New GDPR (General Data Protection Regulation) and phpBB

cally6008
Registered User
Posts: 292
Joined: Wed Nov 26, 2008 10:18 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by cally6008 »

I haven't read all the posts, so I'm not sure if this link has been posted already.


GDPR and a Public Forum

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Alfa-Man, Apr 29, 2018.

https://www.ukbusinessforums.co.uk/thre ... um.387728/
maxrpg
Registered User
Posts: 95
Joined: Thu Jul 30, 2009 12:33 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by maxrpg »

I think the bottom line in all this is that, in order to be GDPR compliant, you need to do the following:
  • When a user requests to be deleted you should delete their account and all posts - this will comply with the right to be forgotten
  • Settings such as 'receive messages/emails from administrators/board' need to be set to NO by default - this will comply with subscribing
  • Update your T&Cs to show that you don't share/sell/make public their information with anyone - complies with data sharing

Want to keep users' posts after deleting their account:
Actively moderate all posts to make sure they don't contain any personal information and edit/delete those posts as required. Or activate post approval for everyone.
As long as no posts contain the member's personal information you could, before deleting their account, change their username to something like "Keeper001" and do the same for others as and when members request account deletion, "Keeper002", "Keeper003" and so on.

Doing the above would leave nothing in the posts (including username) which can be classed as personal data or that could be used to identify a specific individual. If a user complains that your forum has kept their posts when they asked for their account to be deleted the simplest response would be "Prove it?", "Prove these posts were yours." ...they can't because those posts no longer contain any information that can be traced back to that user. So what is there to complain about?

The other issue I suppose could be web archiving sites, scrapers that go through your site and grab the page data or take screenshots that could show the member's username etc. A quick and mostly effective solution to that could be to hide usernames, avatars, signatures from bots browsing your site...or block them altogether.
My go to phpBB based site and hangout is Codenstuff
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

There's no need to make many accounts for posts (keeping). Just have one account as robot or whatever and change a poster that wants to be forgotten to that single account. If it contains personal data, remove it & done. Of course it may be a good idea to put a rule in a privacy, that we will keep posts, but if it contains personal data, it shall be removed.

It's pointless to complain about posts that are public & don't contain any personal/private data.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

You write well, but ... this stupid GDPR considers almost everything to be personal data. Read the definition from the regulation. It can be a style of speaking, writing, appearance, style of walking (!), any features that characterize a person. On a technical forum like this it is simple because we write about phpBB. In a forum like mine, people write about themselves and their lives and problems. So I have a real dilemma with these posts, but I want to keep them after deleting the account because otherwise the whole forum will fall.
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

rajpb wrote: Tue May 08, 2018 5:22 am
CHItA wrote: Sun May 06, 2018 7:32 pm Yeah, and nobody will comply with GDPR that doesn't do business in the EU and the EU cannot do anything about it (just apply the same logic if the US would try to force a speeding ticket on you because you drove 130 in Poland on the highway or 200 in Germany). Probably that is why.
Well, EU can't force You to apply GDPR in phpbb. But it can force EU citizens to not use programs which have no GDPR applications. So if You don't apply GDPR it is possible that all phpbb forums in EU will be closed.
What you quoted was in relation to phpbb.com as the original question was about that if I understood correctly.

On another note, it seems to me that many of you take offense whenever someone points out that GDPR is somewhat stupid or non-applicable in some cases. It is completely fine and I agree that it is important that our users can comply with legal requirements, however, it seems to me that many of you also believe that this regulation is for bullying everyone which is just ridiculous.

Lastly, on the topic of deleting or not deleting posts: GDPR 9/2/e) allows processing of any personal data of the super sensitive type if it was explicitly made public by the data subject. So along with the fact that you and/or a third party might have legitimate interest in keeping the posts (6/1/f), you can keep usernames as well.

And now, let ICO explain it even better:
You may prefer to consider legitimate interests as your lawful basis if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.
Now, probably this is about as reasonable as any of the previous analysis of GDPR before. I'm not a lawyer, you're not lawyers, so let's chill out a bit. The functionality proposed in the extensions is more than enough on the technical side of things for anyone to comply with GDPR. In my personal opinion you can keep usernames if you remove all other data, as after that nobody can ever prove that the CHItA on your African snail forum is me or not, thus it is not a personal identifier in any way anymore.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Joomla is preparing a release in line with GDPR. They plan to build basic elements in the core. In addition, there will be a new API providing privacy for extension programmers.
WordPress today has several ready Plugins to ensure compliance with GDPR. Invision also has some solutions. Will only phpBB remain without this?
The entire European community of phpBB is waiting for solutions on which David63 and Tas2580 are working. Gentlemen, you are our hope!
Mick
Support Team Member
Posts: 26456
Joined: Fri Aug 29, 2008 9:49 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick »

tojag wrote: Thu May 10, 2018 7:55 am The entire European community of phpBB is waiting for solutions
I doubt that very much, for example, I’m not.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel
Wes of StarArmy
Registered User
Posts: 291
Joined: Fri Mar 04, 2005 2:59 am
Location: StarArmy.com

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Wes of StarArmy »

Another forum software I used is adding a feature where people's "personal information" fields like location, age, etc. can be exported by the admin as a simple XML file and also imported back. The idea is to satisfy the right to data portability. Also they changed the logs so that the information about consenting to the privacy policy is stored permanently.

That's basically all a forum needs to work with the GDPR. Otherwise just uncheck your email opt in boxes in user registration and rename any account before you delete it and I think you're pretty golden.

The main work I had to do was just updating my privacy policy which I ended up paying money to get help with since I am not a lawyer.
ajtruckle
Registered User
Posts: 118
Joined: Tue Apr 19, 2005 10:37 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by ajtruckle »

I have been on holiday for a week in America and I have had many emails pumped through on this subject here. I suggest you lock it. You can’t have many chiefs. At the end of the day you will supply any changes that you see fit. And we will appreciate that and work within it.

I use MantisBT and there are no complications about this stuff. Not even sure what they are doing.

Andy
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Return to the possibility of storing entries after deleting a user account...
What about attachments? Is the deletion after the account is deleted or not? I never checked it.
What happens if it stays in posts? I know, the user can delete attachments from the UCP before deleting the account. But he/she can forget about it. Some attachments may contain photos with a face. Some links in posts may go to photos on an external server or post author sites/profile in social media. It can reveal their identity...
So, delete posts? :(
lopoto
Registered User
Posts: 111
Joined: Thu Feb 12, 2015 3:13 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by lopoto »

Gregory, you take care of the big things, leave it and go for a walk, life is not ending with GDPR

The EU is again straightening bananas :mrgreen:
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by 2600 »

tojag wrote: Tue May 15, 2018 9:27 pm Return to the possibility of storing entries after deleting a user account...
What about attachments? Is the deletion after the account is deleted or not? I never checked it.
What happens if it stays in posts? I know, the user can delete attachments from the UCP before deleting the account. But he/she can forget about it. Some attachments may contain photos with a face. Some links in posts may go to photos on an external server or post author sites/profile in social media. It can reveal their identity...
So, delete posts? :(
When you delete a user account all of their posts and attachments should be deleted as well. At least that's what I have discovered with test accounts.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by canonknipser »

John connor wrote: Wed May 16, 2018 2:44 pm When you delete a user account all of their posts and attachments should be deleted as well.
Only if you choose "Delete Posts" when deleting the user account. If you keep the posts, the attachments are kept as well and both are assigned to the guest user.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

However, it does not look good. There is a great risk that retaining posts may reveal the identity of a person who does not want to.
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

Where's the problem? Remove data that points to private info & all will be good. This pointless (seems like endless) cycle is like Don Quixote's fight against windmills.