diff --git a/webservice/tests/privacy_test.php b/webservice/tests/privacy_test.php
index b7804d76fc9..d7b4da0ec00 100644
--- a/webservice/tests/privacy_test.php
+++ b/webservice/tests/privacy_test.php
@@ -32,6 +32,7 @@ use core_privacy\local\request\approved_contextlist;
 use core_privacy\local\request\transform;
 use core_privacy\local\request\writer;
 use core_webservice\privacy\provider;
+use core_privacy\local\request\approved_userlist;
 
 require_once($CFG->dirroot . '/webservice/lib.php');
 
@@ -229,6 +230,188 @@ class core_webservice_privacy_testcase extends provider_testcase {
         $this->assertEmpty($data);
     }
 
+    /**
+     * Test that only users with a user context are fetched.
+     */
+    public function test_get_users_in_context() {
+
+        $component = 'core_webservice';
+        // Create user u1.
+        $u1 = $this->getDataGenerator()->create_user();
+        $u1ctx = context_user::instance($u1->id);
+        // Create user u2.
+        $u2 = $this->getDataGenerator()->create_user();
+        $u2ctx = context_user::instance($u2->id);
+        // Create user u3.
+        $u3 = $this->getDataGenerator()->create_user();
+        $u3ctx = context_user::instance($u3->id);
+        // Create user u4.
+        $u4 = $this->getDataGenerator()->create_user();
+        $u4ctx = context_user::instance($u4->id);
+        // Create user u5.
+        $u5 = $this->getDataGenerator()->create_user();
+        $u5ctx = context_user::instance($u5->id);
+
+        // The lists of users for each user context ($u1ctx, $u2ctx, etc.) should be empty.
+        // Related user data have not been created yet.
+        $userlist1 = new \core_privacy\local\request\userlist($u1ctx, $component);
+        provider::get_users_in_context($userlist1);
+        $this->assertCount(0, $userlist1);
+        $userlist2 = new \core_privacy\local\request\userlist($u2ctx, $component);
+        provider::get_users_in_context($userlist2);
+        $this->assertCount(0, $userlist2);
+        $userlist3 = new \core_privacy\local\request\userlist($u3ctx, $component);
+        provider::get_users_in_context($userlist3);
+        $this->assertCount(0, $userlist3);
+        $userlist4 = new \core_privacy\local\request\userlist($u4ctx, $component);
+        provider::get_users_in_context($userlist4);
+        $this->assertCount(0, $userlist4);
+        $userlist5 = new \core_privacy\local\request\userlist($u5ctx, $component);
+        provider::get_users_in_context($userlist5);
+        $this->assertCount(0, $userlist5);
+
+        // Create a webservice.
+        $s = $this->create_service();
+        // Create a ws token for u1.
+        $this->create_token(['userid' => $u1->id]);
+        // Create a ws token for u2, and u3 as the creator of the token.
+        $this->create_token(['userid' => $u2->id, 'creatorid' => $u3->id]);
+        // Create a service user (u4).
+        $this->create_service_user(['externalserviceid' => $s->id, 'userid' => $u4->id]);
+
+        // The list of users for userlist1 should return one user (u1).
+        provider::get_users_in_context($userlist1);
+        $this->assertCount(1, $userlist1);
+        $expected = [$u1->id];
+        $actual = $userlist1->get_userids();
+        $this->assertEquals($expected, $actual);
+        // The list of users for userlist2 should return one user (u2).
+        provider::get_users_in_context($userlist2);
+        $this->assertCount(1, $userlist2);
+        $expected = [$u2->id];
+        $actual = $userlist2->get_userids();
+        $this->assertEquals($expected, $actual);
+        // The list of users for userlist3 should return one user (u3).
+        provider::get_users_in_context($userlist3);
+        $this->assertCount(1, $userlist3);
+        $expected = [$u3->id];
+        $actual = $userlist3->get_userids();
+        $this->assertEquals($expected, $actual);
+        // The list of users for userlist4 should return one user (u4).
+        provider::get_users_in_context($userlist4);
+        $this->assertCount(1, $userlist4);
+        $expected = [$u4->id];
+        $actual = $userlist4->get_userids();
+        $this->assertEquals($expected, $actual);
+        // The list of users for userlist5 should not return any users.
+        provider::get_users_in_context($userlist5);
+        $this->assertCount(0, $userlist5);
+
+        // The list of users should only return users in the user context.
+        $systemcontext = context_system::instance();
+        $userlist6 = new \core_privacy\local\request\userlist($systemcontext, $component);
+        provider::get_users_in_context($userlist6);
+        $this->assertCount(0, $userlist6);
+    }
+
+    /**
+     * Test that data for users in approved userlist is deleted.
+     */
+    public function test_delete_data_for_users() {
+
+        $component = 'core_webservice';
+        // Create user u1.
+        $u1 = $this->getDataGenerator()->create_user();
+        $u1ctx = context_user::instance($u1->id);
+        // Create user u2.
+        $u2 = $this->getDataGenerator()->create_user();
+        $u2ctx = context_user::instance($u2->id);
+        // Create user u3.
+        $u3 = $this->getDataGenerator()->create_user();
+        $u3ctx = context_user::instance($u3->id);
+        // Create user u4.
+        $u4 = $this->getDataGenerator()->create_user();
+        $u4ctx = context_user::instance($u4->id);
+        // Create user u5.
+        $u5 = $this->getDataGenerator()->create_user();
+        $u5ctx = context_user::instance($u5->id);
+
+        // Create a webservice.
+        $s = $this->create_service();
+        // Create a ws token for u1.
+        $this->create_token(['userid' => $u1->id]);
+        // Create a ws token for u2, and u3 as the creator of the token.
+        $this->create_token(['userid' => $u2->id, 'creatorid' => $u3->id]);
+        // Create a service user (u4).
+        $this->create_service_user(['externalserviceid' => $s->id, 'userid' => $u4->id]);
+        // Create a service user (u5).
+        $this->create_service_user(['externalserviceid' => $s->id, 'userid' => $u5->id]);
+
+        // The list of users for u1ctx should return one user (u1).
+        $userlist1 = new \core_privacy\local\request\userlist($u1ctx, $component);
+        provider::get_users_in_context($userlist1);
+        $this->assertCount(1, $userlist1);
+        // The list of users for u2ctx should return one user (u2).
+        $userlist2 = new \core_privacy\local\request\userlist($u2ctx, $component);
+        provider::get_users_in_context($userlist2);
+        $this->assertCount(1, $userlist2);
+        // The list of users for u3ctx should return one user (u3).
+        $userlist3 = new \core_privacy\local\request\userlist($u3ctx, $component);
+        provider::get_users_in_context($userlist3);
+        $this->assertCount(1, $userlist3);
+        // The list of users for u4ctx should return one user (u4).
+        $userlist4 = new \core_privacy\local\request\userlist($u4ctx, $component);
+        provider::get_users_in_context($userlist4);
+        $this->assertCount(1, $userlist4);
+
+        $approvedlist = new approved_userlist($u1ctx, $component, $userlist1->get_userids());
+        // Delete using delete_data_for_user.
+        provider::delete_data_for_users($approvedlist);
+        // Re-fetch users in u1ctx - the user data should now be empty.
+        $userlist1 = new \core_privacy\local\request\userlist($u1ctx, $component);
+        provider::get_users_in_context($userlist1);
+        $this->assertCount(0, $userlist1);
+
+        $approvedlist = new approved_userlist($u2ctx, $component, $userlist2->get_userids());
+        // Delete using delete_data_for_user.
+        provider::delete_data_for_users($approvedlist);
+        // Re-fetch users in u2ctx - the user data should now be empty.
+        $userlist2 = new \core_privacy\local\request\userlist($u2ctx, $component);
+        provider::get_users_in_context($userlist2);
+        $this->assertCount(0, $userlist2);
+
+        $approvedlist = new approved_userlist($u3ctx, $component, $userlist3->get_userids());
+        // Delete using delete_data_for_user.
+        provider::delete_data_for_users($approvedlist);
+        // Re-fetch users in u3ctx - the user data should now be empty.
+        $userlist3 = new \core_privacy\local\request\userlist($u3ctx, $component);
+        provider::get_users_in_context($userlist3);
+        $this->assertCount(0, $userlist3);
+
+        $approvedlist = new approved_userlist($u4ctx, $component, $userlist3->get_userids());
+        // Delete using delete_data_for_user.
+        provider::delete_data_for_users($approvedlist);
+        // Re-fetch users in u4ctx - the user data should now be empty.
+        $userlist4 = new \core_privacy\local\request\userlist($u4ctx, $component);
+        provider::get_users_in_context($userlist4);
+        $this->assertCount(0, $userlist4);
+
+        // The list of users for u5ctx should still return one user (u5).
+        $userlist5 = new \core_privacy\local\request\userlist($u5ctx, $component);
+        provider::get_users_in_context($userlist5);
+        $this->assertCount(1, $userlist5);
+
+        // User data should only be removed in the user context.
+        $systemcontext = context_system::instance();
+        $approvedlist = new approved_userlist($systemcontext, $component, $userlist5->get_userids());
+        // Delete using delete_data_for_user.
+        provider::delete_data_for_users($approvedlist);
+        // Re-fetch users in u5ctx - the user data should still be present.
+        $userlist5 = new \core_privacy\local\request\userlist($u5ctx, $component);
+        provider::get_users_in_context($userlist5);
+        $this->assertCount(1, $userlist5);
+    }
+
     /**
      * Create a service.
      *