
GDPR, Boards.ie and Vanilla, how does this work?


Comments

  • Registered Users Posts: 1,478 ✭✭✭kaymin


    Do you know for certain you haven't already provided consent? In the Privacy Notice you signed up to when subscribing did that Notice indicate Boards could transfer data to a third country that has an adequacy decision?



  • Registered Users Posts: 1,478 ✭✭✭kaymin


    Boards are saying the EU have determined Canada provides adequate protection of personal data. It's not Boards that determines these matters.



  • Registered Users Posts: 16,183 ✭✭✭✭Leg End Reject




  • Registered Users Posts: 1,373 ✭✭✭ezra_


    Best practice is that such a move is flagged in advance, with the sufficient details being provided so that the customer can make an informed decision.

    Relying on boilerplate, especially when it comes to the protected categories of data, is an adventurous way of doing it. Of course, I'm sure that the @Boards.ie: GDPR team can show they carried out a rigorous DPIA in advance of this exercise, and that all the concerns here (such as not using encryption) are the right way to go about it.



  • Posts: 3,637 ✭✭✭[Deleted User]


    The onus is on Boards to decide if a service provider they’re engaging as a data processor meets with the required standard of protection required to be provided to safeguard our personal data.

    If I can determine in one hour that the DPC in Canada says their laws are not up to scratch, why didn’t someone at Boards do the same and err on the side of caution?

    That would be the right thing to do. It wasn’t done though.



  • Registered Users Posts: 1,478 ✭✭✭kaymin


    Just because they don't follow what's best practice in your eyes doesn't make it wrong or illegal.



  • Registered Users Posts: 1,478 ✭✭✭kaymin


    Why don't you ask the EU which has given Canada an adequacy decision? Boards is following EU law.



  • Registered Users Posts: 1,373 ✭✭✭ezra_


    No, it's the DPC who set the best practice. Time will tell what the DPC make of this.

    I'm sure it will all be fine. I can't imagine that someone decided to hike all the data over to Canada, engage new data storage provisions and decide to disapply stated (at regulation level) recommendations such as encryption, without running it past some data protection specialists, or even the DPC themselves who are quite open to talking about such things before they take place. That DPIA (requirement by the way, not best practice) would be an interesting read.



  • Posts: 3,801 ✭✭✭[Deleted User]


    The most that will happen here is a warning to boards. What data is being transferred for you? My data is my email, and that's it for most I would assume. And my email was throwaway.



  • Registered Users Posts: 1,478 ✭✭✭kaymin


    A DPIA is not required in this instance.  A DPIA is only mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.



  • Registered Users Posts: 1,373 ✭✭✭ezra_




  • Registered Users Posts: 218 ✭✭The Buster


    I don't understand the problem here. Canada seems to be the problem? What's wrong with Canada? If the EU thinks it is ok, then why are people concerned?

    So some users have put personal info in PMs - if the data was stored in France or Hungary or some other EU country, would that make it more secure? I don't think so.



  • Posts: 3,637 ✭✭✭[Deleted User]


    If you take the time to read what people have contributed, myself and others, there's no need for you to remain ignorant of the issues we're raising. In any case, even if you decide to ignore the issue, dismissing others' concerns in this case is a pointless exercise. Boards have legal obligations which they have failed to meet. They've also failed now for 10+ days to correct their failure.



  • Registered Users Posts: 7,197 ✭✭✭CantGetNoSleep


    The same people who 13 days after a major site launch seem to shrug the shoulders when someone points out that the privacy notice, cookie policy, anything like that doesn't work.



  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    They didn't.

    Others, who don't represent Boards, have.



  • Registered Users Posts: 7,265 ✭✭✭RangeR


    Actually [https://dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments]

    The bit you cited is the headline.

    Digging deeper into the guidelines, the Article 29 Working Party has adopted non-exhaustive guidelines / criteria to determine whether processing is likely to result in a high risk... One of those is point 9:

    "Data transfer across borders outside the European Union (recital 116), taking into consideration, amongst others, the envisaged country or countries of destination, the possibility of further transfers, or the likelihood of transfers based on derogations for specific situations set forth by the GDPR."



  • Registered Users Posts: 7,265 ✭✭✭RangeR


    Canada isn't the problem. Their data protection laws aren't as good as ours but are deemed adequate. The problems are manifold:

    1. Boards didn't give prior notice to its customers [us] that the data migration was taking place. This is a flagrant breach of GDPR. Consent must be asked explicitly and given explicitly. There is no room in the regs to ask for forgiveness not permission in this scenario. Customers must have been given notice to rectify their data before the move. Whether that's account / data deletion en masse or individually.
    2. To a lesser extent, Boards deemed it safe to use a hosting provider in a Third Country rather than one of the thousands in EU which would be covered by the more strict and robust GDPR.
    3. Again to a lesser extent to point 1, Boards appear to be treating data security with abandon. Under GDPR every website must have a Privacy Policy, Cookie Policy, Cookie Consent. The new site has none of these. This is a massive oversight and indicative that GDPR regulations were nowhere in the mindset of the migration.
    4. Many, many, many users, past and present, have a significant amount of personally identifiable information on boards. Personally, I've been here since it was quake.ie. Users have shared things out in public messages and private messages. The details of which have been stated many times in this thread.
    5. Trust. I trusted Boards with my data up until the migration. That trust was never in doubt until someone made the decision to migrate to a Third Country without permission. And by permission, please see point 1. I no longer have trust in Boards management. I just don't trust that they will do the right thing. I trust that they will try to find every loophole in the law to justify the migration.

    I'm well aware that I'm in the minority. I know that the majority don't care or think about their data security. I know that many users may have been a little careless with sharing too much data on a public forum. The regulations don't discriminate between foolish and not foolish users. It protects all of them.

    If the data was held in France or Hungary, as you say, it might not have been technically more secure but it would have been covered by the most strict Data Protection laws in the world.



  • Registered Users Posts: 1,478 ✭✭✭kaymin




  • Registered Users Posts: 1,478 ✭✭✭kaymin


    What did Boards' privacy statement state in relation to transfers to third countries prior to the upgrade?

    Also you are wrong on a couple of things:

    The effect of an adequacy decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

    Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:

      a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;

    i.e. explicit consent is not required if the transfers are to a country with an adequacy decision.



  • Registered Users Posts: 7,265 ✭✭✭RangeR


    My point is clear. I feel that they do require a DPIA as they migrated the entirety of their data to a Third Country.

    As far as being right or wrong, it's highly subjective unless a particular case goes to a court for ruling.

    My interpretation of privacy policies stating that data can be shipped to Third Countries is that a subset of data can be shipped. Not finding a new home for established data. To me, this subset of data could be lists of emails shipped to MailChimp or similar for correspondence reasons, marketing or transactional.

    Now, we can't access their previous privacy policy as the old site was decommissioned. However, I jumped onto the WayBackMachine via archive.org and accessed their privacy policy from a scrape on 31 May 2021. Sufficiently recent to show latest version as boards attempted the first migration early June 2021. It was last updated 26 April 2021. After I wrote all of this up, I double checked the Privacy Policy on a scrape from 30 June 2021 and its last update date was also 28 April 2021 so it still hadn't been updated.

    31 June 2021 Source [view-source:http://web.archive.org/web/20210627212150/https://www.boards.ie/content/privacy]

    Apologies for the plentiful full Privacy Policy text below, but I believe it's required reading considering the current situation. The Boards Cookie Consent wouldn't go away on the WayBackMachine so I had to scrape the source HTML.

    I'll give it to them, it's a well put together policy with a lot of thought gone into it. I didn't know they used Amazon AWS.


    Now, analysing the policy, a few points jump out. All relevant points in the Privacy Policy at the bottom have been highlighted in BOLD.

    Boards Data Protection Officer can be reached at datarequests@boards.ie

    5.2 "... as any other purpose that we may disclose to you at the point at which we request your Personal Data ..." At the point where they request our personal data appears to be on sign up and any proactive contact after that point. Noting the word "may".

    5.6 : The wording in that, although subjective, means to me a subset of data to carry out certain processes. They elaborate slightly further down.

    5.7 : Their elaboration. The important part is that they mention "that we have engaged to perform certain services in connection with the operation of certain aspects of the Site". At no point did they state that the entire operation / site would be transferred to a third party, never mind a Third Country. To me, this means a subset of data.

    5.8 : A listing of Third Parties and their uses of data.

    5.9 : The only mention in the Privacy Policy stating that they may transfer data in full. To be fair, the meaning of this clause is that boards.ie gets bought out or transferred to another company. This is not the current situation.

    6.5 : This is now currently in doubt. Is the site now published in Ireland and governed by Irish Law?

    6.6 : This is the biggy. No data is transferred outside of the EEA excepting certain third party services. Again, they mention services not entire operation. They also mention a few more third parties. New Relic appears to be a telemetry capturing company for analytics and software quality control. Bugsnag is used for crash / error reporting to improve software stability / quality.

    9.1: They state that if this Policy is reviewed and updated, any and all changes will be advised to customers in advance, as well as obtaining consent if necessary.



    Privacy Policy below, in full. Scraped at 31 May 2021 1:58am

    "Privacy

    1. Introduction

    1.1 Boards Software Ltd (‘we’, ‘us’ ‘our’) is committed to protecting your Personal Data. This Privacy Notice applies to your use of the websites and applications: Boards.ie (the “Site”) and sets out how we collect, use and protect your personal data. If you do not agree with the data practices described in this Privacy Notice, please do not use the Site.

    1.2 This notice (“Notice”) has been developed to inform our users about the privacy and security of personal data and to meet our obligations under the Data Protection Acts 1988 and 2018 and the General Data Protection Regulation (the “Data Protection Law”). Under Data Protection Law, personal data is information that identifies you as an individual or is capable of doing so (“Personal Data”).

    1.3 We comply with Data Protection Law and this Notice applies to the personal data collected, processed and stored by us through your use of a Site.

    1.4 For the purposes of Data Protection Law, we are the data controller of your Personal Data. You will find our contact details in the “Contact us” section below.

    2. How we gather data and Personal Data

    2.1 We gather data from your use of a Site for example through the use of cookies. We are not able to identify you from this data. You can find out how we use cookies and how to change your preferences in our Cookies Policy.

    2.2 Technical details in connection with visits to the Site are logged by us and our internet service provider for our statistical purposes.

    2.3 We gather Personal Data when you have logged in with a social media account, when you open an account or when you have provided us with Personal Data; for example, by contacting us via email, private message or through a Site.


    3. What kinds of Personal Data do we collect?

    3.1 We receive and store information you enter on the Site or give us in any other way, including when registering for a commenting account, installing an application, subscribing to a mailing list, making a purchase, as well as provided in your comments, posts and requests.

    3.2 If, during your use of the Site, you log in with your social media account we will collect your social media account details as well as the name and e-mail address associated to that social media account (if available).

    3.3 If, during your use of the Site, you post comments, we will keep a record of your commenting history.

    3.4 The Site creates a user profile when you install an application. We will collect or process data you provide to us in the course of creating or updating a user profile. This information will vary but typically includes your device ID, the versions of our apps you have installed on your device, your reading interests in our Site.

    3.5 If you register with Boards.ie we collect the information you supply on registration as well as any other information you provide to us by email or private message. We collect information which you post on Boards.ie and information relating to your use of Boards generally. This includes, for example, private messages, login and logout times, polls you've voted on, threads to which you have subscribed and posts you've thanked.

    3.6 Our Site offers location based features. When you enable these features we ask for your permission to access location data. We do not track your location.

    3.7 If, during your use of the Site, you sign up to notifications or e-mail newsletters, we will also collect your preferences.

    3.8 If you purchase goods we will collect your shipping address, order contact, payment method and purchase history.

     Information you post

    3.9 Any personal information which you volunteer in your public profile or post on the forums or sites will be available worldwide to anyone with access to the website.

    3.10 For full details on Personal Data and posts, please refer to the sites’ Terms of Use.


    4. Legal basis for processing

    Given the varied functionality of each Site we rely on the following legal bases under Data Protection Law in processing your Personal Data:

    Legal Basis | Example
    Performance of a contract | We will process your Personal Data to the extent required to deliver the service requested.
    Compliance with legal obligations | We may need to disclose Personal Data to comply with a request from law enforcement, or other government agencies or court order.
    Legitimate interests | We may need to disclose Personal Data in the event of a complaint or legal action arising from any comment or content posted by that user. We may process Personal Data to personalise content or advertisements.


    5. How we may use your Personal Data

    5.1 Except as disclosed in this Privacy Notice, we will not disclose Personal Data that we collect to any parties other than those with whom we partner or are affiliated with, without your consent. Except as disclosed below, we will not sell, share, trade, rent, or give away your Personal Data.

    5.2 We may use your Personal Data to process any requests made by you for example, to create a user account, subscribe to a mailing list or make a complaint about a comment/post, respond to your inquiry, and communicate with you when necessary to provide customer service and/or follow-up information related to a Site. We may also use information you provide to communicate with you about your interest in our events and our company, to help us improve, operate and enhance your experience on a Site, to promote our events, notify you about important functionality changes to a Site, new services, and special offers we think you will find valuable, to tailor advertisements, content, and other aspects of your experience on and in connection with a Site, for other administrative purposes, to prevent or detect abuses of our terms of use, for identifying, modifying or deleting nuisance or defamatory material posted by users, and to enable third-parties to carry out technical or other functions on our behalf as well as any other purpose that we may disclose to you at the point at which we request your Personal Data. We may combine non-personal information that you provide with supplemental information (including mailing address updates and demographic data) that we obtain from public sources or reputable third-parties. Information combined with personally identifiable information becomes, and is treated as, Personal Data under this Privacy Notice.

    5.3 When you contact us, we may request your affirmative, positive consent to use your contact information for marketing or other business purposes. In the event you do not consent to the use of your contact information for marketing or other business purposes, your data will not be used for those purposes. If you provide your consent but subsequently do not wish to receive notifications about related opportunities, you will be able to modify your preferences by following the instructions on any marketing correspondence.

    Other websites

    5.4 The Site interfaces social media websites such as Facebook and Twitter, and may use social media plugins (e.g., the Facebook "Like" button, "Share to Twitter" button) to facilitate social media functions.

    5.5 If you are a member of a social media platform or website, and log in to such social media or platform, the interfaces may allow the social media platform or website to connect your visit to a Site to your Personal Data. The social media plugins also may allow the social media website to share information about your activities on a Site with other users of their social media platform. We have no control over the information that other websites or social media websites or plugins collect, store, or use. Before you choose to access other websites from a Site or “like” or share information from a Site through any social media platform or website, please be certain that you review the privacy notice of that social media platform or website.

    Do we disclose Personal Data to anyone else?

    5.6 We disclose customer information to third parties only when it is necessary as part of business practices or when there is a legal or statutory obligation to do so. Whenever we disclose customer information to third parties, we will only disclose that amount of information necessary to meet such business need or legal requirement. Third parties that receive customer information from us must satisfy us as to the measures taken to protect the personal data such parties receive, in accordance with Data Protection Law and as stated in this Privacy Notice. Appropriate measures will be taken to ensure that all such disclosures or transfers of customer information to third parties will be completed in a secure manner and pursuant to contractual safeguards.

    5.7 We may employ other companies and individuals to perform functions on our behalf, including processing credit card payments, marketing, and providing analytics assistance. From time to time, we may also share Personal Data or non-personally identifiable information with third-parties that we have engaged to perform certain services in connection with the operation of certain aspects of the Site, including to customise, deliver, measure, analyse, improve and support our services, content, advertising and layout, your interaction with those aspects, and to deliver more relevant messages and advertisements to you. These third-party service providers are authorised to use Personal Data only if needed to perform their functions on our behalf and are required to maintain the security of your personal information.

    5.8 Third Parties we work with

    The following is the list of companies we work with and may process data on our behalf. We include links to their privacy policy (available at the time of writing) for convenience:

    Google (Advertising, Analytics, Notifications, Office Software and Cloud Storage)

    Mailchimp (e-mail services)

    Facebook, Twitter and Linkedin (Social Media Authentication)

    Stripe, Paypal (Payments)

    Amazon AWS (Cloud computing)

    Pipedrive (CRM)

    5.9 We may also change our ownership or corporate organisation while providing the Site. As a result, we may transfer your information to another company that is affiliated with us, with which we have merged, or which has acquired all or some of our assets. We will advise you if such a change of ownership or change of corporate structure takes place and we will update this Privacy Notice accordingly.

    5.10 We may provide information, when obliged to do so under Data Protection Law and in response to properly made requests, for example, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. We may also provide information for the purpose of safeguarding national security. In the case of any such disclosure, we will do so only in accordance with Data Protection Law.

    5.11 We may also provide information when required to do so by law, for example under a court order, and may transfer data to legal counsel where same is necessary for the defence of legal claims.

    5.12 We may also disclose Personal Data in connection with any complaint regarding your use of the Site. For example, in the event of a complaint or legal action arising from a comment or content posted.


    6. How long do we keep Personal Data?

    6.1 The period for which we retain information varies according to the use of that information. In some cases, there are legal requirements to keep data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain information no longer than is necessary for the purposes for which the data was collected and processed (as described above).

    6.2 User profiles may include personal data, for example when linked to a social media account. This information will be held for as long as you hold a user profile. Following the termination of a user profile we will retain the profile information for a period of up to two years.

    6.3 Personal data submitted through participating in surveys will be kept for up to two years then aggregated (whereby the data is no longer personal data) and/or anonymised.

    6.4 Following termination of the Terms of Use of a Site, your Personal Data shall continue to be retained for a period of up to seven years from the date of termination in accordance with Irish statutory limitation periods.

    How do we protect data about you when or if it is transferred out of Europe?

    6.5 Each Site is published in Ireland and is governed by Data Protection Law and Irish law.

    6.6 We do not transfer any Personal Data outside of the EEA. However, certain third parties providing services to our Sites may transfer data outside of the EEA for example, for storage purposes. These third parties include, for example, Google, New Relic and Bugsnag. If this changes at any point in the future, this Privacy Notice will be updated to take account of this change. We only engage reputable third parties that provide appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available


    7. How you can exercise your rights in respect of Personal Data we hold about you:

    7.1 We shall vindicate all your rights under Data Protection Law. These rights are as follows:

    your right to withdraw your consent to the processing of Personal Data at any time

    your right to request from us access to personal data and to have any incorrect personal data rectified

    your right to the restriction of processing concerning you or to object to processing

    your right to have your personal data transferred to another service provider

    your right to have personal data erased (where appropriate)

    information on the existence of automated decision-making, if any, as well as meaningful information about the logic involved, its significance and its envisaged consequences

    Vindication of your rights shall not affect any rights which we may have under Data Protection Law.

    Exercising your rights, managing information and opting out

    7.2 You may update or change information related to your account by updating the social media account linked to your profile, or by sending us an e-mail at datarequests@boards.ie. You may request that your information be removed from a Site by e-mailing us at the address provided above. You may also unsubscribe from our marketing communications by clicking on the “unsubscribe” link located on the bottom of our e-mails.

    7.3 At any time you can close your Boards.ie user account. Closing your account means we will delete your password, remove any email subscriptions or notifications you may receive, delete all personal data we hold about you and turn off and delete your Private Messages. This process does not remove any posts you have made on the site.

    7.4 You can update or correct your Personal Data, remove it from our system or exercise any of your rights by making a request to us at the contact information provided below. If for some reason access is denied, we will provide an explanation of why access has been denied.

    7.5 We will confirm your request within 21 days of receipt, and process your request within 30 days of receipt.


    8. How does a Site protect personal information about you?

    8.1 We employ reasonable appropriate administrative, technical, personnel, procedural and physical measures to safeguard Personal Data against loss, theft and unauthorised access, uses or modifications. Security and testing are performed on systems containing personal data to verify control effectiveness. Security of these systems is monitored continuously.

    8.2 While we try our best to safeguard your information once we receive it, no transmission of data over the Internet or any other public network can be guaranteed to be 100% secure. It is important for you to protect against unauthorised access to your password and to your computer. Be sure to sign off when finished using a shared computer.

    How can you make a complaint about the Use of Personal Data?

    8.3 Complaints on the use, retention and disposal of personal data can be submitted via email to datarequests@boards.ie.

    8.4 As a user of a Site you also have the right to lodge a complaint with the Data Protection Commission.


    9. Review

    9.1 This policy will be reviewed and updated from time to time to consider changes in the law and the experience of the policy in practice. Any and all changes will be advised to customers and, if necessary, we will obtain your consent prior to applying any changes to any Personal Data collected from you prior to the date the change becomes effective. Your continued use of a Site after such changes will be subject to the then-current policy. We encourage you to periodically review this Privacy Notice to stay informed about how we collect, use, and disclose personal information.


    10. Contact information

    10.1 If you have questions about this Privacy Notice or our treatment of the information provided to us, please contact us at:

    Name: Boards Software Ltd

    ATTN: Data Protection Officer

    Address: 4th Floor Latin Hall, Golden Lane, Dublin 8

    E-mail: datarequests@boards.ie

    --

    Updated 26th April 2021"



  • Registered Users Posts: 5,845 ✭✭✭trellheim


    Hello - the bottom bar still says Hosted by Digiweb - which is correct, please ?



  • Registered Users Posts: 1,478 ✭✭✭kaymin


    From your own post, a DPIA is required when

    Data transfer across borders outside the European Union (recital 116), taking into consideration, amongst others, the envisaged country or countries of destination, the possibility of further transfers, or the likelihood of transfers based on derogations for specific situations set forth by the GDPR.

    The data is transferred to Canada, a country with an EU adequacy decision and therefore with equivalent data protection laws as in the EU. There is no indication that data will be transferred further and transfers are not based on derogations. It's fairly obvious that a DPIA is not warranted.

    In respect of the previous privacy policy, Boards stated that 'certain third parties providing services to our Sites may transfer data outside of the EEA for example, for storage purposes.'

    Yet you had no issues with using boards knowing your data could be sent to unnamed third countries? And you only now have an issue because data is being sent to Canada, a country with equivalent data protection measures as the EU?



  • Registered Users Posts: 2,738 ✭✭✭Pelvis Parsley


    Vanilla use hosting in both Canada AND California. Just to highlight...



  • Posts: 3,637 ✭✭✭[Deleted User]


    Chicago is also referenced. Probably the Interxion datacentre. I had to pursue our own hosting provider for 6 weeks so they could get an updated ISO 27001 certificate from Interxion when it was needed to meet our own compliance requirements for a US based customer.

    I think it's pretty disgraceful that the responses and questions being asked here from @Boards.ie: Odhran , @Boards.ie: Niamh and @Boards.ie: GDPR are going unanswered.

    User concerns about the protection of their personal data should have a higher priority of response IMO and I think it's just another clear indication of just how little Boards Software Limited (incorporated at the end of last year, as it happens) care about their users, our concerns and most importantly, our statutory rights.

    Are you folks going to actually reply here, or are you still too busy scrambling around trying to cover your arses at this time?



  • Registered Users Posts: 7,197 ✭✭✭CantGetNoSleep


    Well have you seen any sufficient response from any boards employee or leadership about the fact that the links don't work, hosting information is still correct, over two weeks after a site was launched?



  • Registered Users Posts: 7,265 ✭✭✭RangeR


    I disagree with your first point but that's fine. I'll even let the DPIA go, if that ends that argument as that's not the main problem. However, you do notice, don't you, that many sections in GDPR don't use MUSTS and SHOULDS. They use softer words to indicate how you should be thinking when you treat data. They even call some of them guidelines rather than regulations. A lot of GDPR is the spirit of data protection rather than the letter of the law. Even the DPIA text above "taking into consideration". There is no absolute affirmative action in that clause and is open to interpretation and mis-interpretation. Yet you say I'm wrong. I'm afraid only a court of law can make that statement :)

    I agree with your second point. I had no problem [or more correctly, it didn't bother me as much as the current situation] with their Privacy Policy as Boards outlined in their policy which third parties they use and why. Migrating operations to ANY country outside of Europe wasn't in there and still required notice and / or consent. Boards don't do everything right. In fact, in my personal opinion they have been in breach of GDPR since day one by enforcing that the only way you could change your username [a de facto PII] was to purchase a subscription for minimum 1 month. That's not allowed under GDPR and that process is still in place today. Sure Niamh only cited it a couple of days ago in Feedback.



  • Registered Users Posts: 7,265 ✭✭✭RangeR


    I think they have bigger things to worry about than the site not working properly. Definite squeaky bum time in some offices in Dublin :)



  • Registered Users Posts: 1,373 ✭✭✭ezra_


    Actually, not really.

    Technical problems are generally solvable - nothing they need to do is pushing the limits of computer science, it's just a matter of getting it done.

    Data protection problems, on the other hand, aren't endogenous to effort, and are determined by what you have done and how the DPC views that.



  • Registered Users Posts: 1,478 ✭✭✭kaymin


    I stated that a DPIA is not required / not warranted which I suppose is analogous to saying you are wrong - either way I don't need a lesson on the subtleties of GDPR wording. The decision as to whether a DPIA should be prepared is never going to be decided in a court of law rather based on the consideration of the facts which I have done.

    They migrated storage to Canada and storage in third countries was something that was specifically called out in the old privacy statement. So your second paragraph makes no sense in light of this nor your attitude now to them transferring storage to a third country with an adequacy decision.



  • Registered Users Posts: 33,650 ✭✭✭✭Hotblack Desiato
    Restaurant at the End of the Universe


    @RangeR

    To a lesser extent, Boards deemed it safe to use a hosting provider in a Third Country rather than one of the thousands in EU which would be covered by the more strict and robust GDPR.

    Pretty much the whole point of GDPR is that EU residents' data is covered by it, whether that data is held within the EU or anywhere else.

    So our data is still covered by GDPR, the question is whether Vanilla are compliant with Canadian law, as the EU has decided that Canadian laws provide adequate protection.

    Need clarification on Vanilla having US hosting centres, and fast.

    But yes it's very disappointing that no hosting provider in the whole EU, never mind Ireland, was deemed adequate. Platform and hosting do not have to be tied together.

    Boards is now totally dependent on Vanilla, not just platform but hosting as well. If Boards and Vanilla get into a dispute, Boards is screwed and migration away from Vanilla could be impossible.

    Their funeral...

    It took a while but I don't mind. How does my body look in this light?


