New GDPR (General Data Protection Regulation) and phpBB

maxrpg
Registered User
Posts: 66
Joined: Thu Jul 30, 2009 12:33 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by maxrpg » Tue Apr 17, 2018 8:22 pm

This is what I've come up with so far, which will hopefully cover what is needed and allow me to retain a user's content should they decide to be forgotten.
On the 25th of May 2018 the new GDPR will kick in and apply to all EU member states; this law replaces the current Data Protection law in the UK.
Although this law applies only to EU member states, it does apply to any individual whose data is used outside of the EU. Our site is a hobby/community forum where we neither sell nor profit from any of its content. The GDPR really only applies to businesses and organizations, which we are not, but this is a good opportunity for us to inform you about how we use your data in line with the GDPR and our own terms & conditions and user agreement.

For clarification purposes we use the terms ‘you’ and ‘your’ as being the person, member, user, individual, human being, Earthling reading the following information and all the following applies to you.

How your data is used
Your data (E-mail address, IP address(es), username) is used in combination with a ‘cookie’ to store data submitted to the site such as, but not limited to, posts, topics, chat, private messages, social updates, newsletters and contest entries. We identify these submissions as ‘content’.
A ‘cookie’ is required in order to use the site for the purposes of logging in, keeping you logged in and submitting content to the site. Without the use of a ‘cookie’ the site's content is read-only.

Your E-mail address is used for the purposes of registration verification, e-mail notifications and newsletters. Your e-mail address is entered by you at the point of registration and stored in our secure database in order to identify who you are when logging in and for the purposes mentioned above.

Your Username is used to identify who you are when logging in to the site through the use of a ‘cookie’ along with a unique encrypted password chosen by you at the point of registration. This is used to identify and indicate to other users that you are the individual who submitted content to the site.

Your IP Address(es) are also used to identify who you are when logging in to the site through the use of a ‘cookie’ and again to identify and indicate to other users that you are the individual who submitted content to the site.

Your IP Address(es) and Username are stored in our database at the point of content submission so we can identify that it is you who made the content submission. This includes, but is not limited to, private messages between you and other members, posts, topics and contests.

Your E-mail Address is also used to send you site activity notifications such as, but is not limited to; topic and post updates, receiving private messages, username and/or password recovery, newsletters, all of which are activated or deactivated via the use of your personal user control panel and you can opt-in or out of these notifications at any time.

Who has access to your data?
Your personal information, including but not limited to your E-mail address and IP Address(es), is stored securely in our database, which is accessible only by the site owner and administrators of our site. You have the ability to view and change your E-mail Address and Username from your personal user control panel.

Your IP Address(es) and Username are also visible to our site moderators, who may be required to change, alter, amend, append, remove or delete your content submissions should they violate our site terms and conditions. Should you be found to be violating our site terms and conditions, your IP Address(es) may be visible should the site owner, administrators or moderators feel that you should be banned or warned for the violation.

Other members of the site, including but not limited to guests and bots, will see your Username displayed in any and/or all content submissions made by you.

You are responsible for your own content submissions. Any personal, private or confidential information contained within those submissions is your responsibility, and you make those submissions of your own free will with the full understanding that the information contained within your submission is visible to any person(s) who visit, view or read the site content.

Consent to use your data
By registering an account, creating an account, you are agreeing to the site's terms and conditions as they currently stand at the time and date of your registration. When registering an account, creating an account, you ticked the appropriate box giving confirmation that you have read all of these terms and conditions and agree to them in their entirety.

By adjusting notification settings by opting-in, ticking the box, in your personal user control panel you are giving permission to receive the notifications specified by you. You opt-in, tick the boxes of your own free will and understand what they mean at the point of saving, submitting, locking in your chosen notification preferences.

Any content submissions made by you on the site are your responsibility and you make the submissions of your own free will. By submitting content to the site you are giving permission for that content to be, but not limited to; saved, displayed, shared, viewed, moderated, commented on, indexed, searchable.

You agree for all your content submissions to be stored securely in the site database and, with the exception of your personal, private, confidential information, your content submissions may be, but not limited to, used, retained and shared by the site owners, users, administrators, bots, moderators and search engines, and for promotional and informational purposes.

What's the 'right to be forgotten'?
Under various laws, legislation and the GDPR you have the right to request that ALL your personal data be deleted from the site. You can make such a request by contacting the site administrator at any time.

When your request to be forgotten and have your data deleted is received, processed and verified, your personal account and all associated information, including, but not limited to; your E-mail address, Username, Private messages will be deleted from our database permanently without the possibility of recovery.

All non-personal, non-private, non-confidential information such as, but not limited to, posts, topics, chat and social updates will be retained by the site. All of your content submissions, including but not limited to posts, topics, chat and social updates, will be anonymized so they cannot be tracked back to you.

Any content submissions made by you that contain any of your personal, private, confidential information were submitted to the site and made viewable, visible, public of your own free will. By doing so, the information contained within your submissions is no longer personal, private or confidential, and these content submissions will be retained and remain on site.

What if we suffer a data breach?
We, us, the site will always store your personal information securely in our database and will make every effort to ensure that it remains secure by, but not limited to; ensuring our database, software, is kept up-to-date, monitored, backed up and encrypted wherever possible.

In the event of a data breach we, us, the site will notify you at the earliest opportunity of the breach occurring and what data has been breached, how we are dealing with it and what steps we, us, the site are taking to ensure your data is secure.
Good/Bad? :?

GanstaZ
Registered User
Posts: 522
Joined: Wed Oct 11, 2017 10:29 pm
Location: Zverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ » Tue Apr 17, 2018 8:38 pm

What do you mean by this:
Any content submissions made by you that contain any of your personal, private, confidential information were submitted to the site and made viewable, visible, public of your own free will and by doing so the information contained within your submissions are no longer personal, private or confidential and these content submissions will be retained and remain on site.
Voting?)
"When answer lies in the question,.. question becomes redundant!"

maxrpg
Registered User
Posts: 66
Joined: Thu Jul 30, 2009 12:33 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by maxrpg » Tue Apr 17, 2018 8:53 pm

GanstaZ wrote:
Tue Apr 17, 2018 8:38 pm
What do you mean by this:
Any content submissions made by you that contain any of your personal, private, confidential information were submitted to the site and made viewable, visible, public of your own free will and by doing so the information contained within your submissions are no longer personal, private or confidential and these content submissions will be retained and remain on site.
Voting?)
If a member makes a post and for example puts their email address, real name, address or age etc. in the post then that is their choice as they know the posts are publicly viewable so technically it is no longer private/confidential because they've knowingly and willingly made it public themselves.

I have an ingrowing toenail which only I know about...but now you and anyone else who reads this knows about it because I've just said it knowing that anyone can read it. It's no longer private :? lol

GanstaZ
Registered User
Posts: 522
Joined: Wed Oct 11, 2017 10:29 pm
Location: Zverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ » Tue Apr 17, 2018 8:56 pm

Smells like fb).. Well, what you posted above may need some edits, but as I see it, it's not bad.
"When answer lies in the question,.. question becomes redundant!"

3Di
Registered User
Posts: 12943
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by 3Di » Tue Apr 17, 2018 9:02 pm

What is posted in private forums should not be considered public, though.
Want to compensate me for my interest? Donate
Please PM me only to request paid works. Thx.
Extensions, Scripts, MOD porting, Update/Upgrades
My development's activity º PhpStorm's proud user

tojag
Registered User
Posts: 336
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Apr 17, 2018 9:03 pm

Pretty good. Except for this:
maxrpg wrote:
Tue Apr 17, 2018 8:22 pm
Any content submissions made by you that contain any of your personal, private, confidential information were submitted to the site and made viewable, visible, public of your own free will and by doing so the information contained within your submissions are no longer personal, private or confidential and these content submissions will be retained and remain on site.
Even if the data is public, it may still be personal data that identifies a specific natural person. For example, the address of residence given in the post, telephone number, e-mail, etc. On my forum I often see that users post such data in posts, although I warn against this. It is a matter of awareness, which was one of the goals of GDPR. Unfortunately for us owners/admins :(
So I'm still looking for a way to keep posts of deleted users. The only thing that comes to my mind is to delete posts containing personal data on a regular basis by moderators.

Edit:
The problem of the right to be forgotten is that it concerns just the publicly available data. That's what applies to them! That's why Google deletes publicly available data from search results.
I know, this is stupid, very stupid.

Lumpy Burgertushie
Registered User
Posts: 65022
Joined: Mon May 02, 2005 3:11 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Lumpy Burgertushie » Tue Apr 17, 2018 9:09 pm

I agree with the above: if you post it in a public forum then you lose the right to call it private information.
What happened to personal responsibility for your actions?

If you are not smart enough to understand that posting in a public forum makes your info public, then it is not the forum owner's job to save you from yourself. It is also not the government's job to save you from yourself.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

tojag
Registered User
Posts: 336
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Apr 17, 2018 9:48 pm

I wrote it many times: GDPR is not about public or private data, but about personal data that can identify a specific natural person. Personal data may be private, hidden, but also public.
I cannot write in the forum regulations: "if you enter your address or email in the posts, you are stupid and even the government will not protect you."
The right to be forgotten was invented, among other things, for such cases.
You can pin an advertisement on a board: "Car for sale. My address is xxxxx, phone 123456. Greg".
Can you take this notice off when you no longer want it to be available? You can. On this principle, the right to be forgotten arose.

Lumpy Burgertushie
Registered User
Posts: 65022
Joined: Mon May 02, 2005 3:11 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Lumpy Burgertushie » Tue Apr 17, 2018 10:02 pm

In your example, the person who put that info in the public domain should and does have the right to go back and either delete it or ask the board owner to delete it for them.

However, it is not/should not be the board owner's responsibility; it should be the poster's responsibility to take care of their own personal info.

And it is about private or public information. Anything posted on a blog/board etc. that is open to the public becomes public information. If the person does not want something to be public, DO NOT POST IT in a public forum etc. Heck, DO NOT POST IT anywhere online if you do not want it to become publicly available.

It is really very simple and is just common sense to most people.
Governments forcing board owners to have to be responsible for their posters being stupid is just plain stupid.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

AmigoJack
Registered User
Posts: 5332
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by AmigoJack » Wed Apr 18, 2018 7:51 am

maxrpg wrote:
Tue Apr 17, 2018 8:22 pm
Who has access to your data?
Your personal information including, but not limited to; E-mail address, IP Address(s) are stored securely in our database is accessible only by the site owner and administrators of our site.
(At least the word "which" is missing here.) No, your database is effectively accessible to everyone who uses a software which, in return, accesses the database. Just one bug/hole in phpBB can be enough and the whole content of the database could be crawled. Hence the word "securely" is misleading, if not wrong. Instead of making promises you can't keep, you'd better point out that there's no automated transmission of the data, and no other service accesses the data.

maxrpg wrote:
Tue Apr 17, 2018 8:22 pm
What if we suffer a data breach?
We, us, the site will always store your personal information securely in our database and will make every effort to ensure that it remains secure by, but not limited to; ensuring our database, software, is kept up-to-date, monitored, backed up and encrypted wherever possible.
Nowadays it is possible to encrypt the DBMS, but are you really doing that? Also if your server automatically creates database backups, does it use encryption to store them?

Lumpy Burgertushie wrote:
Tue Apr 17, 2018 10:02 pm
anything posted on blog/board etc. that is open to the public becomes public information. if the person does not want something to be public DO NOT POST IT in a public forum etc. heck, DO NOT POST IT anywhere online if you do not want it to become publicly available.
No: even using a software offline won't protect me from accidentally making it available to others. GDPR aims at protection by design: if the data (being offline) were stored encrypted to begin with, then anyone breaking into my house and accessing that storage device (thieves, house owner, police...) should not be able to make use of what they get. And back from this hopefully rare case to the real world: sometimes you're forced to use an online service (crappy or nonexistent phone support, no realtime communication possible, too much/detailed data to communicate it via audio, visiting the USA...) and then you want the input you made to be effectively accessible to as few people as possible. Not by enforcing access restrictions to otherwise plaintext data, but by using encryption which makes it irrelevant who has access to the data.
The worst thing about censorship is ███████████

maxrpg
Registered User
Posts: 66
Joined: Thu Jul 30, 2009 12:33 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by maxrpg » Wed Apr 18, 2018 8:19 am

I don't think keeping users' posts when their account is deleted is an issue, because their username, email address etc. are no longer associated with them.

The problem lies in whether or not that specific user has disclosed personal information within any of those posts, because it would be incredibly difficult to wade through all their posts just to remove a piece of personal data and keep the rest. You could create a script to automatically go through their posts and detect/delete email addresses within posts, but if they've added their home address or age etc. then it becomes a problem, because those are not easy to detect.

Even then you have another issue of other users quoting posts that contain personal information or copying a specific piece of information and including it in their post...in this case it would be ridiculous to even try to remove them all.

The GDPR says your site must have a tick box for users to tick off that they have read and agree to your terms and conditions, so having a term within your conditions stating that if the user posts personal information on the site that they know and understand that the information is made public should cover you when it comes to retaining their posts. If a user posts personal information knowing full well it will be made public, by definition, it is no longer personal.

If someone asks to be forgotten then deleting their account is simple, and you can keep their posts as long as they are made anonymous with nothing that can identify that user as being the one who posted it. If having it in your T&Cs is not good enough then I guess, as someone mentioned above, the only way to ensure users' posts don't contain any personal information is by deleting/editing them as and when they are posted.

This is a tough one.

tojag
Registered User
Posts: 336
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Wed Apr 18, 2018 9:17 am

maxrpg wrote:
Wed Apr 18, 2018 8:19 am
The GDPR says your site must have a tick box for users to tick off that they have read and agree to your terms and conditions, so having a term within your conditions stating that if the user posts personal information on the site that they know and understand that the information is made public should cover you when it comes to retaining their posts. If a user posts personal information knowing full well it will be made public, by definition, it is no longer personal.
No. It is not private, but it can be personal according to GDPR, and the user can request the deletion of this data so as to be no longer identifiable.
I still think that you are confusing the concept of public data and private data with the definition of personal data according to GDPR. This definition has nothing to do with privacy but with the possibility of identifying a specific natural person based on this data. Below is part of the GDPR:
GDPR wrote:
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
Even pseudonymous data cannot be considered unidentifiable. Therefore, you cannot leave the nickname of the person who deleted the account, because by entering this nickname into the phpBB search engine you can extract all the posts of that person. These posts may contain various information on the basis of which a profile can be created and a specific natural person identified, especially when someone explicitly provides identification in the posts. Personally, I change the user being removed to anonymous and then delete the account.
maxrpg wrote:
Wed Apr 18, 2018 8:19 am
If someone asks to be forgotten then deleting their account is simple and you can keep their posts as long as they are made anonymous with nothing that can identify that user as being the one who posted it. If having it in your T&Cs is not good enough then I guess, as someone mentioned above, the only way to ensure users posts don't contain any personal information is by deleting/editing them as and when they are posted.
This is true. Therefore I am looking for a possibility to keep posts, but for now I don't see any other way than the one above.
The safest thing for administrators is to let users delete posts. But it can be a huge loss in the content of the website :(
That is why Google has fought for a long time with the EU for the right to display everything in the search results, but it has given way.
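Worked example, added here by the editor and not taken from any post in this thread: a script that does what tojag describes (detach a leaving member's posts from their account rather than keep the nickname) and what maxrpg suggests (mechanically strip e-mail addresses), then checks which other posts still carry the data. It assumes phpBB's `phpbb_posts` column names (`poster_id`, `poster_ip`, `post_username`, `post_text`) and phpBB's guest user id 1; the sample rows, the `redact_emails`, `anonymise_user_posts`, `residual_mentions` and `update_statements` helpers and the table prefix are the example's own.

```python
import re
from typing import Dict, List, Tuple

# phpBB's built-in guest account has user_id 1 (phpBB's ANONYMOUS constant).
ANONYMOUS = 1

# Constructed sample rows shaped like phpBB's phpbb_posts table. The column names
# are phpBB's; ids, IPs and text are made up for this example.
SAMPLE_POSTS: List[Dict] = [
    {"post_id": 10, "poster_id": 42, "poster_ip": "203.0.113.5", "post_username": "",
     "post_text": "Car for sale. Mail me at greg@example.org, phone 123456. Greg"},
    {"post_id": 11, "poster_id": 42, "poster_ip": "203.0.113.5", "post_username": "",
     "post_text": "Bump, still for sale."},
    {"post_id": 12, "poster_id": 7, "poster_ip": "198.51.100.9", "post_username": "",
     "post_text": "[quote=Greg]Mail me at greg@example.org[/quote] Mail sent!"},
]

# Only e-mail addresses are easy to recognise mechanically. The phone number, name
# and any postal address in post 10 are left untouched, which is the gap the thread
# points out: a regex pass is not a substitute for a moderator reading the post.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "[e-mail removed]"


def redact_emails(text: str) -> str:
    """Replace anything that looks like an e-mail address."""
    return EMAIL_RE.sub(REDACTED, text)


def anonymise_user_posts(posts: List[Dict], user_id: int) -> List[Dict]:
    """Return copies of `posts` with every post by `user_id` detached from them.

    poster_id moves to the guest account, post_username is blanked (not set to the
    old nickname, which would keep the posts findable through search under that
    name), poster_ip is cleared and e-mail addresses in the text are redacted.
    The input list is not modified.
    """
    out = []
    for row in posts:
        new = dict(row)
        if row["poster_id"] == user_id:
            new["poster_id"] = ANONYMOUS
            new["post_username"] = ""
            new["poster_ip"] = ""
            new["post_text"] = redact_emails(row["post_text"])
        out.append(new)
    return out


def residual_mentions(posts: List[Dict], needle: str) -> List[int]:
    """post_ids of posts that still contain `needle`.

    Quotes and copies made by other members are not touched by
    anonymise_user_posts, so run this before telling the requester the data is
    gone; the hits are what a moderator still has to edit by hand.
    """
    return [p["post_id"] for p in posts if needle in p["post_text"]]


def update_statements(posts: List[Dict], user_id: int,
                      prefix: str = "phpbb_") -> List[Tuple[str, tuple]]:
    """Parameterised UPDATEs for the rows anonymise_user_posts would change.

    Hypothetical helper for a '?' placeholder driver; `prefix` is the site's table
    prefix. Note phpBB stores BBCode markers and other derived columns next to
    post_text, so rewriting post_text directly is a simplification.
    """
    sql = (f"UPDATE {prefix}posts SET poster_id = ?, post_username = '', "
           f"poster_ip = '', post_text = ? WHERE post_id = ? AND poster_id = ?")
    return [(sql, (ANONYMOUS, redact_emails(p["post_text"]), p["post_id"], user_id))
            for p in posts if p["poster_id"] == user_id]
```

Running `residual_mentions` on the anonymised sample still returns post 12, the other member's quote, which is the case maxrpg says cannot be cleaned up automatically.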

andrewilley
Registered User
Posts: 106
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley » Wed Apr 18, 2018 10:46 am

tojag wrote:
Tue Apr 17, 2018 9:48 pm
You can pin the advertisement on a board - "Car for sale. My address is xxxxx, phone 123456. Greg".
Can you take this notice off when you no longer want it to be available? You can. On this principle, the right to be forgotten arose.
I thought the current "right to be forgotten" (stupid isn't it - and yes very Orwellian; Ministry of Truth or what?) applied to search engines returning personal content results, not to the actual original online content itself. For example, if a newspaper or public court transcript truthfully reports on some actual event which involved a person, that person's "right to be forgotten" does not apply to redacting the online newspaper article itself, but to Google/etc not being allowed to return that content if someone searches for it. Removing the actual original content would require different legislation (libel, defamation, etc). I could be wrong, but that's how it seems here in the UK anyway. Presumably the new GDPR goes further?

Andre
--- Admin of www.portorleans.org

tojag
Registered User
Posts: 336
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Wed Apr 18, 2018 12:09 pm

Look into Article 17 Right to erasure (‘right to be forgotten’) of GDPR. This applies to all data controllers, not just search engines.
According to GDPR, you can store data only with the consent of the person it refers to (unless you can do so on the basis of other grounds). If the consent is revoked (account on the forum removed) you have no grounds to keep such data in your database. You will delete the profile, but you want to keep the posts; but what if they contain personal data? Because you do not have permission anymore.

I have to write a very good rule about the prohibition of placing personal data in posts. And what about attachments? Are they removed when the account is being closed? If the attachment contained a photo of the user, it is his image, which is treated as personal data. Of course, the user can delete the attachment himself, but what if something is overlooked?

Information on convictions is a special category of personal data treated in a special way by GDPR. Look into Article 10.

zorni
Registered User
Posts: 119
Joined: Mon Mar 23, 2009 10:29 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by zorni » Wed Apr 18, 2018 12:33 pm

Btw in the UK the upcoming Data Protection Bill is nearly the same as the GDPR. Just with some minor changes.
