Enable easy deletion of the entire account by the user himself

What and who is affected by this issue/request?

  • Admins: Consideration and Installation / Implementation
  • Users: Using the feature

Where on the platform does it happen?

on the profile page

How do we replicate the issue?

Try do delete your account by yourself.

Expected behavior (i.e. solution)

I expect a single button that will immediately delete my account without any detours.

Example from Instagram:

Example from Facebook:
image

These are just two of many examples. Every online platform has this option to easily delete your account yourself. Why not us here?

Other Comments

At least from a GDPR perspective, a complete deletion of all personal and owned data must be easily possible. Probably a PM to the admin is enough from a legal perspective, but why so complicated? Why can’t users simply delete their account at the push of a button like they can on any other online platform?
Are there any particular reasons for making it as difficult as possible for the user as it is currently handled?
Do we want to prevent account deletion by any possible means? If yes, why?

There is a similiar plugin for make it easier, but not to do it by yourself:

There is already option to delete entire OSM account if I am right.

Providing option to delete just community.openstreetmap.org part of OSM account may be nice (as long as it does not enable block evasion etc) but is in no way required by GDPR.

AFAIK they can already do it with OSM account in its entirety. Not idea is it handled as expected by the forum.

Yes that is correct, however as far as I interpret the information correctly, this only deletes the account on the openstreetmap.org site and not here in Discourse. Or am I completely wrong?

In case it was misleading, I’m talking here in this post about deleting the account in Discourse, not on osm.org

According to Art.17 - EU-DSGVO - “Right to erasure”, every user within the EU has the right to have all their data deleted. (Link)

I am not a lawyer, but “[…] the right to obtain from the controller the erasure of personal data concerning him or her without undue delay […]” is already “required by GDPR” in my eyes. Or am I misinterpreting here again?

In addition, it also says “without undue delay” again in writing. The question is whether a court has already decided what “undue delay” means. In case of doubt, however, this requires the immediate deletion, which would not be legally effective by the detour via a DM.

That the GDPR also expects a simple way for a user to download all their data at once, I’ll leave out here.

This is repetitive now, but will my entire forum (Discourse) account be deleted, including all the data and information I have written, if I delete my account on openstreetmap.org? I just can’t find that specific point on this site. Please help me where it says that. If that’s the case, should that definitely be added there or not?

Screenshot:

I don’t know, but if there is an issue with that it’s much more likely to get actioned if you prove that there’s a problem (create new OSM account, test post to Discourse, delete new OSM account) than if no-one is sure whether there is a problem or not.

I just tried it with a new user. After deletion my Discourse account still exists, but it is temporarily on hold. That means I can’t post anything anymore, but my posts are still there.
2022-11-29 13_25_02-Window

Of course, the question is also why we do not distinguish between the forum and the map. Why do I always have to have my forum posts and my map posts deleted together? Why can’t this be done separately?

1 Like

I will use this as a post to check if it’s still there after I will delete my OSM account.

1 Like

This is a test.

I have already deleted my OSM account, but I can still post something here. This is funny.

1 Like

I have to correct myself. The first account was put “on hold” because I wrote something with “test”. The second account is not affected because I did not use a trigger word.

This account has just been deleted from openstreetmap.org. I made a change on the map, which also still exists. See Way: ‪Lindau‬ (‪1118057021‬) | OpenStreetMap

This post is also still here: Hello to all OSM contributors

I assume that deleting OSM account should delete also this part of OSM account.

As you can see here, I’m still able to answer you although I have deleted my OSM account.

that is normal

account is deleted, OSM edits are not deleted (and OSM can do this). In case of users breaking rules and adding GDPR-covered data to OSM database it can be hidden (DWG should be notified)

then either it is a bug or request made here should be fullfilled

Yes, it says so in the bullet points on the page where you delete the account. I had not taken this as unusual.

Once you log-off here you won’t be able to log-in again. AFAIK, there is no mechanism that informs the forum about deleted account, only the auth system that allows you to log-in or not.

/cc @TomH @Firefishy

2 Likes

keeping posts also can be fine (I am not a lawyer!)

So to sum up the whole issue:
It is not possible for a user to simply and immediately delete all their data here on the forum.

It is my right to have ALL my data deleted. This also includes my self-made postings here. To what extent this is a violation of the GDPR, I am not able to judge, since I am also not a lawyer, but my understanding tells me that this could already be one.

Yes, but if I never delete my cookies again, I can operate with a deleted account until forever.

that is untrue, for example there is no obligation to delete contributions to OSM or what is necessary to prevent abuse

And to be more forum-specific: GDPR covers only personal data, likely forum posting are not covered by it.

(also not a lawyer)

1 Like

But my username should be deleted / anonymized and all data attached to my account should be deleted. And someone should check all my forum postings if there is any personal information posted.

EDIT: Since none of us here is a data protection lawyer. Does the OSM(F) have a data protection officer who takes care of such things?

We’re also going in circles a bit here. Some people want to delete their account here, which only a handful of people can do here and for this reason there have already been “complaints”, at least in the German forum. Since the deactivation in this case took some time, this already passes " Without undue delay " from my point of view.

Here are the options I see at the moment:

  1. all moderators should be able to deactivate / delete users here in the forum to grant a faster response time.
  2. users should be able to delete / deactivate themselves.
  3. we should clarify at a higher instance, how exactly we are subject to the GDPR here. I think that would also be in the sense of OSMF, because in doubt threatens a lawsuit.

This is clearly an upstream issue with Discourse. I’d suggest commenting here: Add Account Deletion - feature - Discourse Meta

4 Likes