GDPR: Right to access, correct, and erase data
As per articles 15, 16, 17, and 19 of GDPR, users have the right to get a copy of their personal data you are processing, ask for rectifications if they are inaccurate, and ask you to delete their personal data.
With Auth0, you can access, edit, and delete user information:
You can view, edit, and delete user information at Dashboard > Users. Drill down to a user to view their info. The information you can change are:
|Field||How to edit|
|Click Edit. Set the new email.|
|Email verified||Click Edit at the Εmail field. Click the Set email as verified link.|
|Blocked||Not directly editable. Click Actions > Block User at the top right of this screen. To unblock click Actions > Unblock User.|
|Not directly editable. Click Actions > Change Email at the top right of this screen.|
|Password||Not directly editable. Click Actions > Change Password at the top right of this screen.|
To delete a user, drill down and click Actions > Delete User.
You can also retrieve, edit, and delete user information using our API.
First, pick an endpoint that matches your needs:
- Retrieve a user using the ID as search criteria
- Retrieve a user using the Email as search criteria
- Export all users to a file using a long running job
- Update a user. Note that not all fields are editable (see the next paragraph: Editable data). Keep in mind that:
- The properties of the new object will replace the old ones. The user_metadata and app_metadata fields are an exception to this rule. These properties are merged instead of being replaced, though the merge happens only on the first level.
- If you are updating email_verified, phone_verified, username, or password, you must set the connection parameter.
- If your are updating email or phone_number, you must set the connection and the client_id parameters.
- Delete a user based on the ID
In order to call any of the API's endpoints, you will need an valid Access Token. This token must have the required permissions per endpoint.
To learn more about these tokens and how you can generate one, see Access Tokens for the Management API.
Once you know which endpoint you want to access, and you have a valid Access Token, you are ready to send your request.
The following user information can be updated using the API:
The following user information are not editable:
You can search for users using the following:
- All the normalized user profile fields
- The profile information under the user_metadata object:
What else do I have to do?
You are responsible for ensuring customer is erased or data is updated in any other databases that Auth0 is not connected to.