Use the appropriate workflow on this page when a user requests one of the following (under GDPR Article 15, CCPA) through a Zendesk ticket or via form submission to our Account Deletion and Other Requests project. These requests must be filled within 30 days.
Account deletion and data access requests go through a few stages before they can be closed, and it can be difficult to keep track of what stage in the process each request is in at any given time. Consider creating an issue board within the account deletion project and use the
meta-issue labels to track the progress of each request. See this board for an example.
Users requesting deletion are required to confirm their intent to delete at the time of submission. After submission, the form entries are automatically checked and validated (such as the username, email address, and if the account is part of a paid namespace).
An issue in our Account Deletion and Other Requests project will be created for invalid requests, however all invalid requests will have
Invalid request received in the title of the issue, and are scheduled to automatically close. No action is required for these issues.
Examples of personal requests that you may receive (based on the request type) are below.
When a request is received through Zendesk as a ticket, do the following:
For account deletions, apply the Support::SaaS::Account Deletion Instructions - GitLab.com macro, and mark the ticket as solved.
For data access requests, apply the General::Personal Data Access Request Instructions macro, and mark the ticket as solved.
The only requests we need to take action on are:
When a user submits a personal request using the Personal Data Request form, an issue is automatically created in the Personal Account Requests Service Desk, meaning comments made on it will be emailed to the submitter.
Upon submission, the submitter will receive an autoresponder depending on the request and outcome of the initial validation. The autoresponse they receive will be in the initial description of the issue, along with a copy of the form entries that were submitted.
NOTE: Users have a total of 14 days to respond to the challenge questions. In order to keep track of the requests that are pending a response to the challenge questions, you can apply the
Awaiting::Challenge Answerslabel, if it does not already exist.
If verification fails or is otherwise not possible, apply the
Account Verification Failed label and respond with the following:
Unfortunately, the answers to our verification challenges have failed. As a result, we are unable to process your account deletion request. This issue will be closed.
gdpr-request issue tracker, create a new confidential issue using the delete_meta_issue template for account deletions, or the personal_data_request template for data access requests. Populate the title with the email address of the original requestor.
Link the original issue in the Related issue field.
Follow the instructions in the top of the template, then complete each step in the issue template that begins with
Support Engineer: in order.
An overview of this process is outlined in the chart below.
When checking the user account in admin, the user will be badged as a "Group Managed Account". Double check that the user is no longer a member of any group.
In these cases, we can delete the account so that a new user account can be created.
Support::SaaS::Group Managed Account Deletionmacro, which outlines the criteria and deletion.