it encrypted at rest AND searchable from the forums, or not?

"Where is backup data stored? We store compressed and encrypted backups in a single-purpose access-controlled Amazon S3 bucket (redundant file storage service).". Where is this bucket located?

"Server-to-server API communications are secured using SSL". I'll assume this is a typo and they mean https/tls.

"Are VMs individually firewalled? Yes. Each VM has a stateful software firewall installed which is customized to its workload. Repeated failed SSH access results in throttling." A software firewall? Is this just IPTables on Ubuntu? What if the server is compromised with root access. IPTables can be reconfigured by the bad actor. A hardware firewall should be used for security. Admittedly, many companies use IPTables thinking it's adding full security. It is, until it isn't.

"Vanilla is willing to sign EU Model Clauses to bridge the gap between Safe Harbor and Privacy Shield, and to reflect the latest “Schrems II” decision." EU Model Clauses are another name for Standard Contractual Clauses. Those that have been keeping up over the past couple of years, especially in light of the recent declaration that Privacy Shield was deemed inadequate, most companies, especially in USA and apparently Vanilla, are relying on SCC's. However, there is little consensus between the various Data Protection Authorities as to the long term legalities of such SCC's but I suppose the CJEU has ordered that they be allowed. It's highly likely that SCC's will come before CJEU at some point soon. Considering that, Vanilla are WILLING to sign an SCC. Have they done that for Boards? What's the effective date on that contract?

On the subject of PIPEDA... The European Commission’s adequacy decision concerning Canada is restricted to commercial organizations. The reason for this is PIPEDA’s applicability criteria: the law only applies to the collection, use or disclosure of personal information in the course of a commercial activity and includes federally-regulated businesses like banks, airlines and telecommunications companies. Snip taken from [https://www.endpointprotector.com/blog/pipeda-vs-gdpr-the-key-differences/]. The entire article is an interesting read, showing the differences between PIPEDA and GDPR. Specifically with PIPEDA: consent can be implied, no right to be forgotten [or it's implied rather than explicit] so your account may be terminated but your data may exist up to the maximum retention period, no data portability, companies may not need to be PIPEDA complaint if they operate outside of Canada [remember that US hosting center?]

Correct. Our data was shipped off without our required consent.