> If I put my data there, that's my problem, but you're not allowed to do that.
Is it really? That's a part I did not really understand about the regulation, and I can't find anything about voluntarily relinquishing control of personal data.
I.e.: I leave my personal name and email address on a public forum. Google later adds that post to its index, or another random company like Web Archive or archive.is scrapes it.
What are my rights? What are their obligations? Is the forum owner liable for my action if I didn't explicitly agree for my data to be shared by him to all unforeseeable future scrapers?
> as a controller holding my data, you're responsible for safeguarding the data
This confuses me even more. Say I'm running an analytic system. I track users through a cookie. Tracking cookies are, for some reason, personal information. If a user deletes the cookie from their browser and then asks me to fulfill my obligations about erasing his data from my system, how do I identify him? Who's liable then?
> I leave my personal name and email address on a public forum. Google later adds that post to its index, or another random company like Web Archive or archive.is scrapes it.
I wish there was an official guide on how to run a forum properly, because all forums suffer from the same problems.
What I figured out so far:
You as a forum administrator must delete that personal data on request. This could mean digging through all posts of a user and deleting all PII, although you don’t have to delete all posts if they contain no PII.
You as a forum administrator must get your privacy policy right and possibly make it harder for third parties to index PII. This depends on your intentions and whether or not people know that your forum is public.
Say, your forum is about car parts. You could set a subforum that asks members to introduce themselves (where PII are most likely) to noindex or hide from the public.
This way, you’ve put in reasonable effort to protect your users and your obligation is done. Indexing by third parties is now out of your control.
But say you run a medical forum where people post health data (considered super sensitive) and are expected to post a lot of PII, you might have to set the entire board to "members only".
Although I’m not sure about any of this and to some extent, most forums provide value by being visible to visitors and indexed by Google. Quite sad.
IMHO this is not talked about much because that's not a new GDPR issue; GDPR introduces a bunch of new things about e.g. consent of processing data, but the "right to be forgotten" and requests to delete my PII that someone else posted to your forum is pretty much unchanged, it was a thing in EU legislation for quite some time already (might be a full decade?) so all the "here's what to do now" articles don't touch this.
> the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure
So it seems a "disallow" in robots would solve the issue with crawlers and public data, but that works at page level, not content level. Pushing a crawl request after information erasure may not be enough, since we need to inform the controllers on why the data has changed, not just that it has changed.
The last part of your question is easy to answer. Before you start processing personal information, you need to ask the affected persons for consent. So now you know how to identify them.
If you want to get away without consent, you need to design your system in such a way that it doesn't hold personal information. E.g., maybe randomize the raw tracking data as first processing step, and only keep the randomized version.