Dealer API

Appearance

User Data Deletion Compliance

This document is designed to help partners comply with the legal requirements of deleting user data from their systems when a user is deleted from our system. It provides detailed procedures on how to identify deletions through our API and ensure that all associated data is also removed from partner systems in accordance with privacy regulations.

Overview

When a user is deleted from our system, it triggers a legal and compliance requirement for partners to remove any related personal data from their databases. This guide offers a step-by-step method to detect such deletions and securely purge corresponding records.

Step-by-Step Compliance Process

Step 1: Authenticate and Access User Changes

  1. Obtain a Cognito Access Token:

Securing your API calls is crucial, and a valid authentication token is required to initiate any API requests. To obtain and implement an authentication token in your API calls efficiently, please follow the step-by-step instructions in our Authentication Guide.

  1. Set Up API Request: Use the following command to request user changes:
    bash
    curl -X GET "https://kitten-api.prod.ps.axelspringer.de/api/user/changes/{since}" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer <Your_Cognito_Token>"
    Replace {since} with the timestamp of your last query, formatted in milliseconds since the epoch. For example, to request changes since Jun 13 2024, use 1718229600000 (equivalent to 2024-06-13T00:00:00+02:00 in ISO 8601).

Step 2: Process the API Response

  • Sample API Response:

    json
    {
  "data": [
    {
      "csuId": "CSUID_12f4-28faa172c3b144bf9120ae5d1119bc52",
      "lastModified": "2024-06-13T03:30:00.000Z",
      "action": "delete"
    },
    {
      "csuId": "CSUID_43e2-d7db172bb6e744af8370de9f2346bd01",
      "lastModified": "2024-06-13T07:45:00.000Z",
      "action": "delete"
    }
  ],
  "meta": {
    "next": 1718236200000
  }
}

    This response indicates that the user associated with csuId CSUID_xyz-ad71e172b6d744bf8100se8d2891ac97 has been deleted from the system.

  • Identify Deletions: Iterate through the data array and check for entries with "action": "delete". Extract and log the csuId for each deleted user.

  • Using the meta.next Field: The meta.next field is critical for pagination. It provides the timestamp for the next page of results:

    • If meta.next is not null: This indicates that more data is available, and you should make another request using this timestamp as the new {since} parameter.
    • If meta.next is null: This means there are no more records to fetch, and you have reached the end of the data set.

  • Subsequent Requests: To continue fetching the rest of the data, use the value from meta.next in your subsequent request. Repeat this process until the meta.next value is null.

Step 3: Initiate Data Deletion in Partner Systems

  1. Delete User Data: For each identified csuId, remove all related data from your systems. This includes any personally identifiable information, account records, or transaction histories linked to that ID.

  2. Confirm Deletion: Implement confirmation checks to ensure that all data associated with the deleted csuId has been thoroughly removed.

  3. Record Deletion Actions: Keep a log of all deletion actions including the csuId, timestamp of deletion, and confirmation of data removal. This log will be essential for audits and compliance checks.

Step 4: Frequency of API Consumption

It is advised to consume the user changes feed at least on a daily basis. For optimal results, checking the API hourly is recommended to ensure timely detection and deletion of user data.

Step 5: Auditing and Compliance Verification

  • Routine Audits: Conduct regular audits of your deletion logs to verify compliance with data protection laws.

Best Practices for Data Deletion

  • Automation: Automate the detection and deletion processes to minimize human error and ensure timely compliance.
  • Security Measures: Use secure methods for data deletion to prevent unauthorized data recovery.
  • Documentation: Maintain comprehensive documentation of your data deletion policies and procedures for training and regulatory review.

Support

For additional guidance or support, please refer to our Developer Guides or contact our Support Team.