I think it is important to list the user data that SonarQube handles per account (you can check the SonarQube’s database schema “User” table):
- Email Address
- Last connection date
- Creation date
And as per GDPR “If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.”. I am sure you are perfectly aware of this - I just want to make sure we are on the same page before discussing the issue.
Now, having this in mind, SonarQube offers the possibility to deactivate a user account either via the Web API or the UI. When deactivating a user, its Email Address is erased from the database. Still, the name and login are kept on the record, which is technically needed today in order not to compromise the database integrity.
Since we cannot offer SQL queries to remove this record from the database, I would suggest exploring the data obfuscation method so that the user cannot be identifiable and therefore the “Personal Data” notion of GDPR is not triggered - which should allow you to be GDPR compliant (double check with your legal advice). For this, you can use the POST api/users/update endpoint and obfuscate both the login and name of the user record before proceeding to its deactivation.
Please note that there is also a ticket on our side (SONAR-7243) as we plan to allow administrators to fully delete a user record with all its data in the future. You can vote/follow on this ticket if the obfuscation approach does not satisfy your needs.