GDPR and stuff
- Thread starter Ace Modder
- Start date
Associate
Article 4 defines personal data:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
So an online identifier, such as a forum name is included, and I suspect that Subject Access Requests would therefore include any information pertaining to that username. Only on day 3 of my training course though so may be mistaken.
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
So an online identifier, such as a forum name is included, and I suspect that Subject Access Requests would therefore include any information pertaining to that username. Only on day 3 of my training course though so may be mistaken.
Soldato
So if you ever forget your email address you could always message OC's to retrieve it 
Technically, the changes to the privacy policy don't need to be sent to you. Those emails asking if they can still email you are quite risky, because if they don't already have consent to email you, they can't send you an email asking if they can email you. The alternative, however, is that if they don't have your confirmed consent then they have to delete you, so many companies are taking the risk. If they have been super forward thinking and have been using your data for legitimate business interests and only market to people whose consent they have, then they don't need to email you about anything.
Caporegime
Giggidy
It's not just your name and address, your email address and even your IP address is considered Personally Identifying Information under EU rules. Its not just that we can request details of what you hold, it is also making sure that as an organisation you are taking the right steps and controls to protect this information.
Then there are vast amounts of personal information posted here by users. Peoples age, gender, sexuality, race, where they live are all available for some of us if you search hard enough and do the linking.
This legislation is about so much more than just "oh, we can't opt people in to emails without asking them".
Then there are vast amounts of personal information posted here by users. Peoples age, gender, sexuality, race, where they live are all available for some of us if you search hard enough and do the linking.
This legislation is about so much more than just "oh, we can't opt people in to emails without asking them".
Associate
Day 3!?
Our GDPR training was a 1 hour session, and I couldn't manage to go on it. Which explains why I seem to be taking the lead for our section
I was more referring to the forums. Which are full of personal data. It might not seem so, but if you pull together, disconnected posts from the same user you could build up a decent profile of someone.
If you are an IT person working with databases, you will be used to doing this. I assume hackers and social engineering would be even more skilled at it.
Permabanned
I think people will be able to request all information held about them. As that could be in any post I think OCUK will be unable to comply.
I think people will be able to request that all data on the forum about them be deleted. I think OCUK will be unable to comply.
There's also a question of how long posts should be stored on the forum for. The wrong answer is indefinitely. The right answer is probably 1 year.
Soldato
I dont think that's correct?
If you've given a company permission to email you then they are legitimately allowed to email you under the current rules. The rules around you giving permission are being tightened so after 25th May, they wont have the correct permission to email you.
They are allowed to contact you before that date (if you've previously given permission) and ask your permission to continue contacting you under the new rules.
I would have thought that given anything in posts is being placed into the public domain voluntarily by the user, OcUK won't have any obligations relating to that data.
Anything the forum is holding behind the scenes, be that emails or usernotes or whatever else that's personal to a user will be a different matter.
Associate
That would be my take on it too.
Soldato
Permabanned
Nah that's not really cleared up.
That caveat is about the right to processing. i.e. OCUK can store my data if I post it.
It's not about the right to erasure, aka the right to be forgotten.
Link: https://ico.org.uk/for-organisation...tion-gdpr/individual-rights/right-to-erasure/
That caveat is about the right to processing. i.e. OCUK can store my data if I post it.
It's not about the right to erasure, aka the right to be forgotten.
Link: https://ico.org.uk/for-organisation...tion-gdpr/individual-rights/right-to-erasure/
Soldato
What makes you think there will be any difficulties in deleting all of your data?
Permabanned
Because it's a tricky thing to do. For example I could post something and it could be quoted.
Happy for someone to settle it by saying "yes you can request your data be deleted and it works".
Soldato
If your post gets quoted by someone else that becomes their right to freedom of expression and you dont have the right for it to be deleted.