The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
I'm clear on that but would suspect this is more for a customer -> service provider relationship as opposed to an employee -> employer relationship. I would expect an employer has the right to keep records on their employment history. Note that I'm just curious as I've never heard anyone applying GDPR regs to employees. I did find this though, so it does seem it covers it to some extent, though the details are beyond me: https://www.taylorwessing.com/globaldatahub/article-changes-to-employee-data-management-under-the-gdpr.html
There's the line that employees as data subjects have "the right to be forgotten under certain circumstances" which is quite vague.
Though even in this case, first, it's really just a name and probably a company email address, and second, there is always the option to delete an account if requested, so I'm not sure I would agree that it would be necessary for GDPR compliance, but agree it would be nice to have just as a matter of good housekeeping. Again, a disclaimer: I'm not at all involved in the decisions around this but am just interested.
We have an actual case where we are going to integrate Dynatrace with a company's AD using SAMLv2. In this case, the company asked us
a) Why Dynatrace needs to keep a local copy of the user at all
b) If there is a possibility of autodeleting a user.
So their thought process is as follows. Employee Alice quits the company. Her user account in the company will follow the normal process and be removed from the AD in due time. However, the user in Dynatrace will not. And according to them this is not in line with GDPR.
Don't know about SaaS, but you can delete users and groups (also create them) using the REST API in Dynatrace Managed. I'm pretty sure Dynatrace has a similar API for SaaS, but it's probably not public.
Typically enterprise customers do have an IAM tool, which handles such cases and creates/deletes users in applications. When someone quits a company, the IAM tool is in charge of deactivating and deleting accounts.
I've never seen a tool which would "autodelete" users if they cannot be found anymore in AD/LDAP.
This question becomes very critical, and it is important to enable some sort of functionality for all tools in order to comply with GDPR regulations when it comes to removal of user accounts. A local copy of a user containing a mail address is, as far as I can understand, personal data. Especially when the mail address is directly linked with the name and a user ident, which they are, more often than not. As Tarjei mentions, the user also has the right to removal of their personal data.
We do have service providers as customers, which makes it necessary to be able to automatically remove users from the various Dynatrace tools. I think Tarjei is asking for "last login" in order to be able to identify which users are inactive and thus should be removed. This grouping of users, I imagine, could be a possible methodology for group-deleting users that aren't active.
Obviously this would in some scenarios bring up another important functionality regarding re-enablement of users deleted, that needs handling... Again, without being in breach of GDPR regulations.
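Added example, not code from Dynatrace or from anyone in this thread: a reconciliation step that flags application accounts whose identity no longer exists in the directory (Alice's case above) or that have not logged in within a window, the two signals discussed here. It assumes the application can export user id, email and last login; the sample data is constructed, and the actual deletion call through the product's API is not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: the currently active accounts exported from AD
# (the SAML IdP) and the application's local copy of its users.
DIRECTORY_ACTIVE_EMAILS = {"bob@example.com", "carol@example.com", "dave@example.com"}
APP_USERS = [
    # (application user id, email, last login or None if never logged in)
    ("u1", "Alice@Example.com", datetime(2018, 5, 20, tzinfo=timezone.utc)),  # quit
    ("u2", "bob@example.com", datetime(2018, 5, 20, tzinfo=timezone.utc)),
    ("u3", "carol@example.com", datetime(2017, 9, 3, tzinfo=timezone.utc)),
    ("u4", "dave@example.com", None),  # provisioned, but never logged in
]
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Candidate:
    user_id: str
    email: str
    reason: str


def deprovision_candidates(app_users, directory_emails, now, inactive_days=90):
    """Return the application accounts that should be removed, with a reason.

    A missing directory identity takes precedence over inactivity, so a
    recently active account of someone who has left is still flagged.
    Email matching is case-insensitive because directories and SAML
    assertions rarely agree on case. Never-logged-in accounts are inactive.
    """
    directory = {e.lower() for e in directory_emails}
    cutoff = now - timedelta(days=inactive_days)
    flagged = []
    for user_id, email, last_login in app_users:
        if email.lower() not in directory:
            flagged.append(Candidate(user_id, email, "not in directory"))
        elif last_login is None or last_login < cutoff:
            flagged.append(Candidate(user_id, email, "inactive"))
    return flagged


if __name__ == "__main__":
    for c in deprovision_candidates(APP_USERS, DIRECTORY_ACTIVE_EMAILS, NOW):
        print(f"{c.user_id} {c.email}: {c.reason}")
```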