GDPR Compliant Forum: 6 Facts You Need to Know!

Data protection has been an important issue for forum operators at least since the GDPR came into force. With WoltLab Suite, WoltLab offers professional forum software for operating your own forum in a GDPR-compliant way. We explain the most important things to consider.

1. Privacy Policy

Your forum requires a privacy policy, which informs the users of the forum about the processing of their personal data that takes place in your forum.

The following information should always be included in the privacy policy:

  • Name and address of the person in charge
  • Purposes for which personal data are processed
  • Legal basis for data processing
  • Data storage duration
  • Rights of the persons concerned

WoltLab Suite already comes with a ready-to-use privacy policy that covers the standard range of functions. This includes, for example, the use of the contact form, third-party logins or media providers like YouTube. Nevertheless, it can be useful to customize the privacy policy provided in the forum via the page administration in the admin panel for the following reasons:

  1. The name and address of the operator of the forum must be stated in the privacy policy.
  2. The privacy policy should not have unnecessary content. Passages that are superfluous because the corresponding function in the forum is not used or is deactivated should therefore be removed from the privacy policy.
  3. The supplied privacy policy does not cover areas that could potentially arise from your own customizations or the installation of third-party plugins. This can be, for example, an integration of advertisements (e.g. Google AdSense), analysis tools (e.g. Google Analytics), additional third-party logins, media providers etc. When using such functions, the privacy policy may have to be supplemented by further passages. Many third-party providers already offer ready-made text modules that only need to be inserted.

2. Storage of IP addresses

The long-term storage of IP addresses in a forum is legally questionable, as the GDPR requires that personal data (including IP addresses) be stored only for as long as necessary. In addition, users have the right to request information about the data stored about them, as well as to request complete deletion of that data. Both would be difficult to implement in practice if many stored IP addresses have accumulated for a user who, for example, has written many forum posts. We therefore recommend disabling the permanent storage of IP addresses. The corresponding setting can be found in the administration interface under "Configuration -> Options -> Modules -> System -> Save IP addresses".

Database Queries to Remove Stored IP Addresses

Disabling the permanent storage of IP addresses prevents future addresses from being stored, but it has no impact on existing ones in your database. You may run the following database queries once to erase the previously saved IP addresses.

3. SSL/TLS Encryption

The GDPR requires appropriate technical and organisational measures to protect the data entered in forms from being accessed by third parties. SSL/TLS encryption secures the communication between the user and the website and thus provides a sufficient level of protection. Furthermore, the use of encryption is expressly recommended by some search engines, e.g. Google, and has a positive effect on search result rankings.

The activation of SSL/TLS encryption is performed and controlled solely by the web server; please contact your provider if you require assistance to get this to work. Neither WoltLab Suite 3.x/5.x nor Burning Board 4.1 requires any configuration in this regard.

4. Embedding External Content

Embedding external content such as images or videos, for example in user-generated forum posts, causes the browser to transfer data directly to the respective third-party site, and this transfer includes personal data. Users must be informed about such data transfer in the privacy policy, stating a legal basis. Since the information must be provided separately for each external provider, it is recommended to keep the number of providers as small as possible, to prohibit the embedding of external images via the configuration, and to use the integrated file attachment function instead.
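
To see which external providers existing posts already pull in, and therefore which ones the privacy policy has to name, post HTML can be scanned for tags that make the browser fetch a resource on its own. The sketch below is an added example, not WoltLab code; the hostname `forum.example.com`, the sample posts and the assumption that posts are available as rendered HTML strings are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

FORUM_HOST = "forum.example.com"  # assumption: the forum's own hostname

# Tags whose URL attribute is fetched by the browser without any user action.
AUTO_LOAD = {"img": "src", "iframe": "src", "video": "src", "audio": "src",
             "source": "src", "embed": "src", "script": "src", "object": "data"}


class EmbedScanner(HTMLParser):
    """Collects third-party hosts that a single post makes the browser contact."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.hosts = Counter()

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # Relative URLs have no hostname and stay on the forum itself;
        # protocol-relative URLs ("//host/path") do carry a hostname.
        host = (urlsplit(url).hostname or "").lower()
        if host and host != self.own_host:
            self.hosts[host] += 1


def external_embed_hosts(posts, own_host=FORUM_HOST):
    """Return {third_party_host: embed_count} across all posts."""
    total = Counter()
    for html in posts:
        scanner = EmbedScanner(own_host)  # fresh parser so broken markup cannot leak between posts
        scanner.feed(html)
        scanner.close()
        total.update(scanner.hosts)
    return dict(total)


# Constructed sample posts (not real forum data).
SAMPLE_POSTS = [
    '<p>My setup: <img src="https://images.example.net/rig.png" alt=""></p>',
    '<iframe src="https://video.example.org/embed/123"></iframe>',
    '<img src="/attachment/42/"> and <a href="https://news.example.org/story">a link</a>',
    '<img src="//images.example.net/cat.jpg"/>',
    '<img src="https://forum.example.com/images/smiley.png">',
]

if __name__ == "__main__":
    for host, count in sorted(external_embed_hosts(SAMPLE_POSTS).items()):
        print(f"{host}: {count} embed(s)")
```

Plain hyperlinks are not counted because the browser only contacts their target when the user clicks; attachments served from the forum's own host are not counted either.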

5. Right to Erasure (Art. 17 GDPR)

Users can demand from the operator of a forum that the personal data concerning them be completely deleted. This includes, for example, the e-mail address, possibly stored IP addresses, but also forum posts, if they contain personal data. WoltLab Suite's user administration allows the user profile as well as the content created by a user to be deleted easily and conveniently.

6. Right to Data Portability (Art. 20 GDPR)

Users of the forum have the right to receive personal data concerning them in a structured, commonly used and machine-readable format. WoltLab Suite provides a suitable function in the user administration for the corresponding export of this data.