Crowd: Records of processing activities
Article 30 of the GDPR requires that data controllers and data processors (as defined under the regulation) keep detailed records of what personal data elements they process, why they process the data, where the data is stored, transferred, shared and with whom, how the data is secured and any limitations that may apply to an individual's request to have personal data erased. When you use Atlassian server or data center products, our products may be an application within the scope of your records of processing activities. Whether or not you need to document records of processing activities associated with personal data stored within the product is a determination you should always make with the assistance of legal counsel.
Please note, when you store personal data in Atlassian server or data center products, the personal data stays on systems within your own environment. Atlassian does not access, store, or otherwise process the personal data you choose to store within the products and is neither a data controller nor a processor for that data.
Below is a list of related articles you may find helpful in compiling the information required for your own records of processing activities:
Every user management operation and change to a user's personal data in Crowd is logged in the audit log, including:
- user creation
- data updates
- group assignment.
Please read Browsing the audit log for more information.
All workarounds are compatible with Crowd 3.2 and later.
Crowd doesn't provide a way to track access to personal data. In general, access to personal data is restricted to users accessing their own personal data, and to Crowd administrators. Please read Crowd: Data protection by design and by default.
You can enable generic access logging to track requests to pages and REST resources containing personal data. Please read How do I enable Access Logging for Crowd for more information.
There may be limitations based on your product version.
Note: the GDPR workaround described above has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.