On Thu, 2021-11-25 at 09:50 -0800, Kévin Martins wrote:
> If a user has not logged in for a certain time (for example 36 months
> for GDPR), schedule an email (X months before) to the user to warn
> him that his account will be deleted.
> Once this delay is over, anonymize the account.
Why anonymize the account? I don't see any use in keeping the obsolete
account record in Keycloak database, as it is not going to ever be
reused. Also from my understanding even the UUID associated to the
account may be considered personal data in some conditions (e.g. if you
have access to enough data elsewhere to match the UUID to its
non-anonymized owner).
I would use an external e-mailing service to run periodic campaigns to
try to reach owners of unused accounts with something more friendly
(and, more importantly, more trackable, and not as damaging for the
reputation of your own SMTP servers).
Then just before deletion in Keycloak lock and "archive" the account by
copying essential data to some other restricted database for
contractual or legal requirements. After all these requirements expire
you will have to remove the data from the archive database as well.
--
Julien Plissonneau Duquène