GDPR, Boards.ie and Vanilla, how does this work?

[Deleted User] · 05-08-2021 11:08am

I posted on the email thread at 8am that I had received a security alert from Microsoft relating to the email address I use for boards.ie. I haven’t had a response yet to that post from any staff member.

I never use this email address and never check it. It could be 5 years or more since I last looked at it. It’s just out of sight and out of mind. I followed Microsoft procedure and changed the password

Seems to be a few posters in here that know what they’re talking about when it comes to GDPR and privacy and I’d be grateful if you’d advise me on what else I may need to do.

[Deleted User] · 05-08-2021 2:00pm

What was the specific warning from Microsoft?

theres generally a panic about GDPR, often by people who overthink it.

Firstly you don’t have to be informed of data movement between compliant countries. There’s no actual computer with your name on it. You data, even if held with one company, is held in multiple data centres and/or moves between them and thus between countries.

data movement under GDPR to a third non EU country depends on adequacy decision

https://www.dataprotection.ie/en/organisations/international-transfers/transfers-personal-data-third-countries-or-international-organisations

An adequacy decision means that the European Commission has decided that a third country or an international organisation ensures an adequate level of data protection.

here’s a lost of countries that adhere to the adequacy decision:

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.

from here

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[Deleted User] · 05-08-2021 2:18pm

This was the email

jammiedodgers · 05-08-2021 3:09pm

If you use the same password anywhere else make sure you change it @Strawberry Milkshake

db · 05-08-2021 8:11pm

https://www.boards.ie/discussion/comment/117700472#Comment_117700472

It was on the old site when I registered back in 2003 and I don't use many forums but it would be on most of those I have registered on.

Esel · 05-08-2021 8:36pm

https://www.boards.ie/discussion/comment/117712235#Comment_117712235

Are you saying there was an option on the old Boards vBulletin site to allow users to see your email address?

db · 05-08-2021 8:47pm

https://www.boards.ie/discussion/comment/117712349#Comment_117712349

Yes, it was definitely there when I signed up. It is possible it was removed from the profile page some time after that but the field would have remained in the database to reappear on the Vanilla profile page with whatever value was there previously.

Esel · 05-08-2021 9:00pm

https://www.boards.ie/discussion/comment/117712394#Comment_117712394

That is verrry interesting!

Carfacemandog · 06-08-2021 1:12pm

https://www.boards.ie/discussion/comment/117709332#Comment_117709332

https://www.boards.ie/discussion/comment/117669293#Comment_117669293

OK this is concerning, because I have received multiple emails like this in the last week or two. I didn't think much of it initially, but they line up pretty much exactly with when boards.ie came back online.

Edit - was replying to strawberry milkshake. For some reason a second post has been quoted, and now I can't seem to remove it on mobile. Could this migration and 'facelift' have gone worse?

Carfacemandog · 06-08-2021 1:18pm

I won't lie, this whole thread has been a nightmare to read and the repeatedly unanswered questions despite being asked multiple times, basically say all they need to.

The behaviour of some mods has also been... expected. Many people very upset over what appears to be multiple GDPR breaches and (surprise surprise) a complete lack of care for users and their privacy, and some of them think this is the right time and place to come in with the mockery and snark?

Sadly, as I said, utterly expected. I would imagine the official staff must be cringing when reading them. I've worked in customer service before, and can only imagine having to deal with multiple complaints that appear very much founded, while "colleagues" take the opportunity to heckle the complainers.

[Deleted User] · 06-08-2021 1:41pm

@Carfacemandog

I logged the issue with the data protection commissioner. Considering HQ are still not responding it was the only thing I could do.

RangeR · 06-08-2021 1:49pm

https://www.boards.ie/discussion/comment/117715283#Comment_117715283

While I totally understand that, it's possible that the DPC will come back and request you to exchaust all avenues with the company. They aren't replying here but you could send a formal letter of complaint via registered post, to their head office, addressed to their Data Protection Officer, giving them 30 days to reply. I know this is a pain but it's the final exhaustive measure before bringing in the DPC.

Carfacemandog · 06-08-2021 1:57pm

@Strawberry Milkshake @RangeR

You're both right, looks like it might need escalating but always, always, always keep the receipts (re. Reg post etc).

It also turns out that boards continuing to claim they are hosted by digiweb on the desktop site is indeed fooling people. Strawberry milkshake made a thread in After Hours which was promptly closed, but surely enough ilpeople are still under the impression that their data is in the EU under Digiweb.

Can someone please address this? It has been raised multiple times in this thread but appears to have just been ignored on each occasion, unless I missed an answer somewhere.

https://www.boards.ie/discussion/comment/117715215#Comment_117715215

Giblet · 06-08-2021 2:01pm

https://www.boards.ie/discussion/comment/117715411#Comment_117715411

I'm just lazy! They explain this in the pinned post in Feedback. The bigger issue here would be, how would they execute a Right to be Forgotten request, and what would it involve.

Remember, they need a policy on the following.

Threads, Posts, PMs, Quoted messages, Aggregations / feeds, backup rotation (and purging when restored from pre the request), log rotation, long term storage (Tape / Cloud), as well as requests to third party processors that such a request was issued.

As well as requests to handle deleting / editing posts which contain PII data of another person.

Not everything has to be deleted immediately, but there is requirement that it eventually is removed.

brimal · 06-08-2021 2:15pm

Why is privacy policy and cookie policy still not visible on mobile??

Leg End Reject · 06-08-2021 3:00pm

https://www.boards.ie/discussion/comment/117715569#Comment_117715569

Good question, just don't hold your breath waiting on an answer.

Silly Gilly · 06-08-2021 5:27pm

I've started a Twitter thread on the issues. It includes some of Ireland's top tech journalists, along with the former Talk To companies plus the Data Commissioner. If people add their voice it will give more weight to the complaints.

https://twitter.com/gillian_om/status/1423679147826728963

Fr_Dougal · 06-08-2021 5:32pm

I’d imagine the likes of Liberty Insurance, and Bank of Ireland won’t like what’s going on. Especially considering how heavily regulated both the banking and insurance sectors are, boards.ie are falling short in their GDPR compliance with this PM issue and their Data Breach.

[Deleted User] · 06-08-2021 6:02pm

The companies that had talk to forums should be held accountable too though. All of those forums are archived, not deleted. Where were the procedures for the reps to delete PMs after X amount of time?

They all just packed up and never looked back.

El Gato De Negocios · 06-08-2021 7:33pm

https://www.boards.ie/discussion/comment/117716749#Comment_117716749

Quite possible they thought the same as we all thought, that a deleted message is actually deleted. I'd find it very hard to believe that they would just shut up shop and simply abandon the accounts without some form of clean up. Most likely that as each query received by them (or any of the talk to reps) gets resolved they "deleted" all associated messages.

Leg End Reject · 06-08-2021 7:51pm

https://www.boards.ie/discussion/comment/117716749#Comment_117716749

Others have said they did delete them and that if you went back to them about a previous issue they asked for all the info again as they delete it to comply with data protection.

It seems they thought delete meant delete too. That's an issue for Boards regardless of whether they were aware of it or not.

el Fenomeno · 06-08-2021 8:13pm

https://www.boards.ie/discussion/comment/117717131#Comment_117717131

Yes, I don't think it's unreasonable to assume that the Talk To forum reps deleted their private messages, and as far as they were concerned, that meant they were deleted for good.

Much like regular forum users, that was a perfectly valid assumption to make.

Why these PMs weren't completely deleted from the Boards back end is what needs to be answered. I wouldn't be holding Talk To reps accountable for that.

[Deleted User] · 06-08-2021 9:49pm

What a mess.

Not happy with his this has been handled. Cloak and daggers before the move and then we find out the host has all our data in Canada and the sites a sieve of personal information.

I have send an erasure request which by the way boards, is a very standard plugin on most platforms like mybb, vboard, phpBB and WordPress. Users can just click a button in their profiles. So I'm baffled why it's such an issue for you lot.

Fr_Dougal · 07-08-2021 12:47pm

If anyone is having issues or had issues with old PMs reappearing and they were related to to any of the business from the TalkTo forums, contact those companies Data Controller. Most of these companies have a strict policy on where data should reside, and would be horrified to find out that boards.ie have made them non-compliant with their own terms and conditions regarding data.

They will follow up with the Data Commissioner for you. It’s not just the current TalkTo companies that you can contact, you can contact all of them including the archived companies.

These companies will be very interested to find out that boards.ie moved their customers data outside of the EU.

trellheim · 07-08-2021 12:52pm

As those of us with many years database schema migration between platforms know very well indeed, detailed user acceptance testing of everything is important.

I'd have had my bollox nailed to the wall tho as an example to others in the job if I'd moved production out of the EU without user signoff first. But thats just me