News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

SMF & GDPR Personally Identifiable Information

Started by kitz, April 11, 2018, 01:35:54 PM

Previous topic - Next topic

LiroyvH

#20
I'll reply to this thread with a bit more details later (lack o' time now), all I will say now is that we (SM) are looking in to GDPR and once the advisory report (with the help of our legal representation) is ready for submission to and review by the SMF team, SMF may potentially end-up making tools available to make compliance easier for our users. (Unlikely that such a thing will be available before the 25th though.)


I'm now replying from a personal view and for discussion sake. The content of this post does not (necessarily) represent the ideas or interpretations of GPDR by Simple Machines, and as always: if you want to be sure you're in compliance or want to know if you even have to comply: call a lawyer, they're the ones that will truly know and can judge your situation best... Hopefully. :P


Quote
We are a family friendly forum and age is of no consequence

Actually, I believe it *is* of consequence to some extent.
Quote
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

So it would appear that you at least need to store that someone said they were 16. And if they said no, you either have to decline access or ask for parental consent. If you ask for parental consent, it seems that you need to make an effort to verify that someone indeed gave consent and was authorised to do so.
Quote
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Which is why Microsoft for example is now demanding $0.50 USD credit card payments from the consenting parent to verify it's them.
It's why WhatsApp will simply be asking if they're 16 or not rather than getting consent and declines if below 16. (Shifts responsibility; the child lying about age is already one point behind on WhatsApp in any argument, should one arise.)



Quote
But that still refers to companies....what about the wee tiny small forum owner not doing business with anyone, just sittin around chattin.

Good question. That's a tricky one. Note that having ads or a paid subs will likely automagically need you to comply as I bet that makes it commercial. Donations are perhaps a gray area;
Quote
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

petb

Thanks a lot I appreciate that.
It would be really nice if the German SMF Admins are helped here by SMF site.

Very helpful would be e.g. the possibility to deactivate "all" unwanted profile fields, including date of birth, etc., just all the fields that are not necessary for the use of the forum.

In my opinion, only the login details (login name and password) or perhaps the email address if used for verification are necessary.

Also, there is currently no way for users to request a renewed consent to the terms of use and to save this consent.
That would also be very helpful.

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

petb

#23
Great, thank you.  :)

Another Point is the cookie information.
Any hint about this?

Bigguy

QuoteGood question. That's a tricky one. Note that having ads or a paid subs will likely automagically need you to comply as I bet that makes it commercial. Donations are perhaps a gray area;

Well there won't be any of that on my site but I guess to be safe I should comply with it as best I can. Thanks for the info.

vbgamer45

I am planning to do a plugin that will address a couple of the GDPR issues.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Bigguy


petb


Conay

#28
For our forum we updated the ToS (though I'm not sure the 'User Agreement Update' mod works on my forum) in order to detail stuff about GDPR, and released this statement:

QuoteAs our service provider is based in the UK and we serve individuals within the European Union (including, for now, the UK), we will, from 25 May 2018, be bound by the General Data Protection Regulations (GDPR, Regulation (EU) 2016/679 [nofollow]). The GDPR will apply to [site] as a Data Controller.

Our lawful basis for processing data is consent. All users are required to agree to terms and conditions prior to registering for the forum, and we provide an EU cookie notice at the first contact.

Following the GDPR, each individual has the right to: be informed, access, rectification, erasure, restricted processing, data portability and object. This post will outline how we intend to allow members to exercise their rights under this Regulation.

Quote from: Your rightsThe right to be informed

The right to be informed encompasses our obligation to provide 'fair processing information', typically through a privacy notice. It emphasises the need for transparency over how we use personal data.

In terms of personal data, the only data we collect is data in which you supply, with the exception of your IP address, hostname and your most recent click. As we are an anonymous forum, little personal data is collected and we do not require you to provide any additional personal data, with the exception of your email address. We also collect your IP address/hostname (in the event of a ban needing to be placed on your account, for the purposes of dealing with hacking, and if we are required to contact your ISP), and your username (for post identification). Further, the forum automatically uses a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

Any formal requests should be made to [email]. All emails must come form the email associated with your account.

The right of access

The right of access means you have the right to: confirmation that their data is being processed and access to your personal data.

Your data is being processed. All data we have is accessible via your profile. If you want us to provide you with additional information (such as your IP address), then please use the contact email above.

The right to rectification

This gives you the right to have your personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.

The right to erase

The right to erasure is also known as 'the right to be forgotten'. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). Posts can be individually deleted, and can be deleted en masse. A full deletion requires a request being sent to the email above.

The right to restrict processing

You have a right to 'block' or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it.

Our data processing is as restricted as possible. Processing generally requires you to act on our website, therefore not using the website will cease such processing.

The right to data portability

This allows you to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Ultimately all posts you make, unless made in a restricted forum where you have lost access, and other information you provide are all accessible. If you wish for us to send you the data we hold, a request should be made to the email above.

The right to object

You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling), and processing for purposes of scientific/historical research and statistics.

We do not generally process data for these purposes.

More information on your rights can be found here [nofollow].

Data breaches

In accordance with GDPR, if we become aware of a data breach, we are obliged, within 72 hours, to notify any users involved. As we do not believe such a breach would result in a risk to the rights and freedoms of individuals, breaches will not be reported to the supervisory authority.

Children

The GDPR contains new provisions intended to enhance the protection of children's personal data. As we do not identify individual's beyond their IP address, username and email address, we do not believe any action is required.

Other provisions

As our data processing does not possess a high risk to the rights and freedoms of individuals, we are not required to undertake a Data Protection Impact Assessment (DPIA), nor are we required to appoint a Data Protection Officer (DPO). We reserve the right to reveal information we hold about you (or any other related information collected on this service) in the event of a formal complaint or legal action arising from any situation caused by your use of this forum, in accordance with the laws of the United Kingdom.

We will consider on an ongoing basis all other requirements.

It would be really useful for SMF to make some small adjustments (i.e. allowing users to anonymise their posts when they delete their account), but I'm honestly not sure beyond that if there's much that can be done - though the default ToS should be updated, too

Our updated ToS (we reduced the size of the existing ToS and added the following at the end):
QuoteData Protection

You have the right to: be informed, access, rectify, erase, restrict processing, data portability and object. Details on your rights, in a accordance with the EU General Data Protection Regulations, can be found [link to above statement].

The only data we collect is data in which you supply, with the exception of your IP address, hostname and your most recent click. As we are an anonymous forum, little personal data is collected and we do not require you to provide any additional personal data, with the exception of your email address. We also collect your IP address/hostname (in the event of a ban needing to be placed on your account, for the purposes of dealing with hacking, and if we are required to contact your ISP), and your username (for post identification). Further, the forum automatically uses a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

We reserve the right to reveal information we hold about you (or any other related information collected on this service) in the event of a formal complaint or legal action arising from any situation caused by your use of this forum, in accordance with the laws of the United Kingdom. In accordance with GDPR, if we become aware of a data breach, we are obliged, within 72 hours, to notify any users involved.

LiroyvH

@Conay
Anonimising postcontent is pretty much impossible to automate.
You can change the username, but if someone ends their post with "regards, - full name": tough luck.
However, it appears that post content may not be subject to the right to be forgotten persuant Article 17, notably sectio 3. relevant quotes:
Quote
Paragraphs 1 and 2 shall not apply to the extent that processing
is necessary:
for exercising the right of freedom of expression and information;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Conay

Quote from: CoreISP on April 26, 2018, 07:40:20 PM
@Conay
Anonimising postcontent is pretty much impossible to automate.
You can change the username, but if someone ends their post with "regards, - full name": tough luck.
However, it appears that post content may not be subject to the right to be forgotten persuant Article 17, notably sectio 3. relevant quotes:
Quote
Paragraphs 1 and 2 shall not apply to the extent that processing
is necessary:
for exercising the right of freedom of expression and information;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing

Perhaps the exemption applies, but to offer the option to anonymise usernames (i.e. switch their username to 'Deleted user #X') along with a warning in the description that any identifiable information in posts themselves won't be deleted would be helpful.

LiroyvH

Technically that's possible already by first changing their username before deleting the account.
It's an extra step as of right now, but not super difficult.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

drewactual

of interest or maybe not... I keep getting emails from googs, as i'm sure most of y'all with analytics kickin' on your pages have also...

they don't seem to have much concern about sites that don't cater to Europe or Switzerland, going as far as to state ".... if you're not doing business with EU or Switzerland, you can ignore the remainder of this message."

it seems to me after several notices of changes in their product due to the GDPR, 'they' aren't concerned unless you're expressly doing 'business' inside the EU's (and Switzerland- don't forget Switzerland!!! googs certainly doesn't) jurisdiction.

Bigguy



Bigguy


vbgamer45

GPDR Helper For SMF 2.0.x

Warning does not guarantee GPDR compliance. No warranty provided.

Includes:
Allows member to export their data. Their profile and post information
On member deletion clears IP address and email from posts and assigns a new username to all old posts.
Includes a privacy policy page, adds link in the footer e and adds a section for consent on registration
Stores the date/time that the privacy policy was changed and option to force to reagree
Stores the date/time that the registration agreement was changed and option to force to reagree
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

@rjen

Quote from: vbgamer45 on April 29, 2018, 03:41:30 PM
GPDR Helper For SMF 2.0.x

Warning does not guarantee GPDR compliance. No warranty provided.

Includes:
Allows member to export their data. Their profile and post information
On member deletion clears IP address and email from posts and assigns a new username to all old posts.
Includes a privacy policy page, adds link in the footer e and adds a section for consent on registration
Stores the date/time that the privacy policy was changed and option to force to reagree
Stores the date/time that the registration agreement was changed and option to force to reagree

Thanks!

Would it be possible to also include custom profile fields in teh export from the profile?
Running SMF 2.1 with latest TinyPortal at www.fjr-club.nl

vbgamer45

Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

@rjen

A user cannot decline the updated agreements.
I would suggest decline option added results in the user be logged off immediately
Running SMF 2.1 with latest TinyPortal at www.fjr-club.nl

Advertisement: