GDPR - Forget User API Queries

We are trying to make API calls to “forget” users as part of GDPR compliance. We understood that in order to delete a user account, there are several calls involved:

  1. Delete user:
    https://developer.atlassian.com/cloud/jira/platform/rest/v3/?utm_source=%2Fcloud%2Fjira%2Fplatform%2Frest%2F&utm_medium=302#api-rest-api-3-user-delete
    To request deletion of the user
  2. In order to call the above, we need an AccountID, to get this we need to call get-user:
    https://developer.atlassian.com/cloud/jira/platform/rest/v3/?utm_source=%2Fcloud%2Fjira%2Fplatform%2Frest%2F&utm_medium=302#api-rest-api-3-user-get
  3. To make call number 2, we need a `"Bearer": "<access_token>"` and we are unable to find the part of the documentation that will help us get this.
    Can someone please help? To summarize, help me understand how to get a bearer token.

See: User impersonation for Connect apps

The bearer token is only available for apps. The delete-user piece is not available for apps… :frowning:

If you’re just interacting with the Jira API, you’re just removing the user from Jira - not from Atlassian ID, which is where all of the personal data is located. I don’t think that it’s programmatically possible to trigger the forget-me process. @akassab might have more info though…

From a GDPR point of view, forgetting a user is initiated by the user who wants to be forgotten. To kick off the process, the user has to log into their Atlassian account and delete it. There is a 14-day grace period where the user can reverse their decision. After the grace period, any apps storing PD for the user will receive a “closed” status in the response to their privacy reporting. This is the signal that the apps must use to erase the user’s personal data. At this point, your app is responsible for erasing personal data pertaining to the account. There is, however, no need to call delete user, since that will be taken care of by the product.
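The erase-on-“closed” step described in this reply, as an added example (not Atlassian’s code and not from the original post): the app reports the accountIds it stores, then strips personal data for any account whose status comes back “closed”. The request/response shapes, the `PD_FIELDS` list and the sample records are assumptions made for the example.

```python
import json

# Keys the app treats as personal data (PD). Assumed for this example.
PD_FIELDS = ("displayName", "email", "avatarUrl")

def sample_store() -> dict:
    """Constructed sample of what an app might store per Atlassian accountId."""
    return {
        "acct-closed-1": {"displayName": "Ada", "email": "ada@example.com",
                          "updatedAt": "2024-01-02T10:00:00Z", "issueCount": 3},
        "acct-active-1": {"displayName": "Bob", "email": "bob@example.com",
                          "updatedAt": "2024-01-03T10:00:00Z", "issueCount": 1},
    }

# Constructed privacy-reporting response; the {"accounts": [{"accountId",
# "status"}]} shape is an assumption about the reporting API.
SAMPLE_RESPONSE = json.dumps({"accounts": [
    {"accountId": "acct-closed-1", "status": "closed"},
    {"accountId": "acct-active-1", "status": "updated"},
]})

def build_report_request(store: dict) -> dict:
    """Body the app reports: every stored accountId with its updatedAt (assumed shape)."""
    return {"accounts": [{"accountId": aid, "updatedAt": rec["updatedAt"]}
                         for aid, rec in store.items()]}

def parse_report(response_body: str) -> dict:
    """Map accountId -> status from the reporting response."""
    data = json.loads(response_body)
    return {a["accountId"]: a["status"] for a in data.get("accounts", [])}

def erase_pd(record: dict) -> dict:
    """Drop PD keys but keep non-PD bookkeeping so internal references don't dangle."""
    return {k: v for k, v in record.items() if k not in PD_FIELDS}

def process_report(response_body: str, store: dict) -> list:
    """Erase PD for every account reported "closed"; return the erased ids.
    Idempotent: a second pass over the same report erases nothing new."""
    erased = []
    for account_id, status in parse_report(response_body).items():
        if status != "closed":
            continue  # "updated" means the account still exists; keep its data
        record = store.get(account_id)
        if record is None or not any(k in record for k in PD_FIELDS):
            continue  # unknown account, or PD already erased earlier
        store[account_id] = erase_pd(record)
        erased.append(account_id)
    return erased

if __name__ == "__main__":
    store = sample_store()
    print("report:", json.dumps(build_report_request(store)))
    print("erased:", process_report(SAMPLE_RESPONSE, store))
    print("remaining:", store)
```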
