Not sure if GDPR applies to most of us:
If really needed, I would first use the new system notification for setting up parameters and printing conditions.
I would also use the login framework to delete user information after logout.
I guess it should be enough...
Well, the user id is saved in WinCC OA e.g. with alert acknowledge and there is no known way (or at least I don't know any) to remove it.
So, do we need the explicit consent of the user before login into a system (you don't need to print the conditions, a simple notification would be enough, I think)?
What should we do if the user withdraws the consent (of course, you should provide an easy way of removing it)? Would it be enough to deactivate the user and delete its user name?
If you delete the users at logout, then you break the link between user and id no? As WinCC OA saves ack/setpoint/comments using user id, thus you have no way to know real username of a disconnected user (as it is not existing in system)
Also if all your users are having access to all data, then you should consider using Authorization Check Plug-in to put some restrictions, avoiding to let sensitive data available to any connected user.
And by "having access to all data" I meant that once you have the user name in an SSO system, you could obtain theoretically access to all data contained in AD relating this user, and that could be a lot. That's why I mean that a WinCC OA application should be concerned about GDPR, specially if it is using SSO.
With the default settings the '_Ui_.UserName' is archived and could be used to retrieve the user name (even after another name has been assigned to the user id).If you delete the users at logout, then you break the link between user and id no?