> Describes Auth0 features that help you comply with the GDPR requirements on the user's right to access, correct, and erase their personal data.

# GDPR: Right to Access, Correct, and Erase Data

Under Articles 15, 16, 17, and 19 of GDPR, users have the right to get a copy of their personal data you are processing, ask for rectification if it is inaccurate, and ask you to delete their personal data.

With Auth0, you can access, edit, and delete user information manually, using the Dashboard, or programmatically, using the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The contents of these documents are not intended to be legal advice, nor should they be considered a substitute for legal assistance. The final responsibility for understanding and complying with GDPR resides with you, though Auth0 will assist you in meeting GDPR requirements where possible.
</Callout>

## Manual process

You can view, edit, and delete user information at [Auth0 Dashboard > User Management > Users](https://manage.auth0.com/#/users). Drill down to a user to view their information. The information you can change is:

| Field              | How to edit                                                                                                                                             |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Email**          | Click **Edit**. Set the new email.                                                                                                                      |
| **Email verified** | Click **Edit** at the **Email** field. Click the **Set email as verified** link.                                                                        |
| **Metadata**       | Both the `app_metadata` and the `user_metadata` objects are editable from this screen. Edit the JSON at the **Metadata** section and save your changes. |
| **Blocked**        | Not directly editable. Click **Actions > Block User** at the top right of this screen. To unblock click **Actions > Unblock User**.                     |
| **Email**          | Not directly editable. Click **Actions > Change Email** at the top right of this screen.                                                                |
| **Password**       | Not directly editable. Click **Actions > Change Password** at the top right of this screen.                                                             |

To delete a user, click **Actions > Delete User**.

## Programmatic process

You can retrieve, edit, and delete user information using our API. Choose an endpoint that matches your needs:

* Retrieve a user using the ID as search criteria
* Retrieve a user using the Email as search criteria
* Export all users to a file using a long running job
* Update a user. Note that not all fields are editable (see the next section). Keep in mind that:

  * The properties of the new object will replace the old ones. The `user_metadata` and `app_metadata` fields are an exception to this rule. These properties are merged instead of being replaced, though the merge happens only on the first level.
  * If you are updating `email_verified`, `phone_verified`, `username`, or `password`, you must set the `connection` parameter.
  * If you are updating `email` or `phone_number`, you must set the `connection` and the `client_id` parameters.
* Delete a user based on the ID

To call any of the API endpoints, you will need a valid <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip>. This token must have the permissions required by the endpoint. Each endpoint in the Management API explorer has a scopes section that lists the scope(s) that the access token must contain in order to access it. Once you know which endpoint you want to access, and you have a valid access token, you are ready to send your request.

## Editable data

The following user information can be updated using the API:

* blocked
* email\_verified
* email
* verify\_email
* password
* phone\_number
* phone\_verified
* verify\_password
* user\_metadata
* app\_metadata
* username

The following user information is **not** editable:

* given\_name
* family\_name
* name
* nickname
* picture
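
The update rules and field lists above can be checked before a rectification request is sent. The following is an added example, not Auth0 code: it validates an update body against the rules on this page and predicts the stored profile, including the first-level metadata merge. The function names, the sample profile, the connection name, and the client ID are constructed, and it assumes `connection` and `client_id` travel in the same JSON body as the fields.

```python
# Added example: the rules below are transcribed from this page, not from Auth0 code.
EDITABLE = {"blocked", "email_verified", "email", "verify_email", "password",
            "phone_number", "phone_verified", "verify_password",
            "user_metadata", "app_metadata", "username"}
NOT_EDITABLE = {"given_name", "family_name", "name", "nickname", "picture"}
NEEDS_CONNECTION = {"email_verified", "phone_verified", "username", "password"}
NEEDS_CLIENT_ID = {"email", "phone_number"}   # these also need `connection`
MERGED = {"user_metadata", "app_metadata"}    # merged, not replaced
PARAMS = {"connection", "client_id"}          # assumption: sent in the same body


def check_update(body):
    """Return the problems found in an update body; an empty list means it passes."""
    fields = set(body) - PARAMS
    problems = [f"{f}: not editable through the API" for f in sorted(fields & NOT_EDITABLE)]
    problems += [f"{f}: not in the editable list"
                 for f in sorted(fields - EDITABLE - NOT_EDITABLE)]
    if fields & (NEEDS_CONNECTION | NEEDS_CLIENT_ID) and "connection" not in body:
        problems.append("connection: required for this update")
    if fields & NEEDS_CLIENT_ID and "client_id" not in body:
        problems.append("client_id: required when changing email or phone_number")
    return problems


def predict_profile(stored, body):
    """Profile after the update: top-level replace, metadata merged one level deep."""
    result = dict(stored)
    for key, value in body.items():
        if key in PARAMS:
            continue  # request parameters, not profile fields
        if key in MERGED:
            # First-level merge only: a nested object is replaced as a whole.
            result[key] = {**stored.get(key, {}), **value}
        else:
            result[key] = value
    return result


# Constructed sample profile and rectification request.
STORED = {
    "email": "old@example.com",
    "user_metadata": {"city": "Berlin", "prefs": {"newsletter": True, "locale": "de"}},
}
PATCH = {"email": "new@example.com", "user_metadata": {"prefs": {"newsletter": False}}}

if __name__ == "__main__":
    print(check_update(PATCH))
    fixed = {**PATCH, "connection": "example-connection", "client_id": "EXAMPLE_CLIENT_ID"}
    print(check_update(fixed), predict_profile(STORED, fixed))
```

In the predicted profile, `city` survives the merge but `prefs.locale` is dropped because `prefs` is replaced as a whole, so a correction to a nested metadata value should send the complete nested object.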

## Searchable fields

You can search for users using the following:

* All the normalized user profile fields
* The profile information under the `user_metadata` object:

  * name
  * nickname
  * given\_name
  * family\_name

You are responsible for ensuring that customer data is erased or updated in any other databases that Auth0 is not connected to.

## Learn more

* [GDPR: Conditions for Consent](/docs/secure/data-privacy-and-compliance/gdpr/gdpr-conditions-for-consent)
* [GDPR: Data Minimization](/docs/secure/data-privacy-and-compliance/gdpr/gdpr-data-minimization)
* [GDPR: Data Portability](/docs/secure/data-privacy-and-compliance/gdpr/gdpr-data-portability)
* [GDPR: Protect and Secure User Data](/docs/secure/data-privacy-and-compliance/gdpr/gdpr-protect-and-secure-user-data)
