Hi Stefan,
I'm sorry that this is your experience. We do take this feedback seriously and we have spent a lot of time trying to improve many aspects of the process over the past 12 months since the initial release of the Privacy API and toolset in Moodle.
The Data Registry is a powerful and useful tool, but it can be time-intensive to set up. GDPR legislation requires that you identify the reason for storing data, as well as the lawful basis for doing so, and the intended retention period. This identification of purpose should be as accurate as possible and not applied blanket to all data.
The key difficulty we have faced is that Moodle has not historically kept information about when a users interaction with content ends. Initially we considered any course without and end-date to be in-progress, but we have updated this to allow administrators to determine if open-ended courses should be considered blocking or not.
The other difficulty that we have faced is that ensuring the accuracy of the expiry calculation is an expensive process. In order to determine whether a user has 'expired', we must look to see which courses they are involved in and the activities within those courses, and then whether the retention for any of those has been reached. Whilst a user has ongoing involvement in an activity or course, or still has data in an activity or course which has not expired we cannot remove that user. Therefore we need to calculate the expiry status of every activity, block, and course that a user has content in. As you can imagine this is not a simple task where a user has many interactions.
When a user is deleted we attempt to remove all data for that user. The exceptions for this are for data which has been marked as Protected in the data registry. The protected status should only be used for data which is stored under the legal basis of Public Task, or Legal Obligation - these are explicitly defined as cases where the right to erasure does not apply under GDPR.
Regarding items not being removed from forum this sounds like a bug. It could be one which has been fixed (MDL-63632), or it could be an as-yet unreported bug. It would be great if you can test this with the latest versions of Moodle and provide replication instructions - we can only fix bugs that we know about. When dealing with user deletions and the forum we are only able to remove the content itself, and no the shell that it was in. This is because removal of the post should not affect grades (i.e. via ratings), and should not cause the removal of replies to the original post (i.e. data belonging to another user). When a course or activity expires then all content in that activity is entirely removed.
In regards the deletion of Data Requests, we deliberately do not remove deletion requests. These are kept to serve as a paper trail that the deletion was actually processed and this is allowed under GDPR. It falls under the basis of Legal Obligation as the record is required to prove that you received, and acted upon the request in accordance with the legislation. Related to this we do not anonymise all data in the user record because it is required to identify the user that the request has been processed for.
As I'm sure you have experienced the GDPR legislation is far from simple. In addition to this some countries have their own addendums to the core legislation, and it is possible to interpret some parts of the legislation differently from person to person.
During our implementation of the Policy API and associated tools we we did seek legal advice from a lawyer specialising in GDPR and believe that our interpretation is correct based on the advice that we have received.
I hope that this clarifies the situation,
Andrew
