If a person decides to post 'personal information' on your forum, that is his decision which he has made knowing it will be seen by everyone. It has nothing to do with the personal data YOU have collected about him. You didn't collect it did you?
If a person decides to post 'personal information' on your forum, that is his decision which he has made knowing it will be seen by everyone. It has nothing to do with the personal data YOU have collected about him. You didn't collect it did you?
Consent can only be revoked if you collected data based on consent. If you collect posts and attachments etc based on your (or someone else's) legitimate interest (e.g. the integrity of discussion, your users interest to be able to discuss a topic or access some information) then they have no right to be forgotten. Legitimate means "reasonable" or "not unjustified" and not "according to law". So I would keep usernames and posts and attachments, and give the user the option to delete their account with all their profile fields, IPs etc. The only thing that GDPR requires is that you describe in your privacy whatever that you collect what data based on consent and what data based on other basis.tojag wrote: ↑Wed May 16, 2018 6:10 pm Yes, I collect data in posts. You do it on your own forum too. GDPR is not limited to private data but applies to all personal data, even those disclosed to the public. This is what the GDPR is for anyone who has previously agreed to the publication so that he can later withdraw it and delete the data. I thought that by deleting user contact details I will anonymize posts, but now I am thinking about these attachments, photos and links.
All big players allow you to delete user content. I do not think it will bypass the forums.
I would like to be wrong.
Or you specify on what other bases you collect the data. There is nothing in GDPR that would require you to collect posts based on consent and not any other bases that are specified in GDPR. You can choose whatever bases for collecting data you just have to be able to back it up.
Read the last 5 words. Now read them again.Personal data
- The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
- This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
So, in theory this can be utilised for post content, and thus:It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
In the case of the forum, there are legitimate interests to continue in many cases. My read of this is forum owners have to use best judgement on a case by case basis.you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
There are exceptions to the right to be forgotten. If a post contains personal data, and you collect posts based on legitimate interest you have the right to refuse to remove that said personal data. In this case the only thing that GDPR actually says is that you evaluated that the your legitimate reason (e.g. the integrity of your content, your users right to get informed etc.) is more important then the person's interest to have that data removed. That is what the regulation says.tojag wrote: ↑Fri May 18, 2018 12:21 pm If someone requests you to delete your account and personal information, then you have no choice. This person does not have to indicate posts containing personal data. All he has to do is make a request. According to GDPR, someone can ask you what personal data belong to him, you have as administrator. If you give him only private data from the profile and in the posts will be still public personal data, which you also keep on your server, You must also provide this data. Therefore, it is safe to provide a link to posts as possible places where personal data is available. But then you also have to delete these posts with the account being deleted. It is simple and logical.
The only possibility is the anonymisation of posts - username and all data in posts that can point to a specific phisical figure including photos and links (because they can lead to profiles on other websites). But that means a lot of work on a deleted account if there are a lot of posts.
However, I see no other way to keep posts.
This is true in part. the IP address is personal data collected, but the text of a message is not.On the forum you always collect data in posts based on consent which the user expressed by accepting the rules of the forms. Forum regulations are a contract. However, each contract can be canceled.
Pretty much exactly this. There's such a thing as common sense. Am I gonna trash some users account just because he wants it deleted? No. Will I delete/modify/redact a post where he put a phone number for someone to contact him? Sure. But, again. We don't need laws to tell us that.CHItA wrote: ↑Fri May 18, 2018 11:06 pm Now, if the user has a good reason to have something removed is reasonable, I would assume that any administrator would remove it regardless of the regulations and laws. In a community that I believe most our users would want to create this would be a no-brainer. What this means is that most of you would just have to continue what they do anyways.