GDPR

The information provided by IFTAS is for general guidance and informational purposes only. It does not constitute legal advice and should not be relied upon as such. IFTAS is not a law firm and does not offer legal services. For advice on legal or regulatory matters, please consult a qualified professional.

The General Data Protection Regulation (GDPR) is an EU law that protects personal data and privacy. It gives individuals rights over their data, such as access and erasure (the "right to be forgotten"), and sets rules for how online service providers, including Fediverse services, may use it. Services must keep data secure, use it transparently, and use it only for the purpose it was collected for. It applies to any service that offers itself to, or monitors the behaviour of, people in the EU, regardless of where the server is hosted, and aims to give people more control over their personal information.

Responding to a GDPR Request

As someone running or moderating a community, especially on decentralised platforms, you may receive a GDPR request. These requests are part of the General Data Protection Regulation (GDPR), a law that gives people more control over their personal data.

A GDPR request is when someone asks you to do something with their personal data. The most common requests are:

  • Access: “What personal data do you have about me?”
  • Erasure: “Please delete my personal data.”
  • Correction: “This data is wrong; please fix it.”
  • Objection: “I don’t want my data to be used in this way.”
  • Portability: “Please send me my data in a structured, machine-readable format.”

People have the legal right to ask these things, and your role as a community admin or moderator includes helping meet those rights.

Step-by-Step: How to Handle a GDPR Request

1. Acknowledge the request

Let the person know you’ve received their request and that you will respond. You should do this as soon as possible, ideally within a few days. GDPR gives you one month from receipt to respond; for complex or numerous requests this can be extended by a further two months, but you must tell the person about the extension, and why, within the first month. A simple message like

Thanks for your message. I’ve received your data request and will respond as soon as I can. Under GDPR, I aim to respond within one month.

is all you need.

2. Verify their identity

Before sharing or deleting personal data, you must make sure the person making the request is actually the person the data is about.

This is important to protect user privacy and prevent someone else from accessing another person’s information.

You can verify identity in a few simple ways, depending on your platform:

  • Ask them to send the request from the same account or email address they used to create that account.
  • If the request comes from outside your platform, ask them to prove ownership of their account (for example, by replying to a private message or using a one-time code).
  • If you are unsure, don’t share personal data until you’re satisfied they are who they say they are.

Be cautious: never ask for sensitive personal documents like ID cards unless absolutely necessary, and if you do, keep copies no longer than the check requires. Always keep verification reasonable and proportionate to the data at stake. If you cannot verify identity, record that outcome and tell the person that you cannot act on the request until they can show the account is theirs.
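The “prove ownership with a one-time code” option above is easy to get wrong: a code that never expires, can be used more than once, or is accepted from any account is little better than no check. The following is an added example, not IFTAS code or anything a particular platform ships. It assumes the flow is: the moderator issues a code, sends it to the claimed account by private message on the platform, and the requester must reply with that code from the same account before it expires. The constants `CHALLENGE_TTL_SECONDS` and `MAX_ATTEMPTS`, the account names, and the request IDs are assumptions chosen for illustration.

```python
"""Challenge-response ownership check for a GDPR request (added example).

Assumed flow: issue() returns a one-time code that the moderator sends to the
claimed account by private message; confirm() is called with whatever account
replied and the code it supplied. A code is accepted only once, only from the
account it was sent to, only before it expires, and only for a few attempts.
"""

import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CHALLENGE_TTL_SECONDS = 24 * 60 * 60   # assumed: one day to read and answer the DM
MAX_ATTEMPTS = 3                       # assumed: stop guessing after a few tries


@dataclass
class Challenge:
    account: str        # the account the code was sent to; only it may answer
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OwnershipVerifier:
    """Tracks pending codes per request ID and a private log for step 7."""
    clock: Callable[[], float] = time.time   # injectable so expiry can be tested
    _pending: Dict[str, Challenge] = field(default_factory=dict)
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def issue(self, request_id: str, account: str) -> str:
        """Create a fresh code for `request_id` and remember who must reply with it."""
        code = secrets.token_urlsafe(12)   # ~96 bits from the OS CSPRNG, not guessable
        self._pending[request_id] = Challenge(account, code, self.clock())
        self.log.append((request_id, "issued", account))
        return code   # send this to `account` via a private message on your platform

    def confirm(self, request_id: str, replying_account: str, supplied_code: str) -> str:
        """Return 'verified', 'rejected', 'locked', 'expired' or 'unknown'.

        Wrong account and wrong code both give 'rejected' so a third party
        cannot learn which half they got right.
        """
        ch = self._pending.get(request_id)
        if ch is None:
            return "unknown"   # never issued, already used, or already invalidated
        if self.clock() - ch.issued_at > CHALLENGE_TTL_SECONDS:
            self._pending.pop(request_id)
            self.log.append((request_id, "expired", replying_account))
            return "expired"
        ch.attempts += 1
        same_account = replying_account == ch.account
        # compare_digest runs in constant time, so timing does not leak the code
        code_ok = hmac.compare_digest(ch.code.encode(), supplied_code.encode())
        if same_account and code_ok:
            self._pending.pop(request_id)   # single use: a replayed code fails
            self.log.append((request_id, "verified", replying_account))
            return "verified"
        if ch.attempts >= MAX_ATTEMPTS:
            self._pending.pop(request_id)   # too many tries: re-issue a new code
            self.log.append((request_id, "locked", replying_account))
            return "locked"
        self.log.append((request_id, "rejected", replying_account))
        return "rejected"


if __name__ == "__main__":
    v = OwnershipVerifier()
    code = v.issue("req-1", "@alice@example.social")   # constructed sample account
    print(v.confirm("req-1", "@mallory@example.social", code))   # rejected
    print(v.confirm("req-1", "@alice@example.social", code))     # verified
    print(v.confirm("req-1", "@alice@example.social", code))     # unknown (used)
```

The `log` list is the private record step 7 asks for: it records what was issued, to whom, and the outcome, without storing the code itself after use. If the requester cannot reply from the account (for example, they have lost access to it), this check fails by design, and the fallback is the proportionate verification described above rather than accepting the request on trust.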

3. Understand what they are asking

Make sure you are clear on what kind of request it is. If the request is vague or unclear, ask for more details.

4. Check what data you actually hold

As a moderator or admin, the data you can access may be limited. For example, on a decentralised platform, you might only hold:

  • Username
  • Email address and IP address
  • The posts or messages made in your community (posts held elsewhere, even through federation, are not under your control)
  • Admin notes or moderation logs related to that user (you may be able to withhold some of these, for example where they contain other people’s personal data, but you should still tell the requester that they exist)

If someone asks you for data you do not control, you are not responsible for it. Always be clear about what you can and cannot do.

5. Take action

Depending on the request, you might need to:

  • Share a copy of their data (access)
  • Fix incorrect information (correction)
  • Delete their posts or account (erasure) – if your platform offers a self-delete option, you can invite them to use it with their own credentials, which also confirms they control the account, but you still need to act if they cannot or will not do so
  • Remove their data from moderation logs if appropriate (you are free to keep administrative records, including moderation reports and outcomes)
  • Stop using their data in a specific way (objection)

Make sure the action you take is reasonable and fair.

6. Reply to the person

Let them know what you’ve done, or explain why you can’t do something. Always use respectful, clear language.

Your posts have now been deleted, and deletion requests are automatically sent to the servers your account was connected to. Please note we keep some records to prevent abuse and ensure community safety, relying on GDPR’s “legitimate interests” lawful basis.

7. Keep a record

It’s good practice to keep a private note of the request and how you responded. This helps show that you are taking data rights seriously.

Things to Remember

  • You don’t need to be a legal expert. You just need to act in good faith and respond in a fair, respectful, and timely way.
  • Not all data must be deleted. You can keep some data if there is a valid reason, such as keeping your community safe or complying with other laws.
  • Be honest about what you can control. If you can’t access certain data or you don’t have it, just explain that.
  • Verifying identity is a must. Never share or delete someone’s data unless you’re confident the request is genuine.

Resources

IFTAS (@about.iftas.org): nonprofit trust and safety support for volunteer social web content moderators.

IFTAS is a non-profit organisation committed to advocating for independent, sovereign technology, empowering and supporting the people who keep decentralised social platforms safe, fair, and inclusive.