GDPR - "right to be forgotten" after anonymizing

Hello admins, I found many (many, many) GDPR topics but nothing that seemed to have this answer. I apologize if this is a duplicate.

I’m using Discourse with SSO, attached to a larger membership site. I’m trying to figure out what to do if a member of my site deletes their account.

Normally I’d say: well, I can call Discourse and anonymize their Discourse profile and that takes care of it. It’s probably okay that their posts stay public, and I’m going to change my TOS to specifically indicate that if you delete your account on my site, your public forum posts will remain under an anonymous username. That seems ok.

However, what happens if a week later, I get an email request from that person, requesting under GDPR that I delete all of their data?

Since I’ve already anonymized their account, how can I determine what posts in Discourse were created by them?


Hard to say without a lawyer’s input, but I’ll present this as evidence:


…and in response to that, I’d argue that forum posts are always “being used for the purposes it was collected for.”


I cannot, to the best of my abilities, find your data, as it’s in a pool of anonymized data. If you can prove ownership of the data I will gladly remove it.

As this will be a great undertaking by the user, the thing dies there. Under GDPR you’re obligated to forget a user and erase any data that can get tracked or pinned to him; if he himself cannot, nobody will. This is a very light take on the matter, and if you’re really worried in legal terms you should always consult a lawyer.


What about unstructured data though? I saw one case on a Discourse forum recently, where a user requested that their posts be deleted because the posts themselves included identifying details.


Yes, that’s exactly what I’m thinking about. What if someone posts a selfie? Or their phone number? They delete their account on my site, as part of that (automated) process, their Discourse account is anonymized… and then the next day, I receive a GDPR removal request. I have to remove all their personal info from my site. Now I’m stuck.

I like this idea but I doubt it would hold up under the scenario I describe above.

Another option is that, instead of anonymizing, I could just delete them entirely from Discourse. Of course, the problem is that all their old messages go away, leaving holes in topics. Hmm. Not crazy about that either.


If they were the OP that would also remove entire topics.


Not really, as you’re permitted to keep records to the extent necessary to verify the anonymization request.

Has anyone actively complained to you that this procedure is insufficient?

Hmm I’m not sure I follow exactly. You’re saying that when Discourse anonymizes, it returns the anonymized username? If so… then I guess I could keep a log of each anonymization and the before/after usernames, so I have a record. That’s not a bad idea.

I have already had a couple of requests to remove all messages from members who, luckily, weren’t anonymized yet… and I regularly receive GDPR “forget me” requests, right now 2-3 a month. But between the fact that I’m based in Europe and have a large European member base, combined with the fact that my community has good reason to be extremely sensitive about privacy… I think having a good and well-thought-out answer to “how do you handle my forum posts” is extremely important. Right now I am trying to figure that out.

Here’s an article from a Dutch lawyer about this specific problem. Emphasis mine.

This problem was already recognized when the GDPR was introduced, and it is therefore stated in the right to forget that it does not apply if the processing (i.e. the publication) is necessary for the exercise of the fundamental right of freedom of expression (Article 17 paragraph 3 GDPR). This means that a forum administrator can in principle prevent the removal of messages. A profile or registration of a user falls outside that fundamental right and must therefore be removed on request.


A friendly reminder: most of us here on Meta are not lawyers. For the few users that are lawyers, they’re not your lawyer. Arnoud (from the article Richard linked) isn’t your lawyer either.

We’re happy to discuss the technical side of handling GDPR data erasure requests. We can also discuss the community management side of it. We cannot provide answers to the legal side. For that, a lawyer, specifically your lawyer, is needed. One that knows both GDPR and the specifics of your circumstances. Any information provided here is not, and must not be considered legal advice.