Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+8 votes
in Q2A Core by
edited by
Is there technically anything to be done in Q2A to meet GDPR requirements?
Q2A version: 1.8.0
What would technically imply for Q2A to be "GDPR ready"?
I've read somewhere that users need to have the option to have their profile pages private

3 Answers

0 votes
Good question. I don't know exactly what is required by GDPR. Q2A allows deleting of accounts by Administrators, so users can ask to have their account deleted. However, users cannot delete their own accounts, not sure if that is a requirement.

Very little information is kept in the profiles anyway. Users can easily delete everything there if they need to.
By using this after selecting the qa_user
DELETE FROM `qa_users` WHERE email = 'user@email.com';
DELETE FROM `qa_users` WHERE handle = 'username';
@ProThoughts Thanks for reminding :)
@arasahmed That is a bad way because it will still keep user points and user posts alive - provided the deletion is allowed by the Database.
As long as their posts don't contain identifying information and pseudonymization is properly used to dissassociate the posts from their initial account leaving questions asked by a deleted account should not be an issue I believe.
The main points that affect code are:

A check for private policy consent on contact form.
A check for private policy consent for not logged user on question, answer and comment forms if this option is allowed.
A check for private policy consent on register (that is correct now).

All the checks have to be unchecked by default.

A small extract that inform of main points of private policy (responsible, purpose, legitimation, recipient and rights) previous to consent should be placed with the check.
+1 vote

If Scott does not know, then most probably Q2A is not ready for GDPR.

Complying with GDPR is vital. Any business found not sticking to the rules could be charged fines of up to €20 million or 4% of the company's global annual turnover.



MAYBE a quick and dirty way to comply is to disable registering, delete existing users and allow only multimedia logins ( https://github.com/alixandru/q2a-open-login ).

That's silly, user registration is not banned by GDPR. The rules are about data retention. If you use social login you'd still need to remove accounts/data.

There is nothing in Q2A that inherently goes against GDPR. Any user accounts and personal data can easily be removed manually.
I think these two points are mandatory:

A check for private policy consent on contact form.

A check for private policy consent for not logged user on question, answer and comment forms (if this option is allowed).

As you say, other things like deleting and sharing data can be done manually.
edited by
How about the automatic email notifications for replies etc, even for LOGGED in users?  Do we need consent to send those?  Or can these be covered from the T&C or Privacy policy consent?

Also the warning for the cookies.  I see more and more sites asking for consent for their cookies.  Does Q2A use cookies?
as stated by desgrapador, current forum status is not enough to comply with the law at 100%. Is there any plugin or modification we can do to really improve it?

Especially to add new required checkboxes before asking a question or comment (logged and anonymous users)

An anonymous user sees this:
"Email me at this address if my question is answered or commented on:"

This option is CHECKED by default.  This is against GDPR.  It should be OFF by default.
You can change that in Admin > Posting > Select the check box for email notifications by default

But yes, it should be off by default as well as other checkboxes that should be opt-in and not opt-out if they interact with personal information. At least in Europe
edited by
You are right!  I changed it and now all users (registered and anonymous) need to OPT-IN to get email notifications, for each post they make.  This fixes it!

Thank you again.

Now, to make Q2a user-friendly, there should be an option in the user profile to permanently activate this, if the user really wants it.
"...Is there any plugin or modification we can do...?"
Here's a discussion about letting users delete their accounts

It's possible but it takes a whole bunch of customization either as a plug-in or as core modifications.

The bottom line, in my opinion, is each live Q2A website has somewhat diverged from
what the Q2A platform currently offers and, in this case, this feature has to be
implemented differently for each one of them.
+2 votes
Thanks, good article. Unless I’m mistaken I don’t think there’s anything Q2A needs to do. You can already delete users and/or hide their posts.
How about the cookies?  Is there a way to disable cookies for people that are not logged in?  I prefer to allow only anonymous postings and get rid of cookies.  

I have a very hard time implementing the OPT-IN cookie consent for Q2A.
You don’t need consent for necessary cookies.
What about adding a new required checkbox before asking a question or comment (logged and anonymous users)?

Not just the Email me one. I'm talking about the By sending this message you agree to our privacy policy or something like that.