Data protection by design and by default in Bitbucket Server and Data Center
Article 25 of the GDPR sets forth the principle of data protection by design and by default. This is a broad principle with varying meaning and application depending on the context and type of personal data being processed. This principle is unique to each organization, and should always be evaluated with the assistance of legal counsel to determine all efforts required to comply. These efforts may include ensuring certain third party applications you use to process personal data are configured to default to the most privacy-friendly settings available whenever personal data is input. Below is a summary of relevant settings and configurations available through certain Atlassian products, and a discussion of any limitations.
Permissions and restrictions for content
Bitbucket Server contains a permission system that limits the access of specified users to repositories. By default, only administrators have access to repositories. Non-admin users can be given access to all repositories on a system, all repositories within a specific project, or individual repositories. In addition, access to a repository may be given to all anonymous users (those without an account on the system).
All users with access to a repository can see the repository's full Git history. Each change within a Git repository includes the author's display name, email and avatar photo (either the avatar photo uploaded to Bitbucket Server or a photo on the third-party Gravatar site). Logged-in users with access to the repository can also see pull requests and other user's comments on commits.
Any logged-in user may view another user's profile information (user name, display name, email address and avatar).
By default, Bitbucket Server will not show any data to anonymous users. If a repository administrator enables public access to a repository, data contained within that repository's Git history is available to anonymous users. Each change within a Git repository includes the author's display name, email and avatar photo (either the avatar photo uploaded to Bitbucket Server or a photo that the user stored on the third-party Gravatar site). For public repositories, this data (author display name, email and avatar photo) is displayed to anonymous users.
Anonymous users may not view a user's profile information (though some of the user profile information is available from public repositories).
Bitbucket Server can be configured for public signup (similar to the public signup feature in Jira). This feature allows anybody with access to the instance to create an account.
With this feature enabled, an anonymous user can easily sign up and get access to more user data (user profiles, comments on commits and pull requests, etc).
The Bitbucket Server permissions system does not control access to user profile information. Any logged-in user can see another user's profile.
Data in Git repositories
Each change within a Git repository includes the author's display name, email and avatar photo (either the avatar photo uploaded to Bitbucket Server or a photo that the user stored on the third-party Gravatar site). For public repositories, this data (author display name, email and avatar photo) is displayed to anonymous users.
There may be limitations based on your product version.
Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.