Skip to main content

Personal data

Personal data

Overview

The user profile will contain personal data. This means it must be properly processed by clients.

GDPR data subject rights

The User Profile API cannot fulfill all data subject rights in its own. However, it is designed to make it easier to comply with them.

The right to be forgotten is supported for

  • individual systems by erasing the system user profile, or
  • all systems by erasing the base profile.

The right to rectification is supported in

  • individual systems by updating the system user profile, or
  • all systems by updating the base profile.

The rights related to limiting processing must primarily be handled in the user management system that handles user consent. The User Profile Service will only see information that has been:

  • Sent as part of federated attributes, for which a consent should have been given.
  • Added willingly to the system user profile by the user itself.

The right to be informed cannot be fulfilled by the API as it cannot produce a meaningful access log without knowing the purpose and full context in which the data is requested. Clients should use the data classification in the profile to create meaningful access logs.