GDPR, Boards.ie and Vanilla, how does this work?

Comments

  • Posts: 0 [Deleted User]


    This is precisely why I have always been loath to use online support services operating through social media, including forums like this. I wouldn’t send information like DOB, address or account numbers through PM services.

    There’s a lot of potential personal information here. You could easily identify a lot about someone by linking their posting history to their real world name and contact information.

    People’s personal politics, financial issues, sexuality, religious views, personal lives, hobbies, health and all sorts of things get posted here in public and I’m sure plenty have had discussions in private too.

    It’s a huge issue to suddenly foist something like this on a user base of an old, old forum like this.

    There’s a hell of a lot of private information contained within this site that can be used for user fingerprinting. It’s even worse for users that have maintained a single username for the decades that this site has operated.



  • Registered Users, Registered Users 2 Posts: 1,363 ✭✭✭ezra_


    Hi @Boards.ie: Niamh , I do get that things must be rather chaotic at the office at the moment, but can you confirm points 1-4?



  • Registered Users, Registered Users 2 Posts: 17,531 ✭✭✭✭Leg End Reject


    Another issue is anyone can now add other users to a previously private PM, so if you'd been chatting to someone and assumed it was private they can allow someone else to see the entire chat, whereas a reported PM just sent a single PM to an admin.

    I haven't included personal info in PMs, but I know there was a recent enough AH beers and I assume names and phone numbers were exchanged as a minimum in order to arrange it?

    @Boards.ie: GDPR and @Boards.ie: Odhran really need to address this.


    As an aside, it took many attempts to @Odhran, because clicking on his name somehow linked @David. It's very finicky!



  • Registered Users, Registered Users 2 Posts: 17,531 ✭✭✭✭Leg End Reject


    Another thing I've just thought of, can Vanilla link anonymous posts to usernames? A lot of people have posted very personal information anonymously in PI.



  • Posts: 3,637 ✭✭✭ [Deleted User]


    Absolutely they can. As could the Boards admins. At a systems level there’s no such thing as anonymous.



  • Registered Users, Registered Users 2 Posts: 856 ✭✭✭RoYoBo


    I had always taken this Boards assurance re PMs on trust (been here more years than my current incarnation) but I should have been more careful anyway. I have learned a big lesson! The Talk To forums used to be a great (sometimes the ONLY) way to engage with some companies to get a solution. Like you say Wibbs, I'd like a response from Boards now with regard to the deletion of these PMs, permanently and irrevocably.

    As others have said, however, the disaster of the whole site transfer and the abysmal results in the very basic structure of the interface means that I will likely be sorely disappointed. I don't want to have to delete my entire profile to get rid of these PMs - even if I do it seems that that's not enough to safeguard my information. It really looks as if the DPC is the only route on this, unfortunately.



  • Registered Users, Registered Users 2 Posts: 17,531 ✭✭✭✭Leg End Reject


    Some posters have written about getting caught shoplifting and other illegal activities. If that can all be linked with their personally identifiable information it could be used for nefarious reasons.



  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    So as an aside, I was speaking to my DPO about certain issues I was working on in work, dealing with the Gards, DSR's etc. I shot the breeze with him about what's going on here. To be succinct, he was more forceful about the issue than I am in this thread. He foresees Boards being in trouble. As a realist, I don't see the Irish DPA doing much.



  • Posts: 3,637 ✭✭✭ [Deleted User]


    For anyone thinking to themselves that this must have been addressed in advance of migrating our data, you can check back on this here:

    Note that the link to @Boards.ie: Odhran 's original December announcement doesn't work. Maybe someone else can find a link that works and share it here. Can't see his past posts, unsurprisingly, so maybe someone can oblige.

    You'll note that there's nothing indicating that private messages can be shared with ANY users, it just states that Admins could be added to a private discussion. That's not how it's working. But that's not specifically GDPR, just symptomatic of the casual approach to user privacy in the context of adopting Vanilla as their new platform of choice at Boards HQ.

    No mention of GDPR in any case.

    Similarly, none when the early excuses were being set out here:

    One of these days it would be nice to hear from Boards staff with something that clearly explains how they have protected our data, as opposed to passing that off to a third country based provider where even a 1 hour review of the legal protections in place in Canada provides ample evidence that it's less than satisfactory. It seems that boilerplate clauses are being relied upon when even the data commissioner in Canada, the guy sitting in charge of the enforcement and compliance authority in that country has said that the laws do not provide protections in line with the interests of Canadian citizens. Let's put it this way, if the Canadian in charge says Canadian laws don't protect Canadian citizens, why would someone at Boards decide it's good enough for your data or mine?

    Pretty inexcusable stuff. I don't expect anyone to step up here and answer these questions, because the simple fact is, there's no good answer they can offer. 3 weeks since 'read only', the basics still aren't in place. Folks, you should all be asking these questions. You really should.



  • Posts: 3,637 ✭✭✭ [Deleted User]


    Something I've just noticed is that this thread is not showing in the 'Latest Posts' tab on the homepage.

    Strange really. It's as though somebody has decided they don't want too many people reading this one.

    Join the conversation and then take a look for yourself.



  • Registered Users Posts: 1,551 ✭✭✭kaymin


    Do you know for certain you haven't already provided consent? In the Privacy Notice you signed up to when subscribing did that Notice indicate Boards could transfer data to a third country that has an adequacy decision?



  • Registered Users Posts: 1,551 ✭✭✭kaymin


    Boards are saying the EU have determined Canada provides adequate protection of personal data. It's not Boards that determines these matters.



  • Registered Users, Registered Users 2 Posts: 17,531 ✭✭✭✭Leg End Reject




  • Registered Users, Registered Users 2 Posts: 1,363 ✭✭✭ezra_


    Best practice is that such a move is flagged in advance, with the sufficient details being provided so that the customer can make an informed decision.

    Relying on boilerplate, especially when it comes to the protected categories of data, is an adventurous way of doing it. Of course, I'm sure that the @Boards.ie: GDPR team can show they carried out a rigorous DPIA in advance of this exercise, and that all the concerns here (such as not using encryption) are the right way to go about it.



  • Posts: 3,637 ✭✭✭ [Deleted User]


    The onus is on Boards to decide if a service provider they’re engaging as a data processor meets the standard of protection required to safeguard our personal data.

    If I can determine in one hour that the DPC in Canada says their laws are not up to scratch, why didn’t someone at Boards do the same and err on the side of caution?

    That would be the right thing to do. It wasn’t done though.



  • Registered Users Posts: 1,551 ✭✭✭kaymin


    Just because they don't follow what's best practice in your eyes doesn't make it wrong or illegal.



  • Registered Users Posts: 1,551 ✭✭✭kaymin


    Why don't you ask the EU which has given Canada an adequacy decision? Boards is following EU law.



  • Registered Users, Registered Users 2 Posts: 1,363 ✭✭✭ezra_


    No, it's the DPC who set the best practice. Time will tell what the DPC make of this.

    I'm sure it will all be fine. I can't imagine that someone decided to hike all the data over to Canada, engage new data storage provisions and decide to disapply stated (at regulation level) recommendations such as encryption, without running it past some data protection specialists, or even the DPC themselves who are quite open to talking about such things before they take place. That DPIA (requirement by the way, not best practice) would be an interesting read.



  • Posts: 3,801 ✭✭✭ [Deleted User]


    The most that will happen here is a warning to boards. What data is being transferred for you? My data is my email, and that's it for most I would assume. And my email was throwaway.



  • Registered Users Posts: 1,551 ✭✭✭kaymin


    A DPIA is not required in this instance.  A DPIA is only mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.



  • Registered Users, Registered Users 2 Posts: 1,363 ✭✭✭ezra_




  • Registered Users, Registered Users 2 Posts: 218 ✭✭The Buster


    I don't understand the problem here. Canada seems to be the problem? What's wrong with Canada? If the EU thinks it is OK then why are people concerned?

    So some users have put personal info in PMs - if the data was stored in France or Hungary or some other EU country would that make it more secure? I don't think so.



  • Posts: 3,637 ✭✭✭ [Deleted User]


    If you take the time to read what people have contributed, myself and others, there's no need for you to remain ignorant of the issues we're raising. In any case, even if you decide to ignore the issue, dismissing others' concerns in this case is a pointless exercise. Boards have legal obligations which they have failed to meet. They've also failed now for 10+ days to correct their failure.



  • Registered Users, Registered Users 2 Posts: 7,269 ✭✭✭CantGetNoSleep


    The same people who 13 days after a major site launch seem to shrug the shoulders when someone points out that the privacy notice, cookie policy, anything like that doesn't work.



  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    They didn't.

    Others, who don't represent Boards, have.



  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Actually [https://dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments]

    The bit you cited is the headline.

    Digging deeper into the guidelines, The Article 29 Working Party has adopted non exhaustive guidelines / criteria to determine whether processing is likely to result in a high risk... One of those is point 9:

    "Data transfer across borders outside the European Union (recital 116), taking into consideration, amongst others, the envisaged country or countries of destination, the possibility of further transfers, or the likelihood of transfers based on derogations for specific situations set forth by the GDPR."



  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Canada isn't the problem. Their data protection laws aren't as good as ours but are deemed adequate. The problems are manifold:

    1. Boards didn't give prior notice to its customers [us] that the data migration was taking place. This is a flagrant breach of GDPR. Consent must be asked explicitly and given explicitly. There is no room in the regs to ask for forgiveness not permission in this scenario. Customers must have been given notice to rectify their data before the move. Whether that's account / data deletion en masse or individually.
    2. To a lesser extent, Boards deemed it safe to use a hosting provider in a Third Country rather than one of the thousands in EU which would be covered by the more strict and robust GDPR.
    3. Again to a lesser extent to point 1, Boards appear to be treating data security with abandon. Under GDPR every website must have a Privacy Policy, Cookie Policy, Cookie Consent. The new site has none of these. This is a massive oversight and indicative that GDPR regulations were nowhere in the mindset of the migration.
    4. Many, many, many users, past and present, have a significant amount of personally identifiable information on boards. Personally, I've been here since it was quake.ie. Users have shared things out in public messages and private messages. The details of which have been stated many times in this thread.
    5. Trust. I trusted Boards with my data up until the migration. That trust was never in doubt until someone made the decision to migrate to a Third Country without permission. And by permission, please see point 1. I no longer have trust in Boards management. I just don't trust that they will do the right thing. I trust that they will try to find every loophole in the law to justify the migration.

    I'm well aware that I'm in the minority. I know that the majority don't care or think about their data security. I know that many users may have been a little careless with sharing too much data on a public forum. The regulations don't discriminate between foolish and not foolish users. It protects all of them.

    If the data was held in France or Hungary, as you say, it might not have been technically more secure but it would have been covered by the most strict Data Protection laws in the world.



  • Registered Users Posts: 1,551 ✭✭✭kaymin




  • Registered Users Posts: 1,551 ✭✭✭kaymin


    What did Boards privacy statement state in relation to transfers to third countries prior to the upgrade?

    Also you are wrong on a couple of things:

    The effect of an adequacy decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

    Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:

      a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;

    i.e. explicit consent is not required if the transfers are to a country with an adequacy decision.



  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    My point is clear. I feel that they do require a DPIA as they migrated the entirety of their data to a Third Country.

    As far as being right or wrong, it's highly subjective unless a particular case goes to a court for ruling.

    My interpretation of privacy policies stating that data can be shipped to Third Countries is that a subset of data can be shipped. Not finding a new home for established data. To me, this subset of data could be lists of emails shipped to MailChimp or similar for correspondence reasons, marketing or transactional.

    Now, we can't access their previous privacy policy as the old site was decommissioned. However, I jumped onto the WayBackMachine via archive.org and accessed their privacy policy from a scrape on 31 May 2021. Sufficiently recent to show the latest version, as Boards attempted the first migration early June 2021. It was last updated 26 April 2021. After I wrote all of this up, I double checked the Privacy Policy on a scrape from 30 June 2021 and its last update date was also 28 April 2021 so it still hadn't been updated.

    31 June 2021 Source [view-source:http://web.archive.org/web/20210627212150/https://www.boards.ie/content/privacy]

    Apologies for the plentiful full Privacy Policy text below, but I believe it's required reading considering the current situation. The Boards Cookie Consent wouldn't go away on the WayBackMachine so I had to scrape the source HTML.

    I'll give it to them, it's a well put together policy with a lot of thought gone into it. I didn't know they used Amazon AWS.


    Now, analysing the policy, a few points jump out. All relevant points in the Privacy Policy at the bottom have been highlighted in BOLD.

    Boards Data Protection Officer can be reached at datarequests@boards.ie

    5.2 "... as any other purpose that we may disclose to you at the point at which we request your Personal Data ..." At the point where they request our personal data appears to be on sign up and any proactive contact after that point. Noting the word "may".

    5.6 : The wording in that, although subjective, means to me a subset of data to carry out certain processes. They elaborate slightly further down.

    5.7 : Their elaboration. The important part is that they mention "that we have engaged to perform certain services in connection with the operation of certain aspects of the Site". At no point did they state that the entire operation / site would be transferred to a third party, never mind a Third Country. To me, this means a subset of data.

    5.8 : A listing of Third Parties and their uses of data.

    5.9 : The only mention in the privacy Policy stating that they may transfer data in full. To be fair, the meaning of this clause is that boards.ie gets bought out or transferred to another company. This is not the current situation.

    6.5 : This is now currently in doubt. Is the site now published in Ireland and governed by Irish Law?

    6.6 : This is the biggy. No data is transferred outside of the EEA excepting certain third party services. Again, they mention services not entire operation. They also mention a few more third parties. New Relic appears to be a telemetry capturing company for analytics and software quality control. Bugsnag is used for crash / error reporting to improve software stability / quality.

    9.1: They state that if this Policy is reviewed and updated, any and all changes will be advised to customers in advance, as well as obtaining consent if necessary.



    Privacy Policy below, in full. Scraped at 31 May 2021 1:58am

    "Privacy

    1. Introduction

    1.1 Boards Software Ltd (‘we’, ‘us’ ‘our’) is committed to protecting your Personal Data. This Privacy Notice applies to your use of the websites and applications: Boards.ie (the “Site”) and sets out how we collect, use and protect your personal data. If you do not agree with the data practices described in this Privacy Notice, please do not use the Site.

    1.2 This notice (“Notice”) has been developed to inform our users about the privacy and security of personal data and to meet our obligations under the Data Protection Acts 1988 and 2018 and the General Data Protection Regulation (the “Data Protection Law”). Under Data Protection Law, personal data is information that identifies you as an individual or is capable of doing so (“Personal Data”).

    1.3 We comply with Data Protection Law and this Notice applies to the personal data collected, processed and stored by us through your use of a Site.

    1.4 For the purposes of Data Protection Law, we are the data controller of your Personal Data. You will find our contact details in the “Contact us” section below.

    2. How we gather data and Personal Data

    2.1 We gather data from your use of a Site for example through the use of cookies. We are not able to identify you from this data. You can find out how we use cookies and how to change your preferences in our Cookies Policy.

    2.2 Technical details in connection with visits to the Site are logged by us and our internet service provider for our statistical purposes.

    2.3 We gather Personal Data when you have logged in with a social media account, when you open an account or when you have provided us with Personal Data; for example, by contacting us via email, private message or through a Site.


    3. What kinds of Personal Data do we collect?

    3.1 We receive and store information you enter on the Site or give us in any other way, including when registering for a commenting account, installing an application, subscribing to a mailing list, making a purchase, as well as provided in your comments, posts and requests.

    3.2 If, during your use of the Site, you log in with your social media account we will collect your social media account details as well as the name and e-mail address associated to that social media account (if available).

    3.3 If, during your use of the Site, you post comments, we will keep a record of your commenting history.

    3.4 The Site creates a user profile when you install an application. We will collect or process data you provide to us in the course of creating or updating a user profile. This information will vary but typically includes your device ID, the versions of our apps you have installed on your device, your reading interests in our Site.

    3.5 If you register with Boards.ie we collect the information you supply on registration as well as any other information you provide to us by email or private message. We collect information which you post on Boards.ie and information relating to your use of Boards generally. This includes, for example, private messages, login and logout times, polls you've voted on, threads to which you have subscribed and posts you've thanked.

    3.6 Our Site offers location based features. When you enable these features we ask for your permission to access location data. We do not track your location.

    3.7 If, during your use of the Site, you sign up to notifications or e-mail newsletters, we will also collect your preferences.

    3.8 If you purchase goods we will collect your shipping address, order contact, payment method and purchase history.

     Information you post

    3.9 Any personal information which you volunteer in your public profile or post on the forums or sites will be available worldwide to anyone with access to the website.

    3.10 For full details on Personal Data and posts, please refer to the sites’ Terms of Use.


    4. Legal basis for processing

    Given the varied functionality of each Site we rely on the following legal bases under Data Protection Law in processing your Personal Data:

    | Legal Basis | Example |
    |---|---|
    | Performance of a contract | We will process your Personal Data to the extent required to deliver the service requested. |
    | Compliance with legal obligations | We may need to disclose Personal Data to comply with a request from law enforcement, or other government agencies or court order. |
    | Legitimate interests | We may need to disclose Personal Data in the event of a complaint or legal action arising from any comment or content posted by that user. We may process Personal Data to personalise content or advertisements. |


    5. How we may use your Personal Data

    5.1 Except as disclosed in this Privacy Notice, we will not disclose Personal Data that we collect to any parties other than those with whom we partner or are affiliated with, without your consent. Except as disclosed below, we will not sell, share, trade, rent, or give away your Personal Data.

    5.2 We may use your Personal Data to process any requests made by you for example, to create a user account, subscribe to a mailing list or make a complaint about a comment/post, respond to your inquiry, and communicate with you when necessary to provide customer service and/or follow-up information related to a Site. We may also use information you provide to communicate with you about your interest in our events and our company, to help us improve, operate and enhance your experience on a Site, to promote our events, notify you about important functionality changes to a Site, new services, and special offers we think you will find valuable, to tailor advertisements, content, and other aspects of your experience on and in connection with a Site, for other administrative purposes, to prevent or detect abuses of our terms of use, for identifying, modifying or deleting nuisance or defamatory material posted by users, and to enable third-parties to carry out technical or other functions on our behalf as well as any other purpose that we may disclose to you at the point at which we request your Personal Data. We may combine non-personal information that you provide with supplemental information (including mailing address updates and demographic data) that we obtain from public sources or reputable third-parties. Information combined with personally identifiable information becomes, and is treated as, Personal Data under this Privacy Notice.

    5.3 When you contact us, we may request your affirmative, positive consent to use your contact information for marketing or other business purposes. In the event you do not consent to the use of your contact information for marketing or other business purposes, your data will not be used for those purposes. If you provide your consent but subsequently do not wish to receive notifications about related opportunities, you will be able to modify your preferences by following the instructions on any marketing correspondence.

    Other websites

    5.4 The Site interfaces social media websites such as Facebook and Twitter, and may use social media plugins (e.g., the Facebook "Like" button, "Share to Twitter" button) to facilitate social media functions.

    5.5 If you are a member of a social media platform or website, and log in to such social media or platform, the interfaces may allow the social media platform or website to connect your visit to a Site to your Personal Data. The social media plugins also may allow the social media website to share information about your activities on a Site with other users of their social media platform. We have no control over the information that other websites or social media websites or plugins collect, store, or use. Before you choose to access other websites from a Site or “like” or share information from a Site through any social media platform or website, please be certain that you review the privacy notice of that social media platform or website.

    Do we disclose Personal Data to anyone else?

    5.6 We disclose customer information to third parties only when it is necessary as part of business practices or when there is a legal or statutory obligation to do so. Whenever we disclose customer information to third parties, we will only disclose that amount of information necessary to meet such business need or legal requirement. Third parties that receive customer information from us must satisfy us as to the measures taken to protect the personal data such parties receive, in accordance with Data Protection Law and as stated in this Privacy Notice. Appropriate measures will be taken to ensure that all such disclosures or transfers of customer information to third parties will be completed in a secure manner and pursuant to contractual safeguards.

    5.7 We may employ other companies and individuals to perform functions on our behalf, including processing credit card payments, marketing, and providing analytics assistance. From time to time, we may also share Personal Data or non-personally identifiable information with third-parties that we have engaged to perform certain services in connection with the operation of certain aspects of the Site, including to customise, deliver, measure, analyse, improve and support our services, content, advertising and layout, your interaction with those aspects, and to deliver more relevant messages and advertisements to you. These third-party service providers are authorised to use Personal Data only if needed to perform their functions on our behalf and are required to maintain the security of your personal information.

    5.8 Third Parties we work with

    The following is the list of companies we work with and may process data on our behalf. We include links to their privacy policy (available at the time of writing) for convenience:

    Google (Advertising, Analytics, Notifications, Office Software and Cloud Storage)

    Mailchimp (e-mail services)

    Facebook, Twitter and Linkedin (Social Media Authentication)

    Stripe, Paypal (Payments)

    Amazon AWS (Cloud computing)

    Pipedrive (CRM)

    5.9 We may also change our ownership or corporate organisation while providing the Site. As a result, we may transfer your information to another company that is affiliated with us, with which we have merged, or which has acquired all or some of our assets. We will advise you if such a change of ownership or change of corporate structure takes place and we will update this Privacy Notice accordingly.

    5.10 We may provide information, when obliged to do so under Data Protection Law and in response to properly made requests, for example, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. We may also provide information for the purpose of safeguarding national security. In the case of any such disclosure, we will do so only in accordance with Data Protection Law.

    5.11 We may also provide information when required to do so by law, for example under a court order, and may transfer data to legal counsel where same is necessary for the defence of legal claims.

    5.12 We may also disclose Personal Data in connection with any complaint regarding your use of the Site. For example, in the event of a complaint or legal action arising from a comment or content posted.


    6. How long do we keep Personal Data?

    6.1 The period for which we retain information varies according to the use of that information. In some cases, there are legal requirements to keep data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain information no longer than is necessary for the purposes for which the data was collected and processed (as described above).

    6.2 User profiles may include personal data, for example when linked to a social media account. This information will be held for as long as you hold a user profile. Following the termination of a user profile we will retain the profile information for a period of up to two years.

    6.3 Personal data submitted through participating in surveys will be kept for up to two years then aggregated (whereby the data is no longer personal data) and/or anonymised.

    6.4 Following termination of the Terms of Use of a Site, your Personal Data shall continue to be retained for a period of up to seven years from the date of termination in accordance with Irish statutory limitation periods.

    How do we protect data about you when or if it is transferred out of Europe?

    6.5 Each Site is published in Ireland and is governed by Data Protection Law and Irish law.

    6.6 We do not transfer any Personal Data outside of the EEA. However, certain third parties providing services to our Sites may transfer data outside of the EEA for example, for storage purposes. These third parties include, for example, Google, New Relic and Bugsnag. If this changes at any point in the future, this Privacy Notice will be updated to take account of this change. We only engage reputable third parties that provide appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.


    7. How you can exercise your rights in respect of Personal Data we hold about you:

    7.1 We shall vindicate all your rights under Data Protection Law. These rights are as follows:

    your right to withdraw your consent to the processing of Personal Data at any time

    your right to request from us access to personal data and to have any incorrect personal data rectified

    your right to the restriction of processing concerning you or to object to processing

    your right to have your personal data transferred to another service provider

    your right to have personal data erased (where appropriate)

    information on the existence of automated decision-making, if any, as well as meaningful information about the logic involved, its significance and its envisaged consequences

    Vindication of your rights shall not affect any rights which we may have under Data Protection Law.

    Exercising your rights, managing information and opting out

    7.2 You may update or change information related to your account by updating the social media account linked to your profile, or by sending us an e-mail at datarequests@boards.ie. You may request that your information be removed from a Site by e-mailing us at the address provided above. You may also unsubscribe from our marketing communications by clicking on the “unsubscribe” link located on the bottom of our e-mails.

    7.3 At any time you can close your Boards.ie user account. Closing your account means we will delete your password, remove any email subscriptions or notifications you may receive, delete all personal data we hold about you and turn off and delete your Private Messages. This process does not remove any posts you have made on the site.

    7.4 You can update or correct your Personal Data, remove it from our system or exercise any of your rights by making a request to us at the contact information provided below. If for some reason access is denied, we will provide an explanation of why access has been denied.

    7.5 We will confirm your request within 21 days of receipt, and process your request within 30 days of receipt.


    8. How does a Site protect personal information about you?

    8.1 We employ reasonable appropriate administrative, technical, personnel, procedural and physical measures to safeguard Personal Data against loss, theft and unauthorised access, uses or modifications. Security and testing are performed on systems containing personal data to verify control effectiveness. Security of these systems is monitored continuously.

    8.2 While we try our best to safeguard your information once we receive it, no transmission of data over the Internet or any other public network can be guaranteed to be 100% secure. It is important for you to protect against unauthorised access to your password and to your computer. Be sure to sign off when finished using a shared computer.

    How can you make a complaint about the Use of Personal Data?

    8.3 Complaints on the use, retention and disposal of personal data can be submitted via email to datarequests@boards.ie.

    8.4 As a user of a Site you also have the right to lodge a complaint with the Data Protection Commission.


    9. Review

    9.1 This policy will be reviewed and updated from time to time to consider changes in the law and the experience of the policy in practice. Any and all changes will be advised to customers and, if necessary, we will obtain your consent prior to applying any changes to any Personal Data collected from you prior to the date the change becomes effective. Your continued use of a Site after such changes will be subject to the then-current policy. We encourage you to periodically review this Privacy Notice to stay informed about how we collect, use, and disclose personal information.


    10. Contact information

    10.1 If you have questions about this Privacy Notice or our treatment of the information provided to us, please contact us at:

    Name: Boards Software Ltd

    ATTN: Data Protection Officer

    Address: 4th Floor Latin Hall, Golden Lane, Dublin 8

    E-mail: datarequests@boards.ie

    --

    Updated 26th April 2021"



  • Registered Users, Registered Users 2 Posts: 5,964 ✭✭✭trellheim


    Hello - the bottom bar still says Hosted by Digiweb - which is correct, please?



  • Registered Users Posts: 1,551 ✭✭✭kaymin


    From your own post, a DPIA is required when

    Data transfer across borders outside the European Union (recital 116), taking into consideration, amongst others, the envisaged country or countries of destination, the possibility of further transfers, or the likelihood of transfers based on derogations for specific situations set forth by the GDPR.

    The data is transferred to Canada, a country with an EU adequacy decision and therefore with equivalent data protection laws as in the EU. There is no indication that data will be transferred further and transfers are not based on derogations. It's fairly obvious that a DPIA is not warranted.

    In respect of the previous privacy policy, Boards stated that 'certain third parties providing services to our Sites may transfer data outside of the EEA for example, for storage purposes.'

    Yet you had no issues with using boards knowing your data could be sent to unnamed third countries? And you only now have an issue because data is being sent to Canada, a country with equivalent data protection measures as the EU?



  • Registered Users Posts: 2,748 ✭✭✭Pelvis Parsley


    Vanilla use hosting in both Canada AND California. Just to highlight...



  • Posts: 3,637 ✭✭✭ [Deleted User]


    Chicago is also referenced. Probably the Interxion datacentre. I had to pursue our own hosting provider for 6 weeks so they could get an updated ISO 27001 certificate from Interxion when it was needed to meet our own compliance requirements for a US based customer.

    I think it's pretty disgraceful that the responses and questions being asked here from @Boards.ie: Odhran, @Boards.ie: Niamh and @Boards.ie: GDPR are going unanswered.

    User concerns about the protection of their personal data should have a higher priority of response IMO and I think it's just another clear indication of just how little Boards Software Limited (incorporated at the end of last year, as it happens) care about their users, our concerns and most importantly, our statutory rights.

    Are you folks going to actually reply here, or are you still too busy scrambling around trying to cover your arses at this time?



  • Registered Users, Registered Users 2 Posts: 7,269 ✭✭✭CantGetNoSleep


    Well have you seen any sufficient response from any boards employee or leadership about the fact that the links don't work, hosting information is still correct, over two weeks after a site was launched?



  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    I disagree with your first point but that's fine. I'll even let the DPIA go, if that ends that argument as that's not the main problem. However, you do notice, don't you, that many sections in GDPR don't use MUSTS and SHOULDS. They use softer words to indicate how you should be thinking when you treat data. They even call some of them guidelines rather than regulations. A lot of GDPR is the spirit of data protection rather than the letter of the law. Even the DPIA text above "taking into consideration". There is no absolute affirmative action in that clause and is open to interpretation and mis-interpretation. Yet you say I'm wrong. I'm afraid only a court of law can make that statement :)

    I agree with your second point. I had no problem [or more correctly, it didn't bother me as much as the current situation] with their Privacy Policy as Boards outlined in their policy which third parties they use and why. Migrating operations to ANY country outside of Europe wasn't in there and still required notice and / or consent. Boards don't do everything right. In fact, in my personal opinion they have been in breach of GDPR since day one by enforcing that the only way you could change your username [a de facto PII] was to purchase a subscription for minimum 1 month. That's not allowed under GDPR and that process is still in place today. Sure Niamh only cited it a couple of days ago in Feedback.



  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    I think they have bigger things to worry about than the site not working properly. Definite squeaky bum time in some offices in Dublin :)



  • Registered Users, Registered Users 2 Posts: 1,363 ✭✭✭ezra_


    Actually, not really.

    Technical problems are generally solvable - nothing they need to do is pushing the limits of computer science, it's just a matter of getting it done.

    Data protection problems, on the other hand, aren't endogenous to effort, and are determined by what you have done and how the DPC views that.



  • Registered Users Posts: 1,551 ✭✭✭kaymin


    I stated that a DPIA is not required / not warranted which I suppose is analogous to saying you are wrong - either way I don't need a lesson on the subtleties of GDPR wording. The decision as to whether a DPIA should be prepared is never going to be decided in a court of law rather based on the consideration of the facts which I have done.

    They migrated storage to Canada and storage in third countries was something that was specifically called out in the old privacy statement. So your second paragraph makes no sense in light of this nor your attitude now to them transferring storage to a third country with an adequacy decision.



  • Registered Users, Registered Users 2 Posts: 35,476 ✭✭✭✭Hotblack Desiato


    @RangeR

    To a lesser extent, Boards deemed it safe to use a hosting provider in a Third Country rather than one of the thousands in EU which would be covered by the more strict and robust GDPR.

    Pretty much the whole point of GDPR is that EU residents' data is covered by it, whether that data is held within the EU or anywhere else.

    So our data is still covered by GDPR, the question is whether Vanilla are compliant with Canadian law, as the EU has decided that Canadian laws provide adequate protection.

    Need clarification on Vanilla having US hosting centres, and fast.

    But yes it's very disappointing that no hosting provider in the whole EU, never mind Ireland, was deemed adequate. Platform and hosting do not have to be tied together.

    Boards is now totally dependent on Vanilla, not just platform but hosting as well. If Boards and Vanilla get into a dispute, Boards is screwed and migration away from Vanilla could be impossible.

    Their funeral...

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 35,476 ✭✭✭✭Hotblack Desiato


    Meanwhile the site still says hosted by Digiweb at the bottom of every page, and none of the links - some of which are statutory requirements - work.

    2 weeks in, that is nowhere near good enough.

    The static part of a website should be the easiest part to get right. These are just pages of text. But very important pages of text.

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 4,187 ✭✭✭smuggler.ie


    To whom it might concern, as it was not advertised or I didn't find it... after heavy pressure here, I believe, links finally up and working. All others obviously still dead.

    https://www.boards.ie/content/privacy

    https://www.boards.ie/content/cookie



  • Registered Users, Registered Users 2 Posts: 5,964 ✭✭✭trellheim



    That first link says our data will not be transferred outside the EEA



  • Boards.ie Employee Posts: 149 ✭✭✭✭✭Boards.ie: Odhran


    Thanks @smuggler.ie we got that sorted finally.

    I posted in another thread but just to reiterate here - it was simply not good enough that it took us this long to get this sorted. It is not like we had to go and get legals drawn up etc... we had everything sitting waiting. I notified the DPC earlier in the week of our failings here - and I will ask them to do a fresh review on the site again to make sure we are meeting all requirements.

    Our new world is taking a bit of time for us to navigate - but we have figured out a lot in the past few days and are making good progress now.

    Thanks again for your patience with us on this.



  • Registered Users, Registered Users 2 Posts: 35,476 ✭✭✭✭Hotblack Desiato


    6.6 We do not transfer any Personal Data outside of the EEA. However, certain third parties providing services to our Sites may transfer data outside of the EEA for example, for storage purposes. 

    Is Vanilla a "storage purpose"? Are they providing just the content delivery platform or are they hosting the database? Are their US data centres involved in any way? Is the site really hosted by Digiweb Hosting as the bottom of each page still says?

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 1,363 ✭✭✭ezra_


    Good morning @Boards.ie: Odhran, I appreciate the update.

    I see in the Privacy Policy that you state that data won't leave the EEA, and that Vanilla are down as software providers only (and not hosting), both of which are contradicted by statements from @Boards.ie: Niamh.

    Can you post (or PM) the DPC incident number that they would have assigned to Boards following your chat with them?

    For good order, can you clarify:

    • Where the data is now hosted, and which company is actually hosting it?
    • Do you consider a breach of personal data to have taken place?
    • Which companies have read access to personal information such as users' Names, E-mail addresses, Social Media data accounts and IP logs?

    I don't think anyone here is calling for GDPR fines or the like. Speaking for myself, I just want to know what you are doing with my data, if what you have recently done with it complies with your policies and GDPR and what you are going to do in future to ensure that this sort of confusion and rather cavalier attitude towards your users' data doesn't happen again.



  • Posts: 0 [Deleted User]


    Why does it still say it's hosted by Digiweb when it clearly isn't anymore?

    Screenshot 31/07/2021 @ 17:25




  • Registered Users, Registered Users 2 Posts: 5,538 ✭✭✭droidman123


    What is it that people don't get about boards.ie? It's a shithole vile site and has been for years, like a lot of others. I am in the unfortunate position of monitoring the mods and "admins" of this and other sites and I can tell you this is one of the most obnoxious sites ever, it has been for years. Do not trust it, personally I wouldn't.



  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully




  • Moderators, Category Moderators, Home & Garden Moderators, Recreation & Hobbies Moderators Posts: 22,407 CMod ✭✭✭✭Pawwed Rig


    I think Droidman drank a little bit too much last night.

    Why is admins in "" while mods isn't?

    Hide the phone when you're on the sauce man.


