How to delete all the participations and participant data for a specific email?
We have decided to stay as close as possible to the official names of the GDPR Policy.
Data deletion is under the rule called : Right to be forgotten
If we refer to the GDPR Documentation it requires to do a POST to a specific route.
POST {{gdprApi}}/v1/gdpr/rules/forgottenRight
Body interface
interface ProfilesDelete {
// static value
ruleType: 'GDPR_ForgottenRight';
clientId: number;
// ruleTypePayload contains a list of user Ids to be deleted
ruleTypePayload: {
profiles: number[];
};
// optional (default FALSE): boolean value to simulate a deletion. If test at true is provided, a full GDPR process will be launch but will not delete the profiles.
test: true;
// text is required for logging
justification: string;
// Qualifio' User ID of the Requester.
userId: number;
}
A developer will directly see that the API does not accept emails in the body but rather a numeric array of profiles
info
👉 profiles: number[];
Those profileIds are the exactly the participation IDS inside qualifio CRM ecosystem.
There is a way to retrieve those but we need to use another route called: searchProfiles
Instead of a thousand words here is a simple example:
- Search all profiles using specified email (here joao@qualifio.com for the test)
GET /v1/gdpr/profiles?clientId=2449&email=joao@qualifio.com HTTP/1.1
Host: api.qualif.io
x-api-token: *******TOKEN_FOR_ACCOUNT_2449*******
Accept: application/json
Result
[
{
"id": 78,
"firstName": "joao",
"lastName": "test1",
"function": "",
"gender": "",
"email": "joao@qualifio.com",
"birthDay": null,
"company": "",
"address": "129329",
"box": "",
"country": "",
"createdAt": "2021-10-13T17:17:29.990Z",
"updatedAt": "2021-12-14T11:03:18.123Z",
"language": "FR",
"ip": "91.183.156.86",
"fb_uid": "0",
"locality": "toto",
"login": "",
"number": "",
"phone": "",
"trigramme": "joao|test2|joao@qualifio.com",
"zipcode": "",
"isEmailValid": 0
},
{
"id": 79,
"firstName": "test",
"lastName": "test2",
"function": "",
"gender": "",
"email": "joao@qualifio.com",
"birthDay": null,
"company": "",
"address": "toto",
"box": "",
"country": "",
"createdAt": "2021-11-09T18:02:53.057Z",
"updatedAt": "2021-11-09T18:02:53.057Z",
"language": "FR",
"ip": "172.19.0.1",
"fb_uid": "0",
"locality": "joao",
"login": "",
"number": "",
"phone": "",
"trigramme": "test|test2|joao@qualifio.com",
"zipcode": "",
"isEmailValid": 0
},
{
"id": 85,
"firstName": "joao",
"lastName": "test3",
"function": "",
"gender": "",
"email": "joao@qualifio.com",
"birthDay": null,
"company": "",
"address": "oto",
"box": "",
"country": "",
"createdAt": "2021-12-08T11:58:05.570Z",
"updatedAt": "2021-12-08T11:58:05.570Z",
"language": "FR",
"ip": "109.136.26.142",
"fb_uid": "0",
"locality": "toto",
"login": "",
"number": "",
"phone": "",
"trigramme": "joao|test3|joao@qualifio.com",
"zipcode": "",
"isEmailValid": 0
}
]
We retrieved 3 participants using the same email.
info
❓ Why ? Because the participant used the same email but not always the same combinaison of “lastname”, “firstname” and “email”. At Qualifio the crmKey is based on that specific trigram.
- Delete those participants
To delete all the participant and participation data for the 3 participants we just retrieved we can finally use the forgottenRight route. We only need the id field (here: 78, 79 and 85).
HTTP call
POST /v1/gdpr/rules/forgottenRight?clientId=2449&direct=true HTTP/1.1
Host: api.qualif.io
x-api-token: *******TOKEN_FOR_ACCOUNT_2449*******
Accept: application/json
Content-Type: application/json
Content-Length: 183
{
"ruleType": "GDPR_ForgottenRight",
"clientId": 2449,
"ruleTypePayload": {
"profiles": [78, 79, 85]
},
"justification": "example justification text",
"userId": *******DPO_FOR_ACCOUNT_2449*******
}
Result
{
"ruleStatus": {
"status": "APPROVED",
"updatedAt": "2022-01-31T13:29:58.121Z",
"isAuto": true,
"acceptedBy": 0,
"acceptedAt": "2022-01-31T13:29:58.121Z"
},
"_id": "61f7e45694efba001186ebcd",
"ruleType": "GDPR_ForgottenRight",
"clientId": 2449,
"ruleTypePayload": {
"profiles": [],
"clientId": 2449,
"test": false
},
"justification": "example justification text",
"userId": ****,
"createdAt": "2022-01-31T13:29:58.121Z",
"updatedAt": "2022-01-31T13:29:58.121Z",
"__v": 0
}
info
⚠️ Note: "_id": "61f7e45694efba001186ebcd" it’s the id of the rule and is required at the step 3 to check the status
If the HTTP CODE: 200 OK, the system understood and will all the data related to those participants on all Qualifio systems. Note that the system is asynchronous and will complet its job as soon as possible.
info
⚠️ See that we specified “direct=true” as query parameter when creating the ForgottenRight rule. The direct true option allow the rule to be created and executed on the fly without an additional step of approval by the DPO.
- Check GDPR process status (optional)
As the system is asynchronous, you might be tempted to double check the result later to see if the process was fully successful. GDPR API provides the following route: get rule ById
GET /v1/gdpr/rules/61f7e45694efba001186ebcd?clientId=2449 HTTP/1.1
Host: api.qualif.io
x-api-token: *******TOKEN_FOR_ACCOUNT_2449*******
Result
{
"ruleStatus": {
"status": "FINISHED",
"updatedAt": "2022-01-31T13:30:00.938Z",
"isAuto": true,
"acceptedBy": 0,
"acceptedAt": "2022-01-31T13:29:58.121Z",
"finishedAt": "2022-01-31T13:30:00.938Z"
},
"_id": "61f7e45694efba001186ebcd",
"ruleType": "GDPR_ForgottenRight",
"clientId": 2449,
"ruleTypePayload": {
"profiles": [
{
"crmId": 78,
"crmKey": "anonymous@qualifio.com"
},
{
"crmId": 79,
"crmKey": "anonymous@qualifio.com"
},
{
"crmId": 85,
"crmKey": "anonymous@qualifio.com"
}
]
},
"justification": "example justification text",
"userId": ****,
"createdAt": "2022-01-31T13:29:58.121Z",
"updatedAt": "2022-01-31T13:29:58.121Z",
"__v": 0,
"user": {
"firstName": "Joao",
"lastName": "Pinto",
"email": "joao@qualifio.com",
"clientId": 2449
}
}
Status is defined under ruleStatus and status. Here we can see that the process is “FINISHED”