Bamboo: Right to restriction of processing
Introduction
Under limited circumstances, Article 18 of the GDPR allows a data subject to request that the processing of their personal data be restricted, rather than entirely deleted. The right of the data subject under Article 18 is highly contextual and you should seek the advice of legal counsel in processing any such request. If you require the ability to restrict processing specific personal data within an Atlassian product, we suggest you follow the instructions set forth in the Right of Rectification article, replacing any personal data elements with elements that do not identify the individual in order to restrict any further processing until the issue is resolved. When and if the processing may resume, you can replace the non-identifying elements with the original personal data elements.
Description
Personal Data (PD) for a specific user can be spread across multiple components of Bamboo. We've detailed these components and areas in the Bamboo: Right of access by the data subject article.
The recommended approach of limiting access to a user's PD in Bamboo is to anonymize their PD, as described in Bamboo: Right to erasure. If the data can't be anonymized, we've provided some workarounds in this article to help you:
Version Compatibility
All workarounds are compatible with Bamboo 6.5 and later.
Workarounds
Deleting a user's account
See Deleting or deactivating a user for more information on deleting a user.
Affected personal data processing
- Other users won't be able to mention the user.
- The user will not be presented/suggested in user pickers.
- The user will not receive email notifications.
Limitations
- The user is deleted, and therefore won't be able to log in or use Bamboo.
Delete other entities (plans / results / deployment projects / deployment versions / releases)
Permissions in Bamboo are additive. If a user has global permission to view plans or project permission to view plans in a project, they will still be able to see plans even if they don't have permissions to see that specific plan. Deleting entities does not have an immediate effect. Although these entities are marked for deletion in the database, and they are hidden in the UI and REST API, they can still be retrieved with the direct database query.
A database query is the only way to know for sure if an entity exists or has been deleted.
Even after deletion, there will still be places like the agent logs, where some data will be left for a possibly indefinite time period.
Affected personal data processing
- Limited user PD visibility to other users
- Limited access to Entity/PD via REST API
Limitations
- There may still be some PD on the agents, that will not have been removed.
Additional notes
There may be limitations based on your product version.
Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.
If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.