Right to rectification in Bitbucket Server and Data Center

Under Article 16 of the GDPR, you have the right to have inaccurate personal data rectified. The GDPR requires that you take reasonable steps to rectify the individual's personal data where requested.  An example of such a request may be an individual requesting their display name be updated to reflect a name change.  Whether or not modifying personal data stored within the product is within the scope of reasonable steps required to honor the individual's request will vary on a case-by-case basis, and is determination you should always make with the assistance of legal counsel.  Once you have determined you have an obligation to rectify personal data, we have provided the following instructions on how to do so within certain Atlassian products.  

Personal data stored within the product can be divided into one of two areas: 1) account-level personal data; and 2) free-form text.  Account-level personal data are data fields that exist within the product for the sole purpose of identifying an individual throughout the product.  Examples of account-level personal data include the user's display name, profile picture or avatar and email address.  These data elements are generally visible from the user's profile and are used throughout the product to point back to the user's profile when the user is @mentioned or tagged on in certain spaces or content.  Changing account-level personal data elements will automatically populate that change throughout the product where the relevant account-level data elements appear. 

If you have included personal data in free-form text, either typed into content spaces or as a custom field label, you will need to use the product's global search feature to surface this personal data and recitfy it on a case-by-case basis.    

Description

These workarounds will help users change their personal data in Bitbucket Server. 

Version compatibility

All versions of Bitbucket Server.

Workaround

Changing display name, email address and avatar photo

Bitbucket Server's configuration affects how users change their display name and email address.

Users managed and stored in an Internal Directory

When users are managed and stored within the Bitbucket Server internal directory, they can view and edit their profile data, including changing their display name, email address and avatar photo.

Users managed and stored in an External Directory

When Bitbucket Server is integrated with a directory server, display name and email address are fetched from the directory server and must be changed there. Users may still change their avatar photo from within Bitbucket Server.

Limitations

Username

Once a user has been created, it is not possible to change their username.

Data in Git repositories

When someone makes a change to a Git repository, the display name and email address they provide (which may be different from the display name and email address stored in Bitbucket Server) are stored with the change. Changing this information is only possible through a process called "rewriting history", which requires rewriting the original change and all following changes.

Given Git's value as an audit tool and chain of authorship, most development teams strongly discourage rewriting history.

Audit, access, application and webhook logs

Bitbucket Server logs information for auditing and diagnostic purposes. All these logs may contain the user's username, display name and email address. The access and application logs may also contain the user's IP address. Any personal data stored in these logs is non-modifiable.

Please read How to read the Bitbucket Server Log FormatsAudit Logging in Bitbucket Server and Troubleshooting webhooks to see the kind of data stored in the logs. 

The following table shows the default retention policy for logs:

Audit logsKeep up to 100 25MB files
Access logsKeep up to 10 25MB files
Application logsKept for 31 days
Webhook logsKept for 30 days

After the above limits have been reached, the logs are deleted. System administrators may change the above defaults.

Additional notes

There may be limitations based on your product version.

Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.

Third-party add-ons may store personal data in their own database tables or on the filesystem.

The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.

If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.

Last modified on May 31, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.