This document contains instructions on how to process each type of Account Deletion or Data Access request. It is split into two stages, Submission Handling and Request Processing, to be followed in that order. Each request will go through the same flow from opening to completion that is outlined in the chart below. All requests must be fulfilled within 30 calendar days.
We are only able to process Account Deletion and Data Access requests if they are submitted through the official Personal Data Request form. If a request is received via any other method, we will close it and direct the user to open a request through the form.
When a user submits a request through the form, an issue is automatically created in the Personal Account Requests Service Desk, even for invalid requests. Comments made in the issue will be emailed to the user. You will communicate with the user through the issue on the progress of their request.
The purpose of this stage is to instruct you on how to close out invalid requests.
When a request is received through Zendesk as a support ticket, do one of the following:
If the ticket is regarding an Account Deletion request, apply the Support::SaaS::Account Deletion Instructions - GitLab.com macro, and mark the ticket as solved.
If the ticket is regarding a Data Access request, apply the General::Personal Data Access Request Instructions macro, and mark the ticket as solved.
If the ticket is regarding a combination of both, use a variation of both macros above, and mark the ticket as solved.
If a request to the Personal Account Requests Service Desk is submitted directly via email, add the account-deletion::invalid label, add a comment to the issue with the snippet below, then close the issue.
It looks like you've emailed this request in to us directly. In order for us to best assist you please re-submit this request via our [Personal Data Request form](https://support.gitlab.io/account-deletion/). Doing so will allow us to process your request more quickly and efficiently. This request will now be closed. We eagerly await your resubmission. Thank you!
NOTE: Requests sent in through the official form will include a copy of the form entries in the initial description of the issue.
If the request submitted is spam, apply the label Invalid Request::Spam, then close the issue.
If a user has submitted multiple requests via the form, apply the /duplicate quick action to the duplicate issues, and respond with the following before closing the duplicates:
It looks like you have submitted multiple requests for the same purpose.
I'm closing this issue in favour of #123, and we will continue processing your request on the other issue.
Find the appropriate workflow below to process requests submitted to our Personal Account Requests Service Desk, based on their request type.
As a reminder, before processing a request you should make sure that you have already Streamlined Your Workflow to make requests easier to process.
The following are the types of requests that a user can file. Click the link for each to jump to the associated workflow for processing that request.
Currently, only GitLab.com Account Deletion or Full Deletion requests are auto-checked upon form submission.
This workflow applies to both GitLab.com Account Deletion and Full Deletion requests. When a request is submitted for either of these types, the following form entries are verified using built-in automated checks:
After submission, the automated checks will either fail or succeed.
You Should Know: If any of the automated checks fail, the user will receive an auto-generated response detailing the reason we are unable to process their request. The issue created will be marked as invalid with "Invalid Request Received" noted in the title. These issues are scheduled to automatically close, and the label "account-deletion::invalid" will be applied. No action is required.
If all of the automated checks succeed, the user will receive a set of Verification Challenge questions in an auto-generated response. Users have a total of 7 calendar days to respond to the challenge questions.
At this stage, do the following:
FREE account, add the account-deletion::personal label to the issue. If the account is tied to a paid namespace with a signed contract in Salesforce (a corporate request), add the account-deletion::corporate label to the issue.
Awaiting::Challenge Answers label and wait for the user to reply with the answers to the questions. If they do not reply within 7 calendar days, proceed to No Response. If they do reply within 7 calendar days, proceed to Step 2: Evaluate.
If the user fails to respond within 7 calendar days, apply the Account Verification Failed and Deletion Request:: Denied labels to the issue, and close it using the following snippet:
We have not heard back from you with responses to our verification challenge questions, which are required in order to verify your identity before we process your request. We will now close this request. If you still wish to proceed please feel free to submit a new request via our [Personal Data Request Form](https://support.gitlab.io/account-deletion/).
Evaluate the answers to the challenge questions that the user has provided using the Account Verification workflow with a data classification of RED along with the Risk Factor Worksheet (GitLab internal) for data and privacy requests to confirm if the verification passes or fails.
If the verification passes, proceed to Step 3: Create Meta Issue.
If the verification fails and the user is not the sole owner of the groups and projects in their account, proceed to Verification Failed.
If the verification fails and the user is the sole owner of the groups and projects on their account, proceed to Verification Failed (Sole Owner Exception).
If the user fails the challenge questions, apply the Account Verification Failed and Deletion Request:: Denied labels, and respond with the following snippet before closing the issue:
Unfortunately, the answers to our verification challenges have failed. As a result, we are unable to process your account deletion request. This issue will be closed.
If the user fails the challenge questions, but they are the sole owner of groups and projects, we can consider approval for an exception by working through the following:
Deletion Request::Exception Approved to the issue if approved).
Note: If a situation requires further review, and falls outside of the above criteria for a sole owner, please reach out to the #privacy-team_help Slack channel to discuss approving an exception with a Support Manager and the Privacy team.
If the user has logged in and/or updated their project and groups within the last year, respond with the following before closing the issue:
Unfortunately, the answers to our verification challenges have failed, and your account appears to have had recent activity within the last year. As a result, we are unable to process your account deletion request at this time. This issue will be closed, however you may try your request again at a later date.
Proceed with processing the request by doing the following:
TYPE_OF_REQUEST with the appropriate type of request.
Thank you for stepping through the process with us and verifying your account ownership. We have now started the process to fulfill your TYPE_OF_REQUEST request. Please note that it takes up to 30 days for the request to be processed as it's handled by different teams.
I will let you know once the deletion process is complete.
Create a new confidential issue in the Personal Account Requests Service Desk using one of the following templates, depending on the request type, and populate the issue title with the email address of the original request:
Follow the instructions at the top of the template, then complete each step in the issue that begins with Support Engineer: in order.
Use this workflow for requests to delete user data from the Portal (customers.gitlab.com).
Support Engineer: in order.
Use this workflow for requests to delete user data from Sales or Marketing systems.
Support Engineer: in order.
Users can request the following to obtain information about their data. Use this workflow for requests to access full details about what data we have on the user.
Use the following workflows based on the type of request submitted.
Account Verification Failed label to the issue:
We have not heard back from you, which is required in order to validate your email address before we process your request. We will now close this request. If you still wish to proceed please feel free to submit a new request via our [Personal Data Request Form](https://support.gitlab.io/account-deletion/).
Support Engineer: in order.
Use this workflow for general question submissions.