8

One question about the GDPR:
Can one say you have to remove all data about him, including things like IP bans? Because then you could not punish someone for breaking your rules.
How is that handled?

Comments
  • 2
    They have reasonable grounds to have that data on you so it's fine.
  • 4
    @neodite technically you can let your IP ban be removed. Otherwise here in Germany I can just unplug my router to get a new one.

    On the other hand if you get banned by your Username/UserID you are legally able to let your ban be removed. If your username is your mail or is resolvable to identify you even in a slight way it's personal data. So remove your bans!

    Also they have to remove your data from their backups.

    The only possible way for, let's say online games, is a user account system where they just delete your user account to "ban" you
  • 2
    To remove your ban (email account) they would also need to remove your whole account from said platform.

    Couldn't be used to get around a ban.
  • 0
    @neodite I think he is talking about online games haha
  • 7
    You can hash the E-Mail/IP, so it's not personally identifiable anymore.
  • 0
    @sudorm-rf Yeah... No, a hashed email is useless for websites :D and they still can claim that you delete that email even if it's hashed
  • 3
    @SteffTek how is a hashed e-mail useless for banning purposes?
  • 0
    @sudorm-rf like I said, you still have to delete that data if your client wants it
  • 2
    An IP address is not personal information. Blocking any kind of IP addresses or ranges is your good right.

    And a one-way hashed username or email address is not personal information either.
  • 0
    @Npstr the new GDPR in the EU says it's personal information
  • 0
    *Flies away*
  • 1
    But it is not. It only becomes so together with other data, like the ISP tracking who owns which dynamic IP at what time.

    Are you an ISP? Then yes, tracking IPs of your customers is personal data.

    Blocking random IPs /ranges is not personal data, even as an ISP.
  • 0
    @Npstr Yeah, random is still legal, but say you have a.... Minecraft is probably the best reference. You have a Minecraft server, someone is destroying other people's creations, so you IP-ban him. So it's not random anymore
  • 1
    Hey I think we are confusing two things here.

    One of these is the general discussion whether IP addresses are considered personal information, but it might actually be entirely irrelevant. Read on.

    The other thing is what I would call a bit of misunderstanding about the GDPR: If you have a legitimate reason, you are absolutely allowed to save the minimum required data for that purpose. Even better if it gets cycled automatically (fail2ban, properly set up IP logs). So if you have a temporary blacklist of IPs and use an industry standard one-way hashing algorithm to keep a blacklist of emails / usernames to keep out users that abuse your ToS, that's a perfectly fine use case there, and no, users may not force you to remove their information from there.

    You might have to mention this practice somewhere to be fully GDPR compliant. Have a look at the term "legitimate interests" for more info.

    As usual with legal mumbo jumbo, IANAL and might just be talking out of my ass here.
  • 1
    @Npstr yes, the GDPR is confusing as fuck. We'll see how far it is going :D
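
The ban list described in the thread above (temporary IP bans that expire on their own, plus one-way hashed e-mails for account bans), as an added example that is not code from any commenter. It uses a keyed hash (HMAC-SHA-256) instead of a bare hash, since an unkeyed hash of an IPv4 address can be recovered by enumerating the address space; the key, the TTL and all names here are assumptions.

```python
import hashlib
import hmac
import time

# Constructed demo key (assumption): load a random secret from outside the DB in practice.
PEPPER = b"constructed-demo-pepper"
IP_BAN_TTL = 24 * 3600  # assumption: IP bans are dropped after one day


def normalize_email(email: str) -> str:
    # Case and surrounding whitespace must not let a banned address slip through.
    return email.strip().lower()


def fingerprint(value: str) -> str:
    """Keyed one-way hash; only this hex digest is ever stored."""
    return hmac.new(PEPPER, value.encode("utf-8"), hashlib.sha256).hexdigest()


class BanList:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._accounts = set()   # HMAC(normalized e-mail), kept until unbanned
        self._ips = {}           # HMAC(IP) -> expiry timestamp

    def ban_account(self, email: str) -> None:
        self._accounts.add(fingerprint(normalize_email(email)))

    def ban_ip(self, ip: str, ttl: int = IP_BAN_TTL) -> None:
        self._ips[fingerprint(ip)] = self._now() + ttl

    def purge_expired(self) -> int:
        """Drop IP entries past their expiry; returns how many were removed."""
        now = self._now()
        expired = [key for key, expiry in self._ips.items() if expiry <= now]
        for key in expired:
            del self._ips[key]
        return len(expired)

    def is_banned(self, email: str, ip: str) -> bool:
        self.purge_expired()
        return (fingerprint(normalize_email(email)) in self._accounts
                or fingerprint(ip) in self._ips)

    def stored_values(self) -> list:
        """Everything the list retains: digests only, no raw e-mail or IP."""
        return sorted(self._accounts) + sorted(self._ips)
```
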