GDPR compliance

Please note:

If a user wants to be deleted, this means “deleted” in the sense of GDPR.

It does NOT mean : “anonymise the user in 1 place only” !!!

Everybody can still be identified by the eldest journo helper in the Internet, the google cache:

What are you suggesting? I don’t have power over the Internet.

As far as I understand (but IANAL bla bla…) Discourse has been made to be GDPR compliant.

Anonymisation is a valid means of ‘account removal’ if it is done correctly. See: Anonymisation and GDPR. There’s one issue in a forum context, namely that the content of your posts may contain PII. For this reason I ask the member to check and edit their posts. When the member indicates they are satisfied I anonymize.

Note that there is another option: full account removal, including deletion of all posts of the member. This is potentially highly disruptive to the forum if the member was very active. It will leave holes in many threads, and erase the responses of other members if the action cause topics to be deleted. After the removal, quoted text of the member by others still remains. My understanding is that forum staff do not have to offer this option, but for new members with only a few posts this might be provided as an alternative to anonymisation.

With regards to other external parties that collect PII from the public forum, there are 2 distinct situations: 1) You used these parties deliberately (e.g. Google Analytics) --> you must mention them in your Privacy Policy with a link to their privacy policy (which must be GDPR-compliant), list PII collected, cookies used, etc. 2) Party is beyond your control. In most cases the external party is responsible for informing the party from which it collects PII on a case-by-case basis. See: Public data & GDPR. (That this doesn’t happen is probably either due to legal loopholes being used or the harvester just being non-compliant, but all this is beyond the responsibility of the forum).

As for SocialHub itself. There’s the Terms of Services and Privacy Policy. I think these are the standard ones that Discourse provides with their software installation, which cover the ‘Public Forum’ use case, but unfortunately especially the ToS uses a lot of legalese and might be worded in more friendly, understandable manner. I think (not an expert) it might also specify the default license to be used for posts on the forum (e.g. CC-BY-SA), as well as a more explicit warning that your content will be public and what that implies (technically the forum settings might avoid search engine indexing, but that may not be desirable for a technology forum, and is not watertight anyway).

Note: The Solid forum has an ongoing GDPR discussion: GDPR in this forum.

noindex tag for anonymised result is the minimum.

Since GDPR is different in every country, I am referring to §17 german DSGVO and “right to be forgotten”.