Back to All Scenarios
PASSEDsecurity / gdpr_data_retention_violation
GDPR Data Retention Violation — PII Not Purged
A GDPR compliance scan discovers that the automated data retention purge job has been silently skipping records due to a foreign key constraint error. 2.3 million EU user records past their retention period have not been deleted, violating GDPR Article 5(1)(e) storage limitation principle.
Pattern
UNKNOWN
Severity
CRITICAL
Confidence
95%
Remediation
Remote Hands
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | UNKNOWN | UNKNOWN | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 18 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
GDPR data retention policy: 24 months post-account-closure. Automated purge job running daily. Foreign key constraint error silently swallowed. 2.3 million records overdue for deletion. Some records 18 months past retention deadline.
Injected Error Messages (2)
data retention purge job CRITICAL failure — automated GDPR data deletion job 'gdpr-purge-eu-users' has been silently failing on 2.3 million records since 2025-09-15, foreign key constraint on 'user_activity_log' table preventing CASCADE deletion, error swallowed by catch-all exception handler, 2.3 million EU user PII records past 24-month retention period, oldest overdue record: 18 months past deletion deadline, GDPR Article 5(1)(e) storage limitation violation
GDPR compliance dashboard RED — data retention SLA breached for 2.3 million EU data subjects, affected data categories: name, email, phone, address, payment history, browsing history, retention policy requires deletion 24 months after account closure, automated remediation blocked by database referential integrity constraints, DPA notification may be required, legal team alerted
Neural Engine Root Cause Analysis
The GDPR data deletion job 'gdpr-purge-eu-users' is failing due to foreign key constraints on the 'user_activity_log' table that prevent CASCADE deletion of user records. The application's catch-all exception handler is silently swallowing these database constraint errors, masking the failure for months. This has resulted in 2.3 million EU user PII records remaining in the system 18 months past their required deletion deadline, creating a severe GDPR compliance violation under Article 5(1)(e) storage limitation principles.
Remediation Plan
1. Immediately disable the faulty exception handler to surface actual errors 2. Review database schema and identify all foreign key relationships preventing user deletion 3. Implement proper CASCADE DELETE constraints or modify deletion logic to handle dependent records first 4. Create emergency data purge script to delete the 2.3M overdue records following proper referential integrity order 5. Add proper error logging and alerting to the deletion job 6. Implement database transaction rollback handling 7. Schedule immediate legal/compliance review for GDPR breach assessment and potential regulatory notification
Tested: 2026-03-30Monitors: 2 | Incidents: 2Test ID: cmnckegrt08woobqebeeeuc2c