Confluence: Right of access by the data subject

Introduction

Under Article 15 of the GDPR, individuals have the right to understand what personal data is being processed about them and the lawfulness of the processing. The GDPR requires that you take reasonable steps to provide this information to the individual, where requested. Whether or not you need to provide the individual with access to personal data stored within the product and the lawfulness of the processing will vary on a case-by-case basis, and is a determination you should always make with the assistance of legal counsel.  Once you have determined you have an obligation to provide an individual with access to personal data processed through the product, we have provided the following instructions on how to do so within certain Atlassian products. 

Description

The following table lists where account-level user personal data may be stored in a default Confluence installation. 

What is it? What does it get used for? Where is it stored

User profile information, such as:

  • Website
  • IM
  • Phone
  • "About Me" profile
  • Position
  • Department
  • Location

Generally, these are provided by the user, and can be edited on the User Profile screen.

In some cases, an administrator may use a third party add-on to fill in some or all of this information automatically.

Profile information is stored in the database
Avatar

The avatar is used to help identify a user to other users of Confluence. Generally, this is provided by the user and can be edited on the User Profile screen.

In some cases, an administrator may use a third party add-on to fill in some, or all, of this information automatically.

Profile information is stored in the database
Username (such as jsmith) The username is stored so a user can log into Confluence. User information is stored in the database
The username is used as the personal space key (such as ~jsmith). Information about spaces is stored in the database
The username will appear in the search index. The search index is stored on the file system
The username will appear in the audit log when making administrative changes to Confluence. The audit log is stored in the database
The username will appear in access logs, as the user browses pages in Confluence. The access logs are stored on the file system
The username may appear in Confluence content, particularly when mentions are used. Content is stored in the database
Display Name (such as John Smith) The display name is stored in the User Table, so Confluence can display the user's display name instead of the username. User information is stored in the database
The display name may appear in Confluence content. Content is stored in the database
Email Address (such as jsmith@example.tld) The email is stored so that Confluence knows where to send the user notifications about content. User information is stored in the database

Workaround

To remove any or all of this user personal data, please see Confluence Server: Right to erasure.


Limitations

In some cases, user personal data may be provided to Confluence by an external user management system. You'll need to make any edits or deletions of user personal data within the external user management system. All specific Confluence steps to achieve user personal data deletion in these cases are covered in Confluence Server: Right to erasure.


Additional notes

There may be limitations based on your product version.

Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.

Third-party add-ons may store personal data in their own database tables or on the filesystem.

The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.

If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.

Last modified on May 11, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.