GDPR Breach - Website ignoring my "stop processing my data" request.........

[coffeerequired]

Withdrew consent for a website to use some articles I contributed as I disagreed with some things they did later on. 

I asked them to remove the material, and they completely ignored it. According to the ICO website regarding the "right to erasure" they should have removed it straightaway, no? How do I sort it out? ICO?

[dx100uk]

thats not how it works no.

was this a public website whereby anyone could freely contribute after registering?

dx

[coffeerequired]

Sorry, not sure what you mean by that exactly. It was a community group website to oppose certain local developments. Anyone who was in the group could write articles there. 

 

[dx100uk]

then sadly theres not a lot you can do about it.

thats not what the right to erase is there for.... read things properly.

its not personal data

Right to erasure | ICO

dx

[coffeerequired]

It seems to be "personal data". 

What is personal data? | ICO

I looked also at what reasons they could refuse my request.

The closest I found they could use as an excuse is if they have legitimate reasons to still retain or process the data but, that looks unlikely.

Even though I left long ago, they still use quotes from my articles in recent pieces they publish on the website and social media and full articles remain on the website.

[honeybee13]

What personal data of yours do you think is in the articles please?

HB

[dx100uk]

all they might be ever made to do, is as we do here, which is remove the 'username' but the article itself is not personal data 'just' because you wrote it.

it will still remain but with no identification as to whom wrote it.

dx

 

 

[coffeerequired]

That's part of what I'm trying to nail down.

Going by this definition from the ICO website - 

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);

an identifiable natural person is one who can be identified, directly or indirectly,

in particular by reference to an identifier such as

a name,

an identification number,

location data,

an online identifier

or to one or more factors specific to the

physical,

physiological,

genetic,

mental,

economic,

cultural or

social identity of that natural person”.

Some have my full name attached. - Some do not.

Many are articles I wrote that are minutes of meetings but, they contain quite a bit personal analysis as it relates to the community and also as it relates to my personal circumstances in the community.

Also, some without my name relate to me and I could be identified from the contents of the article. 

Although many articles I wrote are published without my name and shows the group's name (pseudonymisation) as the author, many of them still contain identifiable information/data within the articles that relates to me which still makes it personal data.

"Pseudonymising personal data can reduce the risks to the data subjects and help you meet your data protection obligations.

However, pseudonymisation is effectively only a security measure.

It does not change the status of the data as personal data.

Recital 26 makes it clear that pseudonymised personal data remains personal data and within the scope of the UK GDPR."

What is personal data? | ICO

I might not be so miffed but, they continue to use quotes from my articles in their website documents & items on social media that contain my personal data.

I want them also to stop processing/using it.

[dx100uk]

it's a very gray area whereby you freely provided said website with what you have above.

why not ask the ICO directly about this?

they have a portal you can post on.

dx

 

[coffeerequired]

Thanks.

Good idea.

Whereabouts is the portal? 

From what I've gleaned, I don't really think whether its been "freely provided" creates any issue over whether its "personal data" or not.

Ie. Health information given in a GP's medical history questionnaire is "freely provided" but, doesn't make it exempt from being considered as "personal data".

I just don't see anywhere where there is a distinction between "freely provided" or otherwise?

[dx100uk]

just type no need to keep hitting quote...

Advice services for members of the public | ICO

data given to your GP is already deemed confidential to the NHS system before you give it. no comparison to your situation.

If you simplify your issue, it's one which could be likened to 'buyers regret'.

at the time you believed in 'the product' and left a favourable review, but later found it was a chocolate teapot, but the site still uses your 'review' that you'd left and you don't like it being further used to enhance their sales or good product standing.

the issue of they carry/reuse articles that specifically have information that directly identifies 'you' is another totally separate matter,

Out of the two -

i would suspect the ICO will advise you upon how to properly request the site removes ALL information that directly identifies 'you' and they must thus do so. should they fail, then the ICO will give them a rather server kick to do it, if they don't.

however, the two might well 'cross' and the site latterly finds it's easier to simply remove all your content and not use it going fwd. rather than editing every 'post'

HTH

dx

 

[coffeerequired]

Good call. I've already assessed a few articles. (About 35 of them) Some of them, I think ICO would say you need to erase all info that relates and is identifiable to the author but, the rest of the article can remain but, many of the articles, the whole lot needs to go. I don't think it needs to be "directly identifying" though. See here even if "anonymised": 

What about anonymised data?

The UK GDPR does not apply to personal data that has been anonymised. Recital 26 explains that:

“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

This means that personal data that has been anonymised is not subject to the UK GDPR. Anonymisation can therefore be a method of limiting your risk and a benefit to data subjects too. Anonymising data wherever possible is therefore encouraged. 

 

However, you should exercise caution when attempting to anonymise personal data. Organisations frequently refer to personal data sets as having been ‘anonymised’ when, in fact, this is not the case. You should therefore ensure that any treatments or approaches you take truly anonymise personal data. There is a clear risk that you may disregard the terms of the UK GDPR in the mistaken belief that you are not processing personal data.

In order to be truly anonymised under the UK GDPR, you must strip personal data of sufficient elements that mean the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will have merely been pseudonymised. This means that despite your attempt at anonymisation you will continue to be processing personal data.    

You should also note that when you do anonymise personal data, you are still processing the data at that point."

 

What is personal data?

ICO.ORG.UK

Going by this I think I can recognise what is reasonable to request via right of erasure, no?

If they want to keep the non-identifiable info that doesn't specifically relate to me they can but, otherwise, not. Seem a correct assumption?

 

 

[coffeerequired]

I've had more of a look into this. Its nothing to do with or akin to "buyer's regret". Its clear in the GDPR articles.

There are 6 categories of "lawful basis" for processing. Contract, consent, vital interest, legitimate interest, legal obligation or public task. 

Right of erasure applies to personal data processed on the lawful basis of consent which is what you called "freely given". 

Article 7 (Conditions of consent). 

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Further, in Article 17 (Right to erasure) controller is obligated to erase personal data upon request by the data subject without undue delay.

Article 17. 1(b) if the data subject withdraws consent. 

Not only that, but, it goes further and states at 2.

"Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data."

https://www.legislation.gov.uk/eur/2016/679/article/17

Its fairly clear cut. Personal data "freely given" in any way, shape, or form is by consent & that consent can be withdrawn at any time & data subjects personal data must be erased without undue delay by the data controller.  

They've been asked twice to remove it & by not complying they've breached the DPA & GDPR. 

Looks like I have recourse to report to ICO and apply to get a court order if they continue not to comply plus compensation if I can prove material or non-material damages. 

The cheeky gits are using my personal data for SEO purposes too. 

ICO & Letter before action time then I guess.

[coffeerequired]

Check your email Admin.

[köszönöm]

Yea, check your email Admin.

[coffeerequired]

Anyone who missed what was going on here... The purpose of this thread here was to give a demonstration of how ignorant the admin & moderators here are re the GDPR & the DPA 2018.

Absolutely stunning to me that the folk running this forum are 100% clueless about the GDPR & DPA and have the gall to be giving anyone "advice" on it & are even arrogant about their professed & demonstrated ignorance of it.

Other people elsewhere online even recommend folk come here for advice about their rights which is how I initially came upon it but, realised quickly they've not a clue.

They've not a clue what "personal data' is as demonstrated above.

They've not a clue about the "right to erasure" either - also demonstrated above.

They don't realise I've already made enquiries into their position, including what is written in the "forum rules" re "right to erasure" (right to be forgotten) but, I have.

Look at their own privacy notice on this forum, another good example, here's what they've got to say about children:

"CHILDREN
The Consumer Forums does not
differentiate between adults and
children in relation to its data use
policy, and the same safeguards are 
applied regardless of age. However
we remind parents to be vigilant over
their children's use of the Internet, and
if they have any concerns 
about the Consumer Forums.."

The GDPR says exactly the opposite of what is written in their privacy notice on this forum. Children are given special protections in the GDPR - Recital 38.

Yet the people running this public forum believe they can just make up their own rules & completely disregard the rights of the users of this forum including the reckless disregard of special protections of children's data.

If you've come here for help in the past and have found they will not delete your personal data when requested (note: it does not matter if you use a username/online identifier, if the info relates to you and you can be identified by the data by any means its "personal data") - know that they've either lied or at minimum misrepresented the truth to you when they said they do not & cannot delete your personal data.

What does the ICO have to say about it?

It states clearly on their website, easy to find for anyone & is an easy to understand interpretation of Article 17 of the GDPR.

"What should the organisation do?
The organisation should delete your data, unless an exemption in data protection law applies (see below).
They should also tell anyone else they have shared your data with about the erasure. They can only refuse to do this if it would be impossible or involve disproportionate effort. If you ask, they must also tell you that they have shared your data with other organisations.
If your data has been made public online – such as on social networks, forums or websites – then the organisation must take reasonable steps to inform the people with responsibility for these sites to erase links or copies of that data."
https://ico.org.uk/for-the-public/your-right-to-get-your-data-deleted/

Again, this is the polar opposite of what is written in the forum rules of this website. 3.1 - 3.4. also, none of the exemptions apply in the link above.

There seems to be a fantasy belief by admin that public domain data is exempt from the rights of the data subject. Also, untrue. See the ICO & also here from the DP Network:

6. Public domain data
The Right to Erasure also applies to personal data which has been made public in an online environment (‘The Right to be Forgotten’).You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.
https://dpnetwork.org.uk/managing-erasure-requests/#:~:text=The%20Right%20to%20Erasure%20also,or%20replication%20of%20the%20data.

Plus plenty of case law in this regard.

The nature of this website is such that some detail which relates to you & makes you identifiable "personal data" must be given in order to explain the situation to receive help. So, that section of the rules is laughable in the face of facts of the GDPR, "personal data" & "rights of erasure".

The reality is that in a public forum, you should be able to delete all your own personal data whenever you want of your own accord as you can on Facebook, Twitter & all other large organisations operating forms of public forums. You shouldn't need to ask the admin. Even Steemit, where all data is held on an uneditable blockchain, they have measures to erase your personal data from the public domain. Yet, CAG here thinks they are above the law in this regard.

Also, they are of the belief they can edit your personal data here anytime they like & even edit it in such a way to make it look as though you said something that you did not. This is a huge NO.

You have a right to object to this sort of processing of your data and also the right of rectification under the GDPR.

But, they aren't going to tell you this.. have a look at their privacy notice which should contain, by law, everything regarding your GDPR rights which I have written here.

You can withdraw your consent of processing your personal data at anytime after which, as they cannot rely on any of the exemptions in the GDPR, they must rectify or erase your personal data WITHOUT UNDUE DELAY. You can do this in writing, right here on the forum, in a letter or even verbally and they must comply. They have 30 days to comply.

Not only that, but, they must take reasonable steps to inform the people with responsibility for other websites to erase links or copies of that data - contrary to what is currently written in their forum rules!

If they do not comply, you have the right to seek a court order compelling them to comply with their legal obligations under the GDPR and also to seek material & non-material damages against the data controller.

You can do that by first contacting the data controller of this website:

Reclaim the Right Ltd. (the irony )
Marc Brooke Gander
262 Uxbridge Road
Hatch End
England
HA5 4HS

Put him on notice that you wish to exercise your rights under the GDPR & perhaps you already have done that by making requests on this forum. If you have already made a request on this forum for personal data to be removed & they have not complied with your request after 30 days they are now in breach of the DPA & GDPR.

If he does not comply, you can send a Letter Before Action following pre-action protocol in England and then proceed to file a claim against him in court.

The admin will probably delete this post informing you of how to exercise your rights ironically, but, I've already made a copy of this thread (and many others relating) and if this post is edited or deleted, I will post the details elsewhere on the internet so people will be aware of how they can exercise their rights under GDPR against Reclaim the Right Ltd. 

[dx100uk]

duplicate usernames same person

spots havent changed...

 

[coffeerequired]

Sometimes things need learned the hard way mate. Its called creative justice. 

Please do inform your users when you will update your privacy notice & "forum rules" to a reasonable legal standard.   

When do you plan to delete the thread containing my personal data I've requested you to delete now 3 times? 

 

[BankFodder]

We have not received any emails or any communication from anyone recently asking for deletion or erasure of data.
If you are referring to details contained in your account profile which you submitted when registering for an account here then we would certainly delete that and remove all references including IP addresses.

If you are referring to material that you have published on the forum, then that doesn't fall within the definition of personal data. For that purpose we are "publishers" in exactly the same way as a newspaper is.

If you feel that some of the posts you have made could identify you then we would be very happy to have a look and if it doesn't change the sense of what you have posted, we will be very pleased to try and edit them so that they are more anonymous.

I should tell you that this issue has come up with the ICO before and the ICO has confirmed that we are publishers.

Please consider my above suggestions – but if you feel that this is unsatisfactory then I suggest that you make a complaint to the ICO and of course we will comply with whatever decision the ICO makes.

In the meantime you might want to send us an email to admin email address and set out exactly what you are looking for.

We have received nothing from you