The notes below can be useful when assessing how your usage of TeamCity complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 regulation. These notes are meant to address the most basic questions and can serve as an input to the assessment of your specific TeamCity installation.
The notes are based on TeamCity 2017.2.4 which is actual at the moment of GDPR enforcement date. Please update your TeamCity instance at least to the version as previous versions might contain issues not in line with the notes below.
TeamCity and Users' Personal Data
The most important user-related data stored by TeamCity is:
When you want to delete personal data of a specific user, the best way to do it is to delete the user in TeamCity. This way all the references to the user will only continue to store the numeric user id and full name, while the username as well as email all the other user information will not be stored anymore. Note that Audit records will keep the name of the user responsible for an action on the TeamCity server, e.g. the user who deleted the build, modified a build configuration, etcmention internal numeric user id after the user deletion.
If the user triggered any bulds builds (i.e. had the "Run build" permission in any of the projects which are still present on the server), the user's username and full name will were be recorded in the build's "teamcity.build.triggeredBy" parameters as text values as those were part of the build's "environment". If you need to remove those, you can either delete the related builds (and all the builds which artifact- or snapshot-depend on them), or delete parameters of those affected builds (the parameters are stored in archived files under <TeamCity Data directory>\system\artifacts***\.teamcity\properties directories).
After the user deletion and other data cleaning, make sure to reset search index to prune possibly cached data of the deleted user from the search index.
If user had "Edit project" permission, the full name / username can appear in:
VCS usernames in VCS-related data :
Username can also appear in access credentials configured in different integrations like VCS roots, issue tracker, database access, etc. (these are stored in the the settings files and audit diff files in the TeamCity Data Directory and VCS roots usernames are also stored in the database for the current and previous versions of the VCS roots)
To ensure user's details are not stored by TeamCity you might want to to check the TeamCity-backing storage that no occurrences of the data are stored: the database, Data Directory and the TeamCity home directory (logs, and memory dumps which are regularly placed under the "bin" directory).
If you want the users to accept a special ageement before using your TeamCity instance, you can install a dedicated plugin developed by JetBrains for this purpose. Refer to the plugins's documentation for more details.