DReffects2

Reputation Activity

  1. Haha
    DReffects2 got a reaction from G17 Media in GDPR updates for Invision Community 4.3.3   
    Said someone who clearly never had an Abmahnung? Take Facebook for example: all bad press aside, FB reacted accordingly. Even a Lithuanian hosting company I do business with has responded with preemptive solutions. As well as every other company I do business with. All but one: IPS. The law has been known since 2016 - we're in 2018 and there's not even a data processing agreement.
    I do realize "let's see and react" is very American, but that does not help me or even pay my legal fees.
    Using your resources right is very much appreciated. But don't you feel that you should assist your EU customers and provide solutions instead of legal uncertainty? I do not expect that the check-box thingy for contact forms will emerge as the way to do things in the long run - but after this has been decided by the highest courts over here YEARS will pass. And hundreds of thousands of euros will be spent in order to reach this. I do not have 100k lying around nor the time. All while you are at risk of getting those cease and desist letters on a daily basis.
    And since even government-run websites implement checkboxes these days - I'd like to be better safe than sorry.
  2. Like
    DReffects2 got a reaction from JMRD in GDPR updates for Invision Community 4.3.3   
  3. Like
    DReffects2 got a reaction from Joel R in GDPR updates for Invision Community 4.3.3   
    For the data that leaves the EU please ensure that the hosting company in the US complies with the Privacy Shield Agreement. Please note that the previous "Safe Harbor" Agreement is not deemed enough according to the EU high courts.
    There are several due diligence things for you to do:
    Check if your hoster in the US has a VALID certificate: www.privacyshield.gov/list
    These certificates are to be checked and renewed every 12 months
    If your hoster is not on the list you theoretically can bind him contractually, but I guess that's not gonna happen.
    Your hoster needs to provide a data processing agreement that is GDPR compliant
    Personally, I would move the data to servers in the EU. Why host in the US in the first place?
  4. Thanks
    DReffects2 reacted to Lindy in GDPR updates for Invision Community 4.3.3   
    @DReffects2 - I appreciate you've done extensive research as applicable to your situation and jurisdiction. We have expended an enormous amount of time and resources aiding our EU clients with GDPR compliance to the best of our abilities and it's our understanding that we've actually done more than most similar platforms. A temporary line has to be drawn somewhere or we're going to end up with, as Matt said, a barrage of half-baked features and checkboxes everywhere. We have consulted with the ICO, our largest EU clients and perused legal resources and are confident that our implementation as of 4.3.3 will help satisfy your compulsory requirements under the GDPR. I know you don't like the "let's wait and see" approach on your remaining potential concerns, but that is in fact a key purpose of the judicial system -- interpreting and providing subsequent guidance on existing regulation.
    We are committed to adapting and accommodating as needed, I assure you. We aren't, however, able to go crazy and toss things in based on armchair interpretations. From a layman perspective, a simple checkbox here and there seems easy. From a development perspective - you need to do something with that checkbox. As the contact form, when configured such, is merely an email form, there's nothing to do in the same way there's nothing to do when you actively send someone a traditional email -- you're sending the email because you want to initiate contact. If you wanted a "simple" checkbox on the contact form that's simply sending an email, you then need to provide a mechanism for obtaining consent, store the email address, store the consent, provide a mechanism to withdraw the consent to store the email, etc. None of that is necessary based on reasonable interpretations of the GDPR, so as developers with finite resources, we need to weigh out these requests that amount to a fair amount of development time with limited basis and simply say, if you're super concerned about untested, unchallenged, extreme interpretations for things like this, it's likely best, for your own peace of mind, to simply not use the feature.
    I say with confidence that although ultimate compliance with any local, national or international law or regulation is the responsibility of the community owner; 4.3.3 is GDPR friendly. If you feel you need to be more restrictive based on additional member state requirements, interpretations or even personal peace of mind - you can of course disable embeds, disable the contact form, disable spam mitigation, disallow tech support and/or peruse third party solutions. It's my opinion, however, the EU authorities are not intending to cripple the Internet or make it cumbersome, inconvenient and unenjoyable to use; only to hold providers, controllers and processors to task for safeguarding data... and in that regard, it's only a good thing. 
    There's a lot of information, opinions and suggestions floating through the comments here and it's difficult to keep track of. We welcome you to engage us via a support ticket for software and corporate specific information and, of course, you may use the client forums to discuss various scenarios, share opinions, tips, etc. 
    We appreciate the feedback and participation. Let us know if we can be of further help.
  5. Like
    DReffects2 got a reaction from Unlucky in GDPR updates for Invision Community 4.3.3   
  6. Like
    DReffects2 got a reaction from Cyboman in GDPR updates for Invision Community 4.3.3   
  7. Like
    DReffects2 reacted to Tom S. in GDPR updates for Invision Community 4.3.3   
    I just saw this and laughed:

    I think consumers are starting to feel that way even more so than businesses.
  8. Haha
    DReffects2 got a reaction from Netherlord in GDPR updates for Invision Community 4.3.3   
    I am no expert on UK law but I can tell you from experience that it is not allowed in Germany. It would be absolutely absurd if anyone could just install 8K PTZ Dome cams and zoom in on your girlfriend's boobs, wouldn't it?
    While this has nothing to do with requirements for web tools I have to add: The new GDPR law trumps all local laws.
    Not much of an impact in the UK I guess since they're leaving...

  9. Like
    DReffects2 reacted to steel51 in GDPR updates for Invision Community 4.3.3   
    @Matt Can we have 4.3.3 as soon as possible? Monday is a bank holiday in many European countries. We could use this day to set up everything finally regarding GDPR. Thanks for all your efforts!
  10. Like
    DReffects2 reacted to Lindy in GDPR updates for Invision Community 4.3.3   
    You guys may wish to start a peer-based GDPR topic in the client lounge or similar to share your thoughts, tips and interpretations and carry on an ongoing dialogue amongst each other. You may pick up or be able to share some insightful information that will likely be lost in the shuffle here. 
  11. Like
    DReffects2 got a reaction from hjmaier in GDPR updates for Invision Community 4.3.3   
  12. Haha
    DReffects2 got a reaction from Joel R in GDPR updates for Invision Community 4.3.3   
  13. Like
    DReffects2 got a reaction from Cyboman in GDPR updates for Invision Community 4.3.3   
    eRecht24 (among many other established services) explicitly advises webmasters to implement checkboxes for forms. eRecht is a premier service for data privacy issues. The contact form in IPS does not require a user to be registered first, nor does the comment function for articles.
    https://www.e-recht24.de/news/abmahnung/10651-abwarnung-kontaktformulare-einwilligung.html

    Indeed it is. Matt, you've stated in another blog that the GDPR is very vague at times.  You ask three lawyers and get four answers. None of them are legally binding.
    I've seen dozens of lawsuits years ago about the cookie notice thingy. It was a HUGE hassle for everyone, even if you were proven right in court after thousands of dollars.
    Most data privacy advisors currently advise to implement checkboxes to be safe rather than sorry. I've read about alternative interpretations on this, but until this has been fought out in court the situation remains unchanged: You can only be safe if you do more than maybe required. Most of the large companies have equipped their websites with checkboxes in contact forms or at least a dedicated data privacy notice right before the submit button. Many have removed contact forms altogether.
    I do fully understand that this is a huge annoyance for everyone involved.
  14. Like
    DReffects2 got a reaction from Netherlord in GDPR updates for Invision Community 4.3.3   
    Excellent observation! This needs to be addressed asap.
  15. Thanks
    DReffects2 reacted to JMRD in GDPR updates for Invision Community 4.3.3   
    On the subject of deletion. 
    Does 4.3.3 fix the issue with quotes and edits present in earlier versions?
    Example:
    A user named Anton posts something, he later edits the post (it now contains 'Edited by Anton' in the bottom),
    a second user named Bertha quotes Anton's post and gets a post which contains "2 hours ago, Anton said:" 
    Anton now wants to be deleted. His account is now called 'Guest' and the content stays. How is the "edited by Anton" in the bottom of the first post, and the "2 hours ago, Anton said:" in Bertha's post handled? 
    Both clearly identify Anton as Anton and should (according to our legal counseling) be removed to be compliant.
    Is the option to "delete and rename" available through the API?
  16. Like
    DReffects2 got a reaction from Markus Jung in Your GDPR questions answered   
    @Matt
    I highly appreciate your efforts with this blog post. Your writing shows a lot of common sense and from a website publisher's perspective I do fully agree.
    But (and that's a big but) unfortunately the courts over in Europe have time and time again surprised us with their findings, and the new law (and even the old data privacy laws within the separate EU member states) do not share that common sense.
    While US Courts effectively can make laws, the courts over here can not. Each and every case is subject to interpretation of the written law and as you've noticed: the law is far from being exact. I'd like to address a few flaws with the law and the effects on communities driven by IPS. Like you, I am not a lawyer but reside in the one country with the single most cease-and-desist orders in relation to online business, copyright infringement and intellectual property claims: Germany. Hallo und Guten Tag.
    Let me go over the utilities the IPS suite now offers:
    The right to be informed
    Thank you - the cookie bar was long overdue.
    Right to DELETE
    This is an unbelievably tricky subject. Reading through the comments and even your post about an EU customer I wonder if anyone has ever read the laws on intellectual property (over in Europe).
    If any part of anything I post here or in any other online community reaches the threshold of originality ("Schöpfungshöhe") it is automatically protected by copyright law. (If you stretch the interpretation to its limits even this post right here could be covered since I aim to provide helpful information.) This copyright never expires and is not transferable to anyone else. Your original content will always be yours. The only way for a website publisher to keep the more creative posts of former users is if those users have transferred non-restricted usage rights to the publisher. The one and only way by law to have a copyright transferred from one person to another is by death of the original author. So even if you delete a former member from the community and keep the posts you are not immune to the Abmahnung. Years and years later a relative who inherited the intellectual property of a deceased member of your community could come after you. This is very very relevant when users are posting self-taken photographs or write fanfiction. There are ways to transfer unrestricted usage rights via your terms of service and I strongly suggest anyone within the EU implements those.
    I haven't deleted anyone recently but I do recall that once deleted, the posts from a deleted member that then are logged under a "guest" name cannot be selected collectively afterwards. So if you delete a member and keep the posts there is no way to do a second cleansing if this specific idiot tries to make your life hard. Also there's a requirement to inform any third parties about the deletion of a specific dataset. So if your community system transferred personal data to Facebook (status updates...) you need to inform Facebook about the deletion. There's an exemption if this would require a "high effort" but what that means is for the courts to decide.
    Suggestions to solve these issues:
    Have users sign away usage rights during sign-up via a checkbox (like with the opt-in for emails)
    Make posts of deleted members searchable afterwards in the ACP to get rid of them if needed
    Another big issue I see is with IP addresses. While it is absolutely common sense that an IP address is NOT personal information, the courts ruled otherwise. Time and time again. I will spare you tons of links and just post this one about a ruling from Germany's highest court:
    https://www.lto.de/recht/hintergruende/h/bgh-urteil-vizr13513-dynamische-ip-adressen-personenbezogene-daten-speicherung-internetseiten-bundesrepublik/
    Within this ruling you find the following:
    IP addresses in themselves, even dynamic ones, are personal data that need to be protected
    While website publishers certainly have an interest to protect their infrastructure, this interest only applies when there is a specific threat, which is not the case during normal operations
    All in all the IPs are NOT needed to serve the website to the visitor and therefore are not to be documented
    Fun fact about this: the one that went to court was a member of a political party. The one he sued was the country Germany. The court ruled in his favor. The highest European court came to the very same conclusion in 2016.
    Therefore we absolutely need an option to disable the collection of IP addresses and purge previously collected data (since that's not new with the GDPR).
    I recognize that you might be able to run a few db-queries to purge the IPs but since the GDPR requires companies to have a method description for all things related to IT this is not enough. Each tool used within your company's IT structure needs to be GDPR compliant on its own. Therefore the exclusion of IP address data collection has to be implemented within Invisionpower Software to be legal.
    A few more features required in relation to GDPR:
    An opt-in checkbox for the contact form that has to be checked before the user can send you his information, with a disclaimer that tells the user that the information he sends will be stored and used to answer his question. YES, this is f*cking obvious and seems totally retarded... Needs to be documented...
    An option to export all user data (posts, images, profile information) in a "standardized machine-readable form". See the right of transfer (§20 GDPR) https://www.datenschutz-grundverordnung.eu/grundverordnung/art-20-ds-gvo/
    Each and every opt-in by a user has to be documented. IPS has implemented this for the opt-in for emails; since every opt-in is now for a predefined specific purpose I'd argue that also the opt-ins for thread updates, personal messages etc. need to be gathered and documented.
    Age verification (I saw this in a previous version - does it still exist?)
    IPS needs to provide a Data Processing Agreement - even if you do not host my communities, your support can access them via an admin account for support. Therefore the agreement is needed. I have attached a document in English from a large European hosting provider. Maybe that's of help to you. I need one by May 24th.
    You're dead wrong here, sorry.
    Hallo "Abmahnung". That's the real problem. I suspect tens of thousands of Abmahnungen will leave the fax machines on May 25th at 00:01 am.
    Data Processing Agreement.pdf
  17. Like
    DReffects2 got a reaction from Michael Grote in GDPR updates for Invision Community 4.3.3   
    Great update. Huge step in the right direction.
    There is no debate about that. That has been determined time and time again by the highest of courts in Europe. IP addresses are personal information. ?
    Thanks for the retention feature! Highly appreciated! I guess setting this to 0 days would make it fully compliant ?
    yes!! Also this would allow to delete all of member 3312s' content even if the member itself was removed.
    I am very pleased to see that IPS is finally taking action on this. The remaining timeframe is very very very very harsh unfortunately.
    Two things I still miss in your blog:
    A data processing agreement
    Options to opt-in for each use of the comment, contact, posting feature with documented history (like you've implemented for admin bulk mails)
    I do miss the good old days with ikonboard. User credentials were stored unencrypted, no one cared. Better world back then.
  18. Like
    DReffects2 got a reaction from PasXal in GDPR updates for Invision Community 4.3.3   
  19. Like
    DReffects2 got a reaction from Matt in GDPR updates for Invision Community 4.3.3   
  20. Like
    DReffects2 reacted to Matt in GDPR updates for Invision Community 4.3.3   
    Something to consider for a future release. You should be able to hook into it. 
  21. Like
    DReffects2 got a reaction from TSP in GDPR updates for Invision Community 4.3.3   
  22. Like
    DReffects2 got a reaction from hjmaier in Your GDPR questions answered   
    My imprint is and was correct. I do not claim to be something I am not in the imprint.
    I was served because I declared myself the "Geschäftsführer" while using common language in a blog entry.
    You honestly do think that a CEO of a company with thousands of employees is not allowed to call himself the "boss" in letters and E-Mails? Do you recall the Schlecker drug stores? Anton Schlecker was a sole proprietor,  he employed 36.000 people. He was not allowed to call himself "Manager" or "CEO" on his business cards despite being the boss.
    I do employ two people. I consider myself their boss. My employees think of me as their boss. I am not allowed to call myself boss on paper. I specifically chose this example to demonstrate how complex and misleading EU and German law can be at times. And this exact problem also exists with the official translation of the EU GDPR law. It is not exact in any way, at times very misleading and up for interpretation, and in lots of instances fails to apply common sense.
    Take the requirement for a dedicated opt-in checkbox for contact forms. Everyone knows that if you submit data via a contact form it gets stored in order to provide an answer to your question - just like everyone knows that if you employ people you are their boss. Yet the interpretation of the law requires you to point out the obvious. If you do not, you can be in legal trouble.
    A little bit perhaps. I just wanted to raise awareness on the at times strange laws here. Looking forward to your new blog!
  23. Thanks
    DReffects2 got a reaction from hjmaier in Your GDPR questions answered   
    Please consult a German or at least EU-based lawyer about this and take this matter more seriously.
    Receiving and paying for an "Abmahnung" is day-to-day business over here. Such cases do not need to be brought to court, in fact that's the whole point of the Abmahnung. An arbitrary "competitive relationship" is enough to get one of these letters - more often than not there's no way to defend against this without risking a huge amount of money in court.
    Fees and costs are determined by LAW by a fictional litigious value with the lowest of values starting at 10.000-20.000 EUR which results in about 700-1.200 EUR in legal fees you have to pay to your lawyer AND the lawyer of the opposition. This is per incident.
    Bringing this to court to defend yourself would result in even more costs for the first court instance alone. Taking the "usual" 50.000 EUR litigious value this brings you to:

    That's about 11.300 USD of risk for defending against a bogus claim. That's why most of the time it's common sense to pay for the Abmahnung after a little bit of negotiating.
    During the last 15 years running a small company I was subject to seven Abmahnungen. While two of them raised valid points the rest were based on the kind of bullsh*t laws we have and purely for the sake of profit.
    The last one I got was for calling myself the manager of my company. Which technically is not true since I am a "sole proprietor" with two employees and therefore no "company" with its own juristic person exists. So legally there is no "company", and since there's no company, no manager or CEO exists - so you get an Abmahnung. This one alone cost me 1.250 EURO and it makes no common sense because within common German language use you simply call yourself the manager or CEO of your company. There actually are not even different German words for my position in my own uhm... company available in the dictionary. By law I am allowed to call myself "Sole proprietor" on my business card. But no one does that because it sounds rather stupid and a bit untrustworthy. I could run a Fortune 500 company and not be allowed to be the "CEO" or "Manager" of that company as long as the legal status is the one of a sole proprietor. If someone from the competition calls you and asks you "are you the boss" and you answer with "yes" you'll get an Abmahnung due to "competitive distortion". Makes no sense at all.
    The German trade association IHK is currently warning about a new wave of Abmahnungen because they do know about crooked lawyers. There's a whole business structure here. Competitive distortion will be the number one claim starting May 25th.
    My legal experts tell me: If the tool you are using is in itself not GDPR compliant, the outcome of your undertaking is not GDPR compliant. While I am most certainly able to include tons of stuff within my terms and conditions, those do NOT have legal binding due to their unexpected nature and therefore are void. (See https://dejure.org/gesetze/BGB/305c.html )
    To be valid those unexpected terms and conditions have to be acknowledged individually by the user. This not only goes for all the intellectual property stuff but also for the new requirements of the GDPR. That's why I was asking for individual checkboxes during signup, commenting, contact forms etc.
    The most pressing issue is a data processing agreement and the collection of personal data that's unnecessary (IP Addresses...). Please address that.
    Thanks!
  24. Like
    DReffects2 reacted to TSP in GDPR updates for Invision Community 4.3.3   
    @Matt On deletion of members: 
    Could there be an option to define the name to attribute to on that page directly? So we could input for example "Member 3312" (where 3312 would be their memberId). This will keep the discussion still somewhat reader friendly, so it would still be possible to differentiate different accounts as having written in the discussion, for readers reading old content. 
    Alternatively let the Anonymize attribution do an md5 hash on the (memberId+some community specific value that is unlikely to be changed) and grab the first 8 letters or something.
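As an added example (not code from IPS, TSP or JMRD), here is how the stable pseudonym TSP proposes and the leftover "Anton said:" / "Edited by Anton" residue JMRD asks about could be handled together. It swaps TSP's md5(memberId+value)[:8] for an HMAC-SHA256 keyed with the community-specific value, which keeps the same stable, short alias but cannot be brute-forced over the small member-id space without that secret; the post fields, the secret and the three sample posts are all constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed per-community secret (the "community specific value" in TSP's
# suggestion). It must stay constant or every alias changes.
COMMUNITY_SECRET = b"constructed-secret-do-not-reuse"


@dataclass
class Post:
    """Minimal constructed post record; field names are assumptions."""
    post_id: int
    author_id: int
    author_name: str
    body: str
    edited_by: Optional[str] = None


# Constructed sample: Anton (member 3312) posts and edits, Bertha quotes him.
SAMPLE_POSTS = [
    Post(1, 3312, "Anton", "The cookie bar is live now.", edited_by="Anton"),
    Post(2, 4401, "Bertha", "2 hours ago, Anton said:\n> The cookie bar is live now.\nGreat!"),
    Post(3, 3312, "Anton", "Thanks Bertha."),
]


def pseudonym(member_id: int, secret: bytes = COMMUNITY_SECRET) -> str:
    """Stable, non-reversible display alias for a deleted member.

    Same member id -> same alias, so readers can still tell accounts apart
    in old threads; without the secret the alias cannot be mapped back.
    """
    digest = hmac.new(secret, str(member_id).encode(), hashlib.sha256).hexdigest()
    return f"Member {digest[:8]}"


def _said_pattern(display_name: str) -> re.Pattern:
    # Matches a quote attribution line such as "2 hours ago, Anton said:".
    return re.compile(r"(?m)^(.*?, )" + re.escape(display_name) + r" said:$")


def anonymize_member(posts: List[Post], member_id: int, display_name: str) -> List[Post]:
    """Re-attribute the member's own posts to the alias and rewrite every
    edit footer and quote attribution in other posts that names them.

    The numeric author_id is kept on the member's own posts so a later
    collective cleanup can still select all of that member's content.
    """
    alias = pseudonym(member_id)
    said_re = _said_pattern(display_name)
    out = []
    for p in posts:
        author_name = alias if p.author_id == member_id else p.author_name
        edited_by = alias if p.edited_by == display_name else p.edited_by
        body = said_re.sub(lambda m: m.group(1) + alias + " said:", p.body)
        out.append(Post(p.post_id, p.author_id, author_name, body, edited_by))
    return out


def residual_mentions(posts: List[Post], display_name: str) -> List[int]:
    """Post ids whose author, edit footer or quote attribution still carry the
    old display name. Run after deletion as a check that cleanup was complete."""
    said_re = _said_pattern(display_name)
    return [
        p.post_id
        for p in posts
        if p.author_name == display_name
        or p.edited_by == display_name
        or said_re.search(p.body) is not None
    ]


if __name__ == "__main__":
    print("before:", residual_mentions(SAMPLE_POSTS, "Anton"))
    cleaned = anonymize_member(SAMPLE_POSTS, 3312, "Anton")
    for p in cleaned:
        print(p.post_id, p.author_name, repr(p.body.splitlines()[0]), p.edited_by)
    print("after:", residual_mentions(cleaned, "Anton"))
```

Free-text mentions of the name inside a post body (for example "Thanks Anton") are deliberately left alone; the check only covers the automatically generated attributions the thread discusses.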
  25. Thanks
    DReffects2 got a reaction from Cyboman in Your GDPR questions answered   
    @Matt
    I highly appreciate your efforts with this blog post. Your writing shows a lot of common sense and from a website publisher's perspective I do fully agree.
    But (and that's a big but) unfortunately the courts over in Europe have time and time again surprised us with its findings and the new law (and even the old data privacy laws within the separate EU member states) do not share that common sense.
    While US Courts effectively can make laws, the courts over here can not. Each and every case is subject to interpretation of the written law and as you've noticed: the law is far from being exact. I'd like to address a few flaws with the law and the effects on communities driven by IPS. As you I am not a lawyer but reside in the one country with the single most cease-and-desist orders in relation to online business, copyright infringement and intellectual property claims: Germany. Hallo und Guten Tag.
    Let me go over the utilities the IPS suite now offers:
    The right to be informed
    Thank you - the cookie bar was long overdue.
    Right to DELETE
    This is an unbelievably tricky subject. Reading through the comments and even your post about an EU customer I wonder if anyone has ever read the laws on intellectual property (over in Europe).
    - If any part of anything I post here or in any other online community reaches the threshold of originality ("Schöpfungshöhe") it is automatically protected by copyright law. (If you stretch the interpretation to its limits even this post right here could be covered since I aim to provide helpful information.) This copyright never expires and is not transferable to anyone else. Your original content will always be yours. The only way for a website publisher to keep the more creative posts of former users is if those users have transferred non-restricted usage rights to the publisher. The one and only way by law to have a copyright transferred from one person to another is by death of the original author. So even if you delete a former member from the community and keep the posts you are not immune to the Abmahnung. Years and years later a relative who inherited the intellectual property of a deceased member of your community could come after you. This is very, very relevant when users are posting self-taken photographs or write fanfiction. There are ways to transfer unrestricted usage rights via your terms of service and I strongly suggest anyone within the EU implements those.
    - I haven't deleted anyone recently but I do recall that once deleted, the posts from a deleted member that are then logged under a "guest" name cannot be selected collectively afterwards. So if you delete a member and keep the posts there is no way to do a second cleansing if this specific idiot tries to make your life hard.
    - Also there's a requirement to inform any third parties about the deletion of a specific dataset. So if your community system transferred personal data to Facebook (status updates...) you need to inform Facebook about the deletion. There's an exemption if this would require a "high effort" but what that means is for the courts to decide.
    Suggestions to solve these issues:
    - Have users sign away usage rights during sign-up via a checkbox (like with the opt-in for emails)
    - Make posts of deleted members searchable afterwards in the ACP to get rid of them if needed
    Another big issue I see is with IP addresses. While it is absolutely common sense that an IP address is NOT personal information, the courts ruled otherwise. Time and time again. I will spare you tons of links and just post this one about a ruling from Germany's highest court:
    https://www.lto.de/recht/hintergruende/h/bgh-urteil-vizr13513-dynamische-ip-adressen-personenbezogene-daten-speicherung-internetseiten-bundesrepublik/
    Within this ruling you find the following:
    - IP addresses in themselves, even dynamic ones, are personal data that need to be protected
    - While website publishers certainly have an interest to protect their infrastructure, this interest only applies when there is a specific threat, which is not the case during normal operations
    - All in all the IPs are NOT needed to serve the website to the visitor and therefore are not to be documented
    Fun fact about this: the one that went to court was a member of a political party. The one he sued was the country Germany. The court ruled in his favor. The highest European court came to the very same conclusion in 2016.
    Therefore we absolutely need an option to disable the collection of IP addresses and purge previously collected data (since that's not new with the GDPR).
    I recognize that you might be able to run a few db queries to purge the IPs, but since the GDPR requires companies to have a method description for all things related to IT this is not enough. Each tool used within your company's IT structure needs to be GDPR compliant on its own. Therefore the exclusion of IP address data collection has to be implemented within Invisionpower Software to be legal.
    A few more features required in relation to GDPR:
    - An opt-in checkbox for the contact form that has to be checked before the user can send you his information, with a disclaimer that tells the user that the information he sends will be stored and used to answer his question. YES, this is f*cking obvious and seems totally retarded... Needs to be documented...
    - An option to export all user data (posts, images, profile information) in a "standardized machine-readable form". See the right of transfer (§20 GDPR) https://www.datenschutz-grundverordnung.eu/grundverordnung/art-20-ds-gvo/
    - Each and every opt-in by a user has to be documented. IPS has implemented this for the opt-in for emails; since every opt-in is now for a predefined specific purpose I'd argue that also the opt-ins for thread updates, personal messages etc. need to be gathered and documented.
    - Age verification (I saw this in a previous version - does it still exist?)
    - IPS needs to provide a Data Processing Agreement - even if you do not host my communities your support can access them via an admin account for support. Therefore the agreement is needed. I have attached a document in English from a large European hosting provider. Maybe that's of help to you. I need one by May 24th.
    You're dead wrong here, sorry.
    Hallo "Abmahnung". That's the real problem. I suspect tens of thousands of Abmahnungen will leave the fax machines on May 25th at 00:01 am.
    Data Processing Agreement.pdf