This document contains instructions on how to process each type of Account Deletion or Data Access request. It is split into two stages; Submission Handling and Request Processing, to be followed in that order. Each request will go through the same flow from opening to completion that is outlined in the chart below. All requests must be fulfilled within 30 calendar days.
We are only able to process Account Deletion and Data Access requests if they are submitted through the official Personal Data Request form. If a request is received via any other method, we will close it and direct the user to open a request through the form.
When a user submits a request through the form, an issue is automatically created in the Personal Account Requests Service Desk, even for invalid requests. Comments made in the issue will be emailed to the user. You will communicate with the user through the issue on the progress of their request.
The purpose of this stage is to instruct you on how to close out invalid requests.
When a request is received through Zendesk as a support ticket, do one the following:
If the ticket is regarding an Account Deletion request, apply the Support::SaaS::Account Deletion Instructions - GitLab.com macro, and mark the ticket as solved.
If the ticket is regarding a Data Access request, apply the General::Personal Data Access Request Instructions macro, and mark the ticket as solved.
If the ticket is regarding a combination of both, use a variation of both macros above, and mark the ticket as solved.
If a request to the Personal Account Requests Service Desk is submitted directly via email, add the account-deletion::invalid label, add a comment to the issue with the snippet below, then close the issue.
Greetings,
It looks like you've emailed this request in to us directly. In order for us to best assist you please re-submit this request via our [Personal Data Request form](https://support.gitlab.io/account-deletion/). Doing so will allow us to process your request more quickly and efficiently. This request will now be closed. We eagerly await your resubmission. Thank you!
Regards,
NOTE: Requests sent in through the official form will include a copy of the form entries in the initial description of the issue.
If the request submitted is spam, apply the label Invalid Request::Spam, then close the issue.
If a user has submitted multiple requests via the form, apply the /duplicate quick action to the duplicate issues, and respond with the following before closing the duplicates:
Greetings,
It looks like you have submitted multiple requests for the same purpose.
I'm closing this issue in favour of #123, and we will continue processing your request on the other issue.
Regards,
Find the appropriate workflow below to process requests submitted to our Personal Account Requests Service Desk, based on their request type.
As a reminder, before processing a request you should make sure that you have already Streamlined Your Workflow to make requests easier to process.
The following are the types of requests that a user can file. Click the link for each to jump to the associated workflow for processing that request.
Currently, only GitLab.com Account Deletion or Full Deletion requests are auto-checked upon form submission.
This workflow applies to both GitLab.com Account Deletion and Full Deletion requests. When a request is submitted for either of these types, the following form entries are verified using built-in automated checks:
After submission, the automated checks will either fail or succeed.
You Should Know:
If any of the automated checks fail, the user will receive an auto-generated response detailing the reason we are unable to process their request. The issue created will be marked as invalid with "Invalid Request Received" noted in the title. These issues are scheduled to automatically close, and the label "account-deletion::invalid" will be applied. No action is required.
If all of the automated checks succeed, the user will receive a set of Verification Challenge questions in an auto-generated response. Users have a total of 7 calendar days to respond to the challenge questions.
At this stage, do the following:
FREE account, add the account-deletion::personal label to the issue. If the account is tied to a paid namespace with a signed contract in Salesforce (a corporate request), add the account-deletion::corporate label to the issue.Awaiting::Challenge Answers label and wait for the user to reply with the answers to the questions. If they do not reply within 7 calendar days, proceed to No Response. If they do reply within 7 calendar days, proceed to Step 2: Evaluate.If the user fails to respond within 7 calendar days, apply the Account Verification Failed and deletion request:: denied labels to the issue, and close it using the following snippet:
Greetings,
We have not heard back from you with responses to our verification challenge questions, which are required in order to verify your identity before we process your request. We will now close this request. If you still wish to proceed please feel free to submit a new request via our [Personal Data Request Form](https://support.gitlab.io/account-deletion/).
Regards,
If the user account is not blocked or banned, skip this section.
If the user is blocked due to a user deleting their own account (see the admin note on the account):
Greetings,
As an account deletion has been initiated, the account stays in a blocked state for 7 days until it is permanently deleted. New accounts with the same email address or username cannot be created during that time.
You will need to wait 7 days, starting the day of the deletion request, to create a new account with the same email address or username.
Regards,
For all other blocked or banned reasons:
Greetings,
The account which you have submitted a request for is blocked. We have submitted a request for our Security team to review. Once they have reviewed, we will provide you an update.
Regards,
If the account is unblocked or unbanned, let the user know, then follow the rest of the process as normal. If needed, include other information about the verification process in the next reply.
Greetings,
Our security team has unblocked the account. We are proceeding with the request.
Regards,
If the account stays blocked or banned, apply the Account Verification Failed and Deletion Request:: Denied labels to the issue, and close it with the following:
Greetings,
At this time, we cannot delete your account because your data must be retained in order for us to comply with our legal obligations, such as protecting against illegal or fraudulent activities; infringement of IP rights; distribution of harmful or offensive content; violations of the security or integrity of a computer or network.
Regards,
Evaluate the answers to the challenge questions that the user has provided using the Account Verification workflow with a data classification of RED along with the Risk Factor (GitLab internal) for data and privacy requests to confirm if the verification passes or fails.
If the verification passes, proceed to Step 3: Create Meta Issue.
If the verification fails and the user is not the sole owner of the groups and projects in their account, proceed to Verification Failed.
If the verification fails and the user is the sole owner of the groups and projects on their account, proceed to Verification Failed (Sole Owner Exception).
If the user fails the challenge questions, apply the Account Verification Failed and Deletion Request:: Denied labels, and respond with the following snippet before closing the issue:
Greetings,
Unfortunately, the answers to our verification challenges have failed. As a result, we are unable to process your account deletion request. This issue will be closed.
Regards,
If the user fails the challenge questions, but they are the sole owner of groups and projects, we can consider approval for an exception by working through the following:
Deletion Request::Exception Approved to the issue if approved).Note: If a situation requires further review, and falls outside of the above criteria for a sole owner, please reach out to the #privacy-team_help Slack channel to discuss approving an exception with a Support Manager and the Privacy team.
If the above conditions are not met, respond with the following before closing the issue:
Greetings,
Unfortunately, the answers to our verification challenges have failed, and your account appears to have had recent activity within the last year. As a result, we are unable to process your account deletion request at this time. This issue will be closed, however you may try your request again at a later date.
Regards,
Proceed with processing the request by doing the following:
TYPE_OF_REQUEST with the appropriate type of request.Greetings,
Thank you for stepping through the process with us and verifying your account ownership. We have now started the process to fulfill your TYPE_OF_REQUEST request. Please note that it takes up to 30 days for the request to be processed as it's handled by different teams.
I will let you know once the deletion process is complete.
Regards,
Create a new confidential issue in the Personal Account Requests Service Desk using one of the following templates, depending on the request type, and populate the issue title with the email address of the original request:
Deletion Meta Issue - Full for Full Deletion requests.
Deletion Meta Issue - GitLab-com for GitLab.com Account Deletion requests.
Follow the instructions in the top of the template, then complete each step in the issue that begins with Support Engineer: in order.
Use this workflow for requests to delete user data from the Portal (customers.gitlab.com).
Support Engineer: in order.Use this workflow for requests to delete user data from Sales or Marketing systems.
Support Engineer: in order.Users can request the following to obtain information about their data. Use this workflow for requests to access full details about what data we have on the user.
Use the following workflows based on the type of request submitted.
Account Verification Failed label to the issue:Greetings,
We have not heard back from you, which is required in order to validate your email address before we process your request. We will now close this request. If you still wish to proceed please feel free to submit a new request via our [Personal Data Request Form](https://support.gitlab.io/account-deletion/).
Regards,
data-access-request::denied label to the issue:Greetings,
You've opened a Data Access Request which is used specifically to obtain a copy of any personally identifiable information GitLab holds on you. In the course of filing this request, you've asked for data beyond the scope of what can be provided. Usage and other out-of-scope account data can be obtained by logging into your GitLab.com account and cannot be provided through a Data Access Request. If you have specific questions about this kind of data, please review your options for support at https://about.gitlab.com/support. Regarding this request, we can: - continue the process and provide a report of all in-scope personally identifiable information. - close this request with no further action Please let us know how you would like to proceed.
Regards,
Support Engineer: in order.Use this workflow for general question submissions.