Confluence: Right to rectification
Under Article 16 of the GDPR, you have the right to have inaccurate personal data rectified. The GDPR requires that you take reasonable steps to rectify the individual's personal data where requested. An example of such a request may be an individual requesting their display name be updated to reflect a name change. Whether or not modifying personal data stored within the product is within the scope of reasonable steps required to honor the individual's request will vary on a case-by-case basis, and is determination you should always make with the assistance of legal counsel. Once you have determined you have an obligation to rectify personal data, we have provided the following instructions on how to do so within certain Atlassian products.
Personal data stored within the product can be divided into one of two areas: 1) account-level personal data; and 2) free-form text. Account-level personal data are data fields that exist within the product for the sole purpose of identifying an individual throughout the product. Examples of account-level personal data include the user's display name, profile picture or avatar and email address. These data elements are generally visible from the user's profile and are used throughout the product to point back to the user's profile when the user is @mentioned or tagged on in certain spaces or content. Changing account-level personal data elements will automatically populate that change throughout the product where the relevant account-level data elements appear.
If you have included personal data in free-form text, either typed into content spaces or as a custom field label, you will need to use the product's global search feature to surface this personal data and recitfy it on a case-by-case basis.
Every user has the right to view and edit their personal data. Confluence provides the appropriate user interface to do that, however, depending on how your company incorporates your user details, that experience may differ.
Where Confluence users are managed and stored within Confluence Internal Directory, every individual can view and edit their profile data to their liking. Please read You User Profile for further information.
Confluence can be integrated with the company's central LDAP directory, and users can be fetched from there. If that integration is in read-only mode, then Confluence users are only allowed to view their profile details from their user profile page. To modify this information, you will need to reach out to your LDAP directory administrator for further instructions.
If the LDAP directory integration is in read/write mode, then Confluence users are able to view and edit this information from their user profile page, and those changes will be propagated to the LDAP directory. See the documentation on LDAP directories for details.
In the case of Internal Directory, only Confluence administrators are allowed to change a username, to ensure that usernames aren't duplicated. Each active user must have a unique username, so no two active users can have the same. Please read Change a Username for further information.
Non-editable personal data
There are some personal data stored in Confluence that cannot be modified:
Confluence as an application stores information in log files that are useful in case an error or a problem happens at the application level. By default, Confluence stores a history of 5 log files, 20MB each in size. Those logs will be rolled over once new messages come in.
Any personal data stored in the logs cannot be modified. Please read Working with Confluence Logs for further information.
Confluence Audit Logs
The audit log allows administrators to look back at changes that have been made in your site. This is useful when you need to troubleshoot a problem or if you need to keep a record of important events, such as changes to global permissions. You'll need Confluence administrator permissions to view the audit log, however, this data cannot be modified.
Please read Confluence Audit Log, if you want to know more about what events are being stored in the audit logs.
Confluence provides the ability for users to Export Content to Word, PDF, HTML and XML. Any personal information that is included in a page that is then exported, cannot be modified in the export.
There may be limitations based on your product version.
Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.