New GDPR (General Data Protection Regulation) and phpBB

andrewilley
Registered User
Posts: 114
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley »

I was a bit puzzled that phpBB (at least v3.2.1 that I'm running) doesn't seem to have a link back to the Terms of Use (or even Privacy Policy if wanted; I link mine from Terms of Use anyway though) easily accessible on each page, such as somewhere in the generic footer area. So I took a quick look and have added it to the footer bar that currently contains Contact, Team, Members, Delete Cookies, etc.

If anyone wants to do the same on a vanilla Prosilver installation, the file you need to edit is navbar_footer.html inside the folder /styles/prosilver/template. Just add the following lines between one of the existing similar entries (precisely where you place it is up to you - I added mine near the end of the file, so the new item shows before "Contact" in the footer bar). This code is responsive and language-mapped:

Code:

	<li class="rightside" data-last-responsive="true">
		<a href="{U_TERMS_USE}" role="menuitem">
			<i class="icon fa-info-circle fa-fw" aria-hidden="true"></i><span>{L_TERMS_USE}</span>
		</a>
	</li>

Andre
--- Admin of www.portorleans.org
Talk19Zehn
Registered User
Posts: 846
Joined: Tue Aug 09, 2011 1:10 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Talk19Zehn »

DGSVO in Europe

Hello, a data collection includes, for example, the user notes in the moderation range or discussions in inaccessible areas about registered users. This need has to be proven?
If facts do not really correspond, that data collection (personality right) basically does not apply. Messages that are collected that suggest a criminal offense (* insult, for example) and much more are not transparent.

In my view, the operator has in principle to inform the registered user. Such a function is missing. Transparency is basically not given by default.

Hidden files, user discussions, erroneous * messages and much more is not allowed to inform users according for/to my informations, possibly not important, a phrase in europe?

Furthermore, data collection means more than suspected.
If I, you, he, she had knowledge of it, at least a self-report would also be possible vis-à-vis state authorities.

By the way: IPs to be transferred via the contact page is not allowed, if there is no consent.
And so on ...

Sorry if this great software => phpBB does not meet the required conditions, challenge.

Best regards

====
Edit: 25.04.2018, 23:55
I personally think support in concepts is certainly important and desirable by the developers from the European area. We can only inform and sensitize the regulations.


Okay, best wishes to all
Best regards
phpBB3 Designs - My own works: Stylearea Ongray-Designs, Adventinducement-Calendar for phpBB
AmigoJack
Registered User
Posts: 6113
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

Talk19Zehn wrote: Wed Apr 25, 2018 8:38 pm DGSVO in Europe
No, in Germany only, and there it's DSGVO. I.e. Austria has voided almost all penalties, making its national version quite harmless.

Talk19Zehn wrote: Wed Apr 25, 2018 8:38 pm IPs to be transferred via the contact page is not allowed, if there is no consent
Unrelated if you say that yourself or if you're quoting: TCP/IP transfers IP addresses with every request and every response. Do not access websites if you don't want to give consent.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
andrewilley
Registered User
Posts: 114
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley »

AmigoJack wrote: Thu Apr 26, 2018 6:58 am Unrelated if you say that yourself or if you're quoting: TCP/IP transfers IP addresses with every request and every response. Do not access websites if you don't want to give consent.
Same goes with Cookies, but that hasn't stopped the Eurocrats deciding that people need to be warned and protected from every last one of them.

And if they knew anything about technology they'd know that WAN IP addresses do NOT identify a unique person, they identify a router connection or at worst a specific device (and in most cases they are dynamic and change regularly anyway).

In short, they seem to be clueless idealists - but maybe that's why they are bureaucrats rather than working in the tech field themselves.

Andre
--- Admin of www.portorleans.org
Talk19Zehn
Registered User
Posts: 846
Joined: Tue Aug 09, 2011 1:10 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Talk19Zehn »

Hello, GDPR / DSGVO
--> European - Member state of the European Union: https://en.wikipedia.org/wiki/Member_st ... pean_Union
BTW:
United Kingdom's exit from the EU, United Kingdom - Brexit: https://en.wikipedia.org/wiki/Brexit
and more about the history of European Union–United Kingdom relations: https://en.wikipedia.org/wiki/History_o ... _relations


--> european --> Datenschutz-Grundverordnung (short DSGVO, in english GDPR for General Data Protection Regulation)

General Data Protection Regulation (GDPR) - language english: https://gdpr-info.eu/
read for informations perhaps here -> Chapter 3 - Rights of the data subject: https://gdpr-info.eu/chapter-3/

Datenschutz-Grundverordnung (DSGVO) - language german: https://dsgvo-gesetz.de/
among others, see for example -> Chapter 3 - Rights of the data subject: https://dsgvo-gesetz.de/kapitel-3/


In terms of e-mails ......
E-Mail: contact_admin.txt (examples language-dependent)
phpBB3\language\en\email\contact_admin.txt

Code:

Hello {TO_USERNAME},

The following is an e-mail sent to you through the administration contact page on "{SITENAME}".

<!-- IF S_IS_REGISTERED -->
The message has been sent from an account on the site.
Username: {FROM_USERNAME}
E-mail address: {FROM_EMAIL_ADDRESS}
IP Address: {FROM_IP_ADDRESS}
Profile: {U_FROM_PROFILE}
<!-- ELSE -->
The message was sent from a guest who specified the following contact information:
Name: {FROM_USERNAME}
E-mail address: {FROM_EMAIL_ADDRESS}
IP Address: {FROM_IP_ADDRESS}
<!-- ENDIF -->


Message sent to you follows
~~~~~~~~~~~~~~~~~~~~~~~~~~~

{MESSAGE}

or phpBB3\language\de\email\contact_admin.txt

Code:

Hallo {TO_USERNAME},

die folgende Nachricht wurde dir als Administrator über die Kontakt-Funktion auf „{SITENAME}“ gesendet:

<!-- IF S_IS_REGISTERED -->
Die Nachricht wurde von einem registrierten Benutzer gesendet.
Benutzername: {FROM_USERNAME}
E-mail-Adresse: {FROM_EMAIL_ADDRESS}
IP-Adresse: {FROM_IP_ADDRESS}
Profil: {U_FROM_PROFILE}
<!-- ELSE -->
Die Nachricht wurde von einem Gast gesendet, der folgende Kontaktdaten angegeben hat:
Name: {FROM_USERNAME}
E-mail-Adresse: {FROM_EMAIL_ADDRESS}
IP-Adresse: {FROM_IP_ADDRESS}
<!-- ENDIF -->


Es folgt die an dich gesendete Nachricht
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

{MESSAGE}

This (example) output is contained in memberlist_email.html
And there you currently still find only one event, <!-- EVENT memberlist_email_before -->, so the contact page can be rewritten only by detours. Is that right?
And guests cannot request a copy of emails. :D ==> Okay, okay, so we can use ext/hifikabin/obscurecontactus, but then the entries in the contact page are no longer available, reachable. ;)

Best regards
Best regards
phpBB3 Designs - My own works: Stylearea Ongray-Designs, Adventinducement-Calendar for phpBB
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

Satusnovus
Registered User
Posts: 98
Joined: Mon Sep 12, 2016 9:44 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Satusnovus »

I've read discussions here about deleting posts if someone asks to do so. Well, from the start of my forum one of the regulations of my board is that posts will never be deleted unless they are in conflict with the regulations.

Only problem seems to be that a post is linked with an IP address and if someone asks me to delete the IP addresses, can I do that while keeping the posts?
HiFiKabin
Community Team Member
Posts: 6677
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin »

Don't forget you have a 'right to archive' which linked to your other post on the Privacy Ext may make things clearer
maxrpg
Registered User
Posts: 95
Joined: Thu Jul 30, 2009 12:33 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by maxrpg »

Here's what I have done so far in order to comply, as best I can, with the GDPR.

Have Mass emails and notifications turn OFF by default
with a notice at first login informing the user they have to turn them on if they want to receive them.

Change the policy and T&C text to cover privacy, data usage etc. Add link to them in the footer.
Even though a lot of it is there already.

Add text in the form of an attention grabbing notice above the SUBMIT button on the posting page saying "Remember: Do not include any personal information about yourself or anyone else in your posts". Along with this I have added some code (modification) to the posting file at the point of submission which checks if the text contains an e-mail address, phone number or social media link/url, if it does then the post will be flagged to be checked/edited/approved by a moderator before it goes public.

Given users the option to download their personal data
CSV file containing everything we have on them including post titles, dates & times, All IP addresses they've used etc.

Added a "Delete my account" button in the UCP.

I don't think I can do much more than that. If people fail to read the terms of the site etc. and choose to ignore all the warnings about posting their personal data then that is their problem, they can't say they weren't warned over and over and over again.

I honestly don't know what else we could possibly do. I'm sick of this GDPR stuff now.

Maximum fine of 20 million euros or 4% of your annual turnover for non-compliance, you say? - Considering no money is made from my site I wish you good luck with that one. See you in court lol
My go to phpBB based site and hangout is Codenstuff
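
The pre-publication check described in the post above (hold a post for moderation when it contains an e-mail address, phone number or social media link) could be sketched as follows. This is an added example, not maxrpg's modification and not phpBB code; the function names, the patterns and the social media host list are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not phpBB code. Names, patterns and the host list are assumptions.
const PII_PATTERNS = [
    'email'  => '~[A-Z0-9._%+-]+@[A-Z0-9-]+(?:\.[A-Z0-9-]+)*\.[A-Z]{2,}~i',
    // Phone candidate: optional +, then digits with common separators.
    'phone'  => '~(?<![\w.])\+?\d[\d\s()./-]{6,}\d(?!\w)~',
    'social' => '~\b(?:https?://)?(?:www\.)?(?:facebook|instagram|twitter|linkedin)'
              . '\.com/[^\s<>"\']+~i',
];

/**
 * Return matches per category, e.g. ['email' => ['a@b.example']].
 * Phone candidates count only with 9 to 15 digits, so dates such as
 * 2018-04-25, version numbers and short IDs are not flagged.
 */
function find_personal_data(string $text): array
{
    $found = [];
    foreach (PII_PATTERNS as $type => $pattern) {
        if (!preg_match_all($pattern, $text, $m)) {
            continue;
        }
        $hits = $m[0];
        if ($type === 'phone') {
            $hits = array_filter($hits, static function (string $hit): bool {
                $digits = preg_match_all('~\d~', $hit);
                return $digits >= 9 && $digits <= 15;
            });
        }
        if ($hits) {
            $found[$type] = array_values(array_unique($hits));
        }
    }
    return $found;
}

/** True when the post should go to the moderation queue instead of going public. */
function needs_moderation(string $text): bool
{
    return find_personal_data($text) !== [];
}

// Constructed sample posts.
$samples = [
    'Mail me at jane.doe@example.org or ring +44 20 7946 0958.',
    'Released 2018-04-25, version 3.2.1 fixes 114 bugs.',
    'My profile: https://www.facebook.com/some.user',
];
foreach ($samples as $post) {
    printf("%-4s %s\n", needs_moderation($post) ? 'HOLD' : 'OK', $post);
}
```

The first and third sample are held and the second passes. A false positive only costs a moderator a look, so the patterns lean toward over-matching rather than under-matching.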
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

HiFiKabin wrote: Sat Apr 28, 2018 12:21 pm Don't forget you have a 'right to archive' which linked to your other post on the Privacy Ext may make things clearer
I repeat again - on the basis of GDPR you do not have the right to archive any personal data if the user wants to delete his data.

Maxrpg, you did what I did. At this point, the most difficult interpretation is whether posts are personal data. If so, they should also be deleted. If not, they can be kept on the basis of relevant provisions of the forum regulations. I have it recorded that the user grants me an indefinite license to use the content of posts in every possible aspect.
I have not come up with anything better for now.

I will not delete IP. GDPR treats IP as personal data but only in combination with other data that can identify someone. Since I do not have access to these other data, because these are data held by telecommunications companies, I do not have the possibility to connect an IP to a specific person because a telecommunications company cannot share such data with me. It would be a violation of the law by this company.

The EU really got us a big problem with this GDPR.
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

Archiving data Article 89
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
andrewilley
Registered User
Posts: 114
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley »

GanstaZ wrote: Sun Apr 29, 2018 1:39 pm Archiving data Article 89
For example, here is just one clause out of many:

Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

And they seriously expect anyone to understand, let alone comply, with this utterly meaningless bureaucratic twaddle? Even with English as my first language, and 10 GCSEs and 4 A-Levels under my belt, I have not the slightest clue what they are on about. And there's another 55,000+ words of this rubbish that we are apparently meant to wade through just to run a piddling little informational website which has been working just fine for 10 years.

And then they have the bare-faced cheek to suggest that websites should be writing their Terms & Conditions in plain language so people can understand what they are signing up to?! Are they taking the p!ss or what?

Andre
--- Admin of www.portorleans.org
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

Well.. if someone doesn't understand what is written in regulations or rules, they have a right to ask for clarification & that is all. GDPR is just a manipulation & money making system. It seems, that it will be the biggest data collector/analyzer & not much of a protector.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

GanstaZ wrote: Sun Apr 29, 2018 1:39 pm Archiving data Article 89
This law applies only to state institutes, historical or statistical institutes, for public purposes such as health protection or similar. This does not apply to private forums. Your private forum, even if it is run by a charity, foundation or company, is not a public interest in the understanding of GDPR. Public goals are goals set by the state and by the state are controlled. My, our, your forums are just only a private deal not a public interest. I would like to be wrong.
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

andrewilley wrote: Sun Apr 29, 2018 4:56 pm Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Translation: Each member state of the EU may decide on its own on a case by case basis if the information retained is absolutely necessary for the furthering of scientific or historic research or statistical keeping, provided that information would render that historical and statistical tracking useless if it was missing... and the exclusion of data subject rights would be absolutely necessary for such purposes.

This makes me question the whole logic and theory that logs must be rotated, accounts must be deleted, things have to be erased... etc. To me, this makes it seem like the law is intended only for tracking cookies and targeted advertisements. Would make for an interesting defense in court, if any of you are in the EU and the scope of this bs.

Then again, the ICO appears to not even know the law based on the conflicting responses to various inquiries posted around the net that people receive... I gotta wonder if the ECJ will even know what the 🐦's going on with this law. A good lawyer could tie them up with all sorts of appeals.
tojag wrote: Sun Apr 29, 2018 11:04 pm This law applies only to state institutes, historical or statistical institutes, for public purposes such as health protection or similar. This does not apply to private forums. Your private forum, even if it is run by a charity, foundation or company, is not a public interest in the understanding of GDPR. Public goals are goals set by the state and by the state are controlled. My, our, your forums are just only a private deal not a public interest. I would like to be wrong.
Huh? How are forums not in the public interest?

I seriously think that "public interest" is just an addition to it, not saying that the archiving can only occur if it's in the public's best interest, as per the above quote/paragraph.