New GDPR (General Data Protection Regulation) and phpBB

[tojag]

Tlem You are wrong and very much. You as a forum owner provide you with a service. You are responsible for fulfilling the GDPR requirements. For forum users, writing on it can be a hobby, for you it is an activity subject to GDPR.
I see that you do not understand GDPR completely. You are extracting fragments detached from the whole. At any place, GDPR does not treat IP, for example, differently from other data described in the definition. At any place, GDPR does not treat private and public personal data. In both cases, these are personal data and are protected by law.
GDPR requires the right to be forgotten, this also applies to the archives of databases. It is currently one of the biggest technical problems - archives may require older versions of systems. Read what troubles big companies have in this area.
GDPR does not require anything from the person whose data it processes, it requires everything from you. You must show relevant information, collect consent, provide rights, etc. The user does not have to either remember their posts or browse them and look for what was in them. GDPR transfers this to the administrator. Admin is responsible for providing information to the user if he is in charge and asks what data he has. Admin must delete or anonymize this data. Not a user.
The only thing I'm hoping for is that really run out of resources and time to check everyone.
Good night

[tlem]

This is your point of view.
Mine and that of many others is different and obviously you will not change your mind.

Personally, everything on my forums is voluntary, without ads and I do not sell or transmit any information to anyone. The only income is donations made by some members once or twice a year and to be quite honest Article 6 and 7 of the GDPR allows me to sleep soundly.

So wait and see.

[Lumpy Burgertushie]

Tlem You are wrong and very much. You as a forum owner provide you with a service. You are responsible for fulfilling the GDPR requirements. For forum users, writing on it can be a hobby, for you it is an activity subject to GDPR.
I see that you do not understand GDPR completely. You are extracting fragments detached from the whole. At any place, GDPR does not treat IP, for example, differently from other data described in the definition. At any place, GDPR does not treat private and public personal data. In both cases, these are personal data and are protected by law.
GDPR requires the right to be forgotten, this also applies to the archives of databases. It is currently one of the biggest technical problems - archives may require older versions of systems. Read what troubles big companies have in this area.
GDPR does not require anything from the person whose data it processes, it requires everything from you. You must show relevant information, collect consent, provide rights, etc. The user does not have to either remember their posts or browse them and look for what was in them. GDPR transfers this to the administrator. Admin is responsible for providing information to the user if he is in charge and asks what data he has. Admin must delete or anonymize this data. Not a user.
The only thing I'm hoping for is that really run out of resources and time to check everyone.
Good night

why is your opinion about what the DGPR requires any more likely to be the truth that any of the other people who have posted in this topic?

I would bet that even the people who wrote this pile of crap don't really know exactly what it all means.

remember, whatever you think it all means is just your opinion based on your understanding of it. that is also true of everyone else here.

it is all opinions because there is nothing absolutely clear about any part of it that I have read here in this topic.

robert

[Lumpy Burgertushie]

Although we charge for club membership, we are not a profit-making organisation

If the UK is no longer a part of the EU then I doubt that it applies to them any more than it would to the US or any other country.

however, it will certainly all be fought out in court eventually. probably by finding the new law unlawful to begin with.

just go on about your life with your board and don't worry about it so much.
"they" are not going to come along and take away your birthday because you are in some minor infraction of a law that nobody really understands anyway.


robert

[Mick]

Although we charge for club membership, we are not a profit-making organisation

If you go to the ICO website there’s a simple survey you can follow.

[david63]

If the UK is no longer a part of the EU then I doubt that it applies to them any more than it would to the US or any other country.

The UK is still in the EU and even when we leave all EU law will be made into UK law so GDPR will still apply.

[tojag]

why is your opinion about what the DGPR requires any more likely to be the truth that any of the other people who have posted in this topic?

A few years ago when I wrote here that IP and email are personal data, everyone here had a different opinion because they probably did not read the regulations.
Now no one denies it.
I would like to read here from some people "I'm sorry, you were right"
I really would like to be wrong, unfortunately my interpretations of the law are usually correct.
That's why I will stay with anonymisation. Maybe it will protect me in the case of control.

[david63]

I would still contend that currently for the majority of users an IP address is not personal data, but I do accept that it is defined as such in the regulations.

• How can an IP address be personal when I can have it one day, somebody else tomorrow and somebody else the day after?
• How can an IP address be personal when everyone in the house uses the same IP address?
• How can an IP address be personal when it is used from, say, an office where there are possibly hundreds of users?
• How can an IP address be personal when it is accessed via a mobile gateway?

This part of the regulation is aimed at static IP addresses and until such time as IPv6 is rolled out (if ever!) then the vast mojority of users worldwide are using dynamic IP address.

[tojag]

David, but it does not matter our perception of this. With many laws, people do not agree, but they must respect them. In particular, specialists in a given field see this field differently than other ordinary people. GDPR has been created to protect people who do not necessarily know what is happening with their personal data. I think that the intention was to deal with large companies and institutions, but it also came in small and we have to submit to it

[CHItA]

David, but it does not matter our perception of this. With many laws, people do not agree, but they must respect them. In particular, specialists in a given field see this field differently than other ordinary people. GDPR has been created to protect people who do not necessarily know what is happening with their personal data. I think that the intention was to deal with large companies and institutions, but it also came in small and we have to submit to it

GDPR doesn't differentiate between personal data that is made public or handled invisibly to the user (except in some minor ways like if a user puts his "sensitive" personal data in a post, so makes it explicitly public then you can "process" it, which otherwise would be forbidden). And GDPR considers everything personal data that could be used as a part of the puzzle to identify you. So while IP addresses don't really identify anyone, it could be the case that if you have other data, you could use that with the IP address to identify someone. Is this dumb? Maybe, but that is what is in the regulation.

I really would like to be wrong, unfortunately my interpretations of the law are usually correct.

Your interpretation is correct to the extent that what you seem to want to do would comply with GDPR. However, you definitely do not need consent for all personal to be collected/processed (which you seem to think) as that is just one of many lawful basis for collecting and processing personal data.

[tlem]

Hi tojag, I have some questions to ask you?

- Is your forum a professional, political, or associative forum?
- Do you collect information other than that collected by your phpBB forum?
- Do you market the information collected by your forum such as email addresses, IP addresses, personal information indicated by your members, etc ...
- Do you know the CNIL (National Commission of Computing and Freedoms), and do you credit what is issued by it?
- Can you read French documents?

[tojag]

GDPR doesn't differentiate between personal data that is made public or handled invisibly to the user (except in some minor ways like if a user puts his "sensitive" personal data in a post, so makes it explicitly public then you can "process" it, which otherwise would be forbidden). And GDPR considers everything personal data that could be used as a part of the puzzle to identify you. So while IP addresses don't really identify anyone, it could be the case that if you have other data, you could use that with the IP address to identify someone. Is this dumb? Maybe, but that is what is in the regulation.

That's what I constantly say Thanks for understanding this too. This is the definition of personal data in GDPR but probably not everyone understands it. Public or private it is no difference.

Hi tojag, I have some questions to ask you?

- Is your forum a professional, political, or associative forum?
- Do you collect information other than that collected by your phpBB forum?
- Do you market the information collected by your forum such as email addresses, IP addresses, personal information indicated by your members, etc ...
- Do you know the CNIL (National Commission of Computing and Freedoms), and do you credit what is issued by it?
- Can you read French documents?

No, I've read the GDPR in the original.
I created this topic to ask a few key questions. Read the first post. Most have been resolved, but question 3 remained: "Will it be able to keep posts after the user opt out of the forum?"
You seem to have forgotten what I was asking for, or completely going in another direction. My question remains open.
Your questions does not make sense in this context because we are all subject to this law.
Remember also that the existing law 95/46/EU applies for a week. The network is full of documents relating to the current (old) law. There are also many of them on the websites of the national supervisory authorities. Check if what you read concerns GDPR or current (old) law because now the interpretations are different.

[CHItA]

"Will it be able to keep posts after the user opt out of the forum?"

This was also already answered. Don't process them based on consent and then you don't have to (except on a case by case basis if the author requests it and the request is reasonable). If you process them based on consent then you probably have to remove the personal data from the posts and probably from quotes, replies, whatever else.

Also, please try to keep this a civilized discussion.

[tojag]

OK. In that case, my issues have been resolved.
Thank you all for participating in the discussion.

Since the set of questions from the first post has been exhausted, please close the thread.

[kinerity]

We don't close topics just because it was requested. Everyone is welcome to share their thoughts/ideas on the new law. As long as the discussion remains civilized, there's no need to put a lock on it.