Commit f06822e5 authored by Lee Matos 🗽

Merge branch 'gdpr-revamp' into 'master'

Simplifies GDPR workflows

See merge request !41183
parents 6acc8853 aa306784
Pipeline #122589324 passed with stages in 11 minutes and 43 seconds
......@@ -12,103 +12,30 @@ category: Legal
## Overview
Use a workflow on this page when a user requests the deletion of their GitLab.com account either through a Zendesk ticket or via an email to `gdpr-request@gitlab.com`.
Use the appropriate workflow on this page when a user requests the deletion of their GitLab.com account either through a Zendesk ticket or via an email to `gdpr-request@gitlab.com` (which forwards to the [GDPR Request Service Desk](https://gitlab.com/gitlab-com/gdpr-request/issues/service_desk)). **These requests must be filled within 30 days.**
## Workflows
### Requests received through Zendesk
>**Note:** This workflow only applies if the user **has not** accepted the revised terms of service. If they have accepted it, they have access to GitLab.com and can delete their account and retrieve their data themselves.
When a request is received through Zendesk as a ticket, do the following:
If a request is received through Zendesk as a ticket:
1. Apply the [**GitLab.com::GDPR Deletion - GitLab.com**](https://gitlab.zendesk.com/agent/admin/macros/360027176693) macro and mark the ticket as solved.
1. Apply the **"Account::GDPR Deletion - GitLab.com"** Macro
This will simply advise the user to email `gdpr-request@gitlab.com` in order to have their request processed.
This macro will simply advise the user as follows and close the ticket:
The request will then be serviced when received in the [GDPR Request Service Desk](https://gitlab.com/gitlab-com/gdpr-request/issues/service_desk) (process detailed below).
```
Hi,
### Requests received through the GDPR Request Service Desk (`gdpr-request@gitlab.com`)
We understand that you want to completely remove your GitLab.com account.
When a user emails `gdpr-request@gitlab.com` an issue is automatically created in the [gdpr-request issue tracker](https://gitlab.com/gitlab-com/gdpr-request/issues) via the [Service Desk](https://docs.gitlab.com/ee/user/project/service_desk.html) feature, meaning comments made on the issue will be emailed to the submitter.
Due to the complexity of servicing these requests, we're asking our users to please email `gdpr-request@gitlab.com`.
When a request is received in this manner, do the following:
Please ensure that you:
- send the email from the address associated with your GitLab.com account
- include the GitLab username you'd like removed
Please note that:
- in many circumstances, we will not be able to provide a full export of associated repositories
- any groups that you're a sole owner in will be deleted, along with any projects contained therein
Once you've submitted your request, we'll have the various teams remove your associated data and send you final confirmation when deletion is complete.
Please also note, that if you have accepted the updated ToS we will **not** take action on this request and redirect you to https://gitlab.com/profile/account.
From there, you can delete your account and associated data yourself.
Thanks for your understanding.
```
### Requests received through `gdpr-request@gitlab.com`
>Note: The following snippet is for reference **only**. Prefer the [issue template in the gdpr-request tracker](https://gitlab.com/gitlab-com/gdpr-request/blob/master/.gitlab/issue_templates/deletion-meta-issue.md).
When creating the issue, please make sure to include the regional [Data Protection Officer](/security/#data-protection-officers) for visibility.
```
## Related issue: ___
1. [ ] Support Agent: Impersonate the user to verify the user has **not** accepted the GDPR terms or `TermAgreement.find_by(user_id: User.find_by!(username:'<username>'))`. (If they have accepted: stop and advise them how to delete their account themselves)
1. [ ] Support Agent: Verify that the `username` is associated with the originating email on GitLab.com
1. [ ] Support Agent: Create a new *confidential* issue in the `gdpr-request` issue tracker with the originating email address as the title.
- [ ] Copy the contents of this workflow into it.
- [ ] Link the original issue in the **Related issue** field above
- [ ] Respond to the original issue with a note indicating that it has been received.
1. [ ] Support Agent: Check in SFDC for any records related to this email address and have the account owner remove them. If there are none, remove ~SFDC-removal
- [ ] Support Agent: Once you've contacted the account owner, add them as an assignee in this issue
- [ ] Account owner: remove all records in SFDC pertaining to this account, when finished, remove the ~SFDC-removal tag
1. [ ] JJ: Ensure that this email address is removed from all mailing lists and deleted from the database completely. Remove the ~email-list-removal tag.
1. [ ] Support Agent: Tag a ZD admin to ensure that this email address (and associated tickets) are removed from ZenDesk
- [ ] ZD Admin: delete all user data in ZD and remove ~ZD-removal
1. [ ] Support Agent: If the submitter has requested their data, discuss this with your manager before proceeding
- [ ] Create an ~"SE Escalation" to initiate an export and wait for it to be completed before proceeding
1. [ ] Support Agent: Delete any groups that are blocking the deletion
1. [ ] Support Agent: Delete the user and remove the ~GitLab-removal tag
1. [ ] Support Agent: If all steps above have been completed, notify the user their request has been completed by commenting on the original issue and closing both this issue and the original.
/label ~meta-issue ~email-list-removal ~SFDC-removal ~ZD-removal ~GitLab-removal
/assign @darawarde me
/confidential
```
#### Response template for incoming requests
```
Greetings,
We have received your request for account deletion. We're working on removing any personally identifiable information on GitLab.com and associated systems. You'll receive an additional notice once this process is complete.
Thanks for your understanding,
<Person who owns the request>
```
#### Response template for successfully deleted accounts
```
Greetings,
As requested, your GitLab.com account has been deleted and all personally identifiable information related to your account had been removed.
Please do note that while your personal data has been removed from all production systems, it may persist in backup copies until they expire. GitLab.com backups expire every 2 weeks.
As allowed by the GDPR, we'll also maintain a copy of your original account deletion request sent to `gdpr-request@gitlab.com` and this message as a record of our compliance.
Regards,
<Person who owns the request>
```
__________________
1. Create a new confidential issue in the `gdpr-request` issue tracker using the [`deletion_meta_issue` template](https://gitlab.com/gitlab-com/gdpr-request/issues/new?issuable_template=deletion_meta_issue) (click the link to create one) and populate the title with the email address of the original requestor.
1. Link the original issue in the **Related issue** field.
1. Complete each step in the issue template that begins with `Support Engineer:`.
---
**Macros**
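Review bot: the new three-step list for Service Desk requests says to "Complete each step in the issue template that begins with `Support Engineer:`", but every step in the reference checklist on this page is labelled `Support Agent:` (with `JJ:`, `Account owner:` and `ZD Admin:` for the others), so an agent following the handbook literally finds no matching steps; align the prefix with whatever the tracker template actually uses, and since the reference snippet is marked "for reference only", consider keeping a one-line precondition in the handbook itself that the requester's email must be verified against the account and ToS acceptance checked before the deletion path starts. Two smaller points: the template link uses `issuable_template=deletion_meta_issue` while the note above references `deletion-meta-issue.md` (underscores vs hyphens; only one can match the file in `.gitlab/issue_templates/`), and the Zendesk macro is named `GitLab.com::GDPR Deletion - GitLab.com` in the link text but `Account::GDPR Deletion - GitLab.com` in the adjacent line, so pick the name that exists in Zendesk.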
......@@ -12,192 +12,44 @@ category: Legal
## Overview
Use this workflow when a user is requesting information under GDPR Article 15 either through a Zendesk ticket or the `gdpr-request` issue tracker. **These requests must be filled within 30 days.**
Use the appropriate workflow on this page when a user is requesting information under GDPR Article 15 either through a Zendesk ticket or via an email to `gdpr-request@gitlab.com` (which forwards to the [GDPR Request Service Desk](https://gitlab.com/gitlab-com/gdpr-request/issues/service_desk)). **These requests must be filled within 30 days.**
The request may look something like:
---
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were stored.
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
- In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
- Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were stored.
- Please provide me with a copy of, or access to, my personal data that you have or are processing.
1. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
1. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
1. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.
1. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.
1. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
---
## Workflows
### Requests received through Zendesk
If a request is received through Zendesk as a ticket:
1. Apply the **"Account::GDPR Article 15 - GitLab.com"** Macro
This macro will simply advise the user as follows and close the ticket:
```
Hi,
We understand that you want some information about the personal data GitLab has about you per Article 15 of the GDPR.
Due to the complexity of servicing these requests, we're asking our users to please email `gdpr-request@gitlab.com`.
Please ensure that you:
- send the email from the address associated with your GitLab.com account (if you have one)
- include the GitLab username if applicable
Once you've submitted your request, we'll have the various teams review our systems for your personal data and send you final confirmation after this process is complete.
Thanks for your understanding,
```
### Requests received through `gdpr-request@gitlab.com`
If a request was submitted to `gdpr-request@gitlab.com` it will show up as an open issue in the `gdpr-request` issue tracker.
1. Create a new issue in the `gdpr-request` issue tracker using the `GDPR-Section-15-Request` template and populate the title with the email address of the requestor.
2. Work through the checklist provided by the template and, when directed to, respond to the original issue with the [Request received response](/handbook/support/workflows/gdpr_article-15.html#request-received-response) and [Request completed response](/handbook/support/workflows/gdpr_article-15.html#request-completed-response) templates.
>Note: The following snippet is for reference **only**. Prefer the [issue template in the gdpr-request tracker](https://gitlab.com/gitlab-com/gdpr-request/blob/master/.gitlab/issue_templates/GDPR-Section-15-Request.md)
When creating the issue, please make sure to include the regional [Data Protection Officer](/security/#data-protection-officers) for visibi
lity.
```
## Related issue: ___
1. [ ] Agent: Identify if the requestor has an account on GitLab.com
1. [ ] Agent: Verify that the `username` is associated with the originating email on GitLab.com
1. [ ] Agent: Create a new *confidential* issue in the `gdpr-request` using the GDPR-Section-15 template
- [ ] Link the original issue in the **Related issue** field above
- [ ] Respond to the original issue with a note indicating that it has been received.
1. [ ] Agent: Check in SFDC for any records related to this email address
- [ ] Agent: If they are listed as a prospect, contact the owner to see if they can give any context for how this user was put into SFDC
- [ ] Agent: If they are listed a customer (or former customer), note that below.
- [ ] Agent: If they have a billing address, company name or phone number note that below.
1. [ ] Agent: Check to see if they have a user account in ZD, check the box below if they do.
1. [ ] Agent: Check to see if they have an account on customers.gitlab.com, check the box below if they do.
- [ ] See if they have a billing address or organization name listed and note it below.
1. [ ] JJ: Check in Marketo to see if they exist, check the box below if they do
1. [ ] JJ: Check in MailChimp to see if they exist, check the box below if they do
1. [ ] Services Agent: If all steps above have been completed, notify the user using the template in the GDPR Article 15 Workflow by commenting on the original issue and closing both this issue and the original.
## Relationship with GitLab:
- [ ] GitLab.com User
- [ ] Newsletter subscriber
- [ ] Prospect
- [ ] Did a trial of GitLab.com or Self-managed
- [ ] Provided information in person at a marketing event
- [ ] Other???
## Data we have
- [x] Name
- [x] Email
- [x] IP address
- [ ] Social identities (if provided on GitLab.com profile)
- [ ] Location (if provided on GitLab.com profile)
- [ ] Billing address
- [ ] Company / Organization Name
- [ ] Phone number
## Places where their data exists
- [ ] GitLab.com
- [ ] customers.gitlab.com
- [ ] Zuora (if they have a subscription)
- [ ] SFDC
- [ ] ZD
- [ ] MailChimp
- [ ] Marketo
- [ ] Outreach
/label ~meta-issue
/assign @darawarde me
/confidential
/due in 3 weeks
```
#### Request received response
```
Greetings,
We have received your Article 15 GDPR request. We're working on identifying any personally identifiable information on GitLab.com and associated systems.
You'll receive an additional notice once this process is complete.
Thanks for your understanding,
<Person who owns the request>
```
#### Request completed response
```
Per your request under Article 15 of the GDPR please review the following:
1. Your personal data is being processed as a result of your having ______ (signed up for our newsletter || signed up for a GitLab.com account || attended a webinar). You provided to us the following personal data:
- Name
- Email
- IP address
- Social identities
- Location
- Billing Address
- Company / Organization Name
- Phone number
GitLab.com data may be stored in GCP, Azure or AWS clouds, all in US regions. All data on GitLab.com that is stored is accessible to you through https://gitlab.com/profile and https://gitlab.com/profile/active_sessions.
If you were a GitLab customer, you can access your customer data at https://customers.gitlab.com/customers/edit
2. We use your data to:
- verify account ownership in the event that credentials are lost or forgotten
- send email updates (if you have opted in)
- generate invoices and bill you (if you are a customer)
When a request is received through Zendesk as a ticket, do the following:
3. We have not shared your personal data with any 3rd parties. However, we do use 3rd party companies to process personal data as a part of normal company operations. As such, we have (or may have) used the following 3rd parties to process your personal data:
- Zendesk (in the event you have created a support request, either by email or through the support portal at https://support.gitlab.com)
- Marketo (in the event that you requested to be on our email list, either by opting in at account signup or through our website https://about.gitlab.com)
- MailChimp (in the event that you requested to be on our email list, either by opting in at account signup or through our website https://about.gitlab.com)
- Zuora (in the event that you are a GitLab.com or GitLab Self-managed customer and provided billing information)
- Mailgun (we use this service to send outgoing emails from GitLab.com such as account confirmation emails, password resets and other notifications)
- Salesforce (in the event that you are a GitLab.com or GitLab Self-managed customer, or provided your personal information in a demonstration or trial)
- license.app (in the event that you are a GitLab.com or GitLab Self-managed customer, or provided your personal information in a demonstration or trial)
- Outreach (in the event that you are a GitLab.com or GitLab Self-managed customer, or provided your personal information in a demonstration or trial)
- Drift (in the event that you have ever reached out to us via webchat)
- Cookiebot (in the event that you have accepted cookies from GitLab)
1. Apply the [**Account::GDPR Article 15 - GitLab.com**](https://gitlab.zendesk.com/agent/admin/macros/360027176693) macro and mark the ticket as solved.
4. We have not collected any personal data about you from any source other than yourself.
This macro will simply advise the user as follows and close the ticket:This will simply advise the user to email `gdpr-request@gitlab.com` in order to have their request processed.
5. We don't make any automated decisions about you based on your personal information.
The request will then be serviced when received in the [GDPR Request Service Desk](https://gitlab.com/gitlab-com/gdpr-request/issues/service_desk) (process detailed below).
6. As of the time of writing we have not positively identified any cases in which we inadvertently disclosed any of your personal data, whether by volition or as a result of a security or privacy breach.
### Requests received through the GDPR Request Service Desk (`gdpr-request@gitlab.com`)
If you have any additional queries, please contact gdpr-request@gitlab.com
When a user emails `gdpr-request@gitlab.com` an issue is automatically created in the [gdpr-request issue tracker](https://gitlab.com/gitlab-com/gdpr-request/issues) via the [Service Desk](https://docs.gitlab.com/ee/user/project/service_desk.html) feature, meaning comments made on the issue will be emailed to the submitter.
Thank you,
When a request is received in this manner, do the following:
<name>
1. Create a new confidential issue in the `gdpr-request` issue tracker using the [`gdpr_section_15_request` template](https://gitlab.com/gitlab-com/gdpr-request/issues/new?issuable_template=gdpr_section_15_request) (click the link to create one) and populate the title with the email address of the original requestor.
1. Link the original issue in the **Related issue** field.
1. Complete each step in the issue template that begins with `Support Engineer:`.
```
---
**Macros**
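Review bot: the `Account::GDPR Article 15 - GitLab.com` macro link points at macro id `360027176693`, which is the same id the deletion page uses for the `GDPR Deletion - GitLab.com` macro; one of the two links targets the wrong macro and should be corrected, since applying a deletion macro to an access request (or vice versa) sends the requester the wrong instructions. As on the deletion page, the new step "Complete each step in the issue template that begins with `Support Engineer:`" does not match the labels in the reference checklist here (`Agent:`, `JJ:`, `Services Agent:`), and the template link `issuable_template=gdpr_section_15_request` differs from the `GDPR-Section-15-Request.md` filename cited in the note (case and separators), so confirm both against the tracker. Also, the Zendesk paragraph now reads "...and close the ticket:This will simply advise the user..." with two sentences run together; keep one of them.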