I have been doing some testing on my localhost regarding the manual and bulk user deletion process and I would to know if it’s really necessary to have the Data Request/Deletion enabled, in order to correctly removed their data?
When deleting a user account either by manual or bulk, the email is hashed and the usernames altered, with the record flagged as deleted, therefore their profile isn’t available anymore on the user interface.
Some user data like course enrolments, groups, grades are deleted, but the user name on forum posts isn’t anonymised (this has been also mentioned on an older post here with a tracker issue created). Other activity data isn’t deleted like scorms, quiz attempts, assignments, badges… so, these would need to be implemented on the deleting process?
So those policies were created in order to make moodle GDPR compliant but if we don’t enable them, there isn’t an advantaged or more correct process for this?
But if I enable the GDPR policies then I have to be careful with the data retention periods or so because then the accounts wouldn’t be removed if the contexts haven’t expired, right? Eg. Courses, activities… although we can delete them, then they appear under data requests and if I click on approve I don’t notice any difference on the database…