gdpr-compliance-issue-1256 by dn-scribe · Pull Request #1 · scribe-security/odoo

dn-scribe · 2025-10-29T11:04:19Z

Assessment of the project's compliance to GDPR User-Data-Deletion Requirement

Criterion	Status
Data deletion mechanism exists	❌ Not user-triggered
Deletion completeness/cascade	⚠️ Partial (DB only)
User-triggerable deletion	❌ Absent
Verifiability / audit	❌ Absent
Retention periods defined	❌ Absent
No irreversible backups/logs	⚠️ Unknown/Absent
Documentation (policies)	❌ Absent
Automated tests for deletion	⚠️ Partial (cron)

Compliance Level: ❌ Non-Compliant — no clear deletion process exists for user-request data erasure.

Implement a user-request deletion API/UI to trigger erasure of personal data on demand (e.g., DELETE /api/user/{id}).
Extend deletion cascade to related records (attachments, mail logs, caches, backups) or mark them for expiration.
Introduce retention-period configuration (e.g., in ir.config_parameter) and document default values.
Add audit logging for deletion events (who requested, when, what was removed).
Publish documentation on data retention and deletion procedures (GDPR.md or docs/PRIVACY.md).
Create automated tests to simulate a full data erasure flow and verify no residual personal data remains.

Report generated based on compliance/gdpr/requirements/standard_req__data_deletion.md analysis.

dn-scribe added 2 commits October 29, 2025 13:03

gdpr-compliance-issue-1256

4aca161

fix: Suggested Fix

c556cb3