Server and Data Center GDPR FAQ

What is GDPR?

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. See www.eugdpr.org for more details regarding the regulation.

Who does GDPR affect?

The GDPR not only applies to organisations located within the EU, but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force on the 25th of May, 2018.

What kind of information does GDPR apply to?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

What rights will individuals have under GDPR?

There are 8 fundamental rights of individuals under GDPR. These are:

  • The right to be informed - Organisations must be completely transparent in how they are using personal data.
  • The right of access (Art. 15 GDPR) - Individuals will have the right to know exactly what information is held about them and how it is processed.
  • The right of rectification (Art. 16 GDPR) - Individuals will be entitled to have personal data corrected or supplemented if it is inaccurate or incomplete.
  • The right to erasure (Art. 17 GDPR) - Also known as 'the right to be forgotten', this refers to an individual's right to have their personal data deleted or removed (subject to some limitations) without the need for a specific reason as to why they wish to discontinue.
  • The right to restrict processing (Art. 18 GDPR) - Refers to an individual's right to block or suppress processing of their personal data.
  • The right to data portability (Art. 20 GDPR) - This allows individuals to retain and reuse their personal data for their own purpose.
  • The right to object (Art. 21 GDPR) - In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  • Rights of automated decision making and profiling (Art. 22 GDPR) - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.

What is Atlassian Doing to Comply with GDPR?

Atlassian's policy is to respect all laws that apply to our business and this includes GDPR. Atlassian also appreciates that our customers have requirements under GDPR that are directly impacted by their use of Atlassian products and services, and Atlassian is committed to supporting our customers' GDPR compliance efforts. The steps we are taking can be read on this blog.

How Does Atlassian Support GDPR Compliance Efforts for Server and Data Center Customers?

When you use Atlassian Server and Data Center products, Atlassian provides those products in a downloadable format.  Atlassian does not access, collect, store or otherwise process personal data in connection with providing those downloadable products to Server and Data Center customers, except in limited cases where such data is provided for incidental support services. Atlassian may access analytics events associated with your technical use of the products, but only where permitted by your administrator.  Such analytics information is filtered to exclude any personal data prior to the analytics information leaving your environment.  For more information on the analytics information collected through Atlassian downloadable products, please see our Privacy Policy.  

Because Atlassian does not access, collect, store, handle or otherwise process personal data in connection with providing our Server products to customers, GDPR-specific obligations do not attach to Atlassian by virtue of providing customers a Server or Data Center version of our products.  However, we appreciate that our customers may have GDPR-specific obligations regarding the access, modification and deletion of personal data processed using Atlassian Server and Data Center products.  We have prepared a Guide to Server and Data Center GDPR Support to assist customers in this area. 

Does Atlassian offer a Data Processing Agreement (DPA) for Server or Data Center Customers? 

Atlassian does not offer a DPA when you use Atlassian Server or Data Center products. DPAs are required where Atlassian is acting as a data processor of personal data. When you use Atlassian Server or Data Center products, Atlassian does not have access to or process any Personal Data. The data stays entirely in your environment and is accessed and hosted solely by you. As such, many of the obligations under GDPR that apply to data processors do not apply to Atlassian in the Server or Data Center context.

What are Atlassian's security policy and guarantees for personal data transferred outside of the EU as they relate to Server?

When you use Atlassian Server or Data Center products, Atlassian does not have access to or process any Personal Data. The data stays entirely in your environment and is accessed and hosted solely by you. As such, Atlassian does not transfer your personal data when you use Atlassian Server or Data Center products. For more information on the security configurations available to you through various Atlassian Server or Data Center products, please see our Guide to Server and Data Center GDPR Support.

How can we ensure that our use of Atlassian Server or Data Center products is GDPR compliant?

Atlassian appreciates that our customers have requirements under GDPR that are directly impacted by their use of Atlassian products and services, and Atlassian is committed to supporting our customers' GDPR compliance efforts. Please see the relevant GDPR support guides for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Hipchat, Jira Core, JIRA Software and JIRA Service Desk, or Portfolio for Jira Server.

How can we ensure that our use of Bamboo Server is GDPR compliant?

Please see the Bamboo Server GDPR support guides

How can we ensure that our use of Bitbucket Server or Data Center is GDPR compliant?

Please see the Bitbucket Server and Data Center GDPR support guides

How can we ensure that our use of Confluence Server or Data Center is GDPR compliant?

Please see the Confluence Server and Data Center GDPR support guides

How can we ensure that our use of Crowd Server or Data Center is GDPR compliant?

Please see the Crowd Server and Data Center GDPR support guides

How can we ensure that our use of Fisheye Crucible Server is GDPR compliant?

Please see the Fisheye Crucible Server GDPR support guides

How can we ensure that our use of Hipchat Server is GDPR compliant?

Please see the HipChat Server and Data Center GDPR support guides

How can we ensure that our use of JIRA Core, JIRA Software and JIRA Service Desk Server or Data Center is GDPR compliant?

Please see the Jira Core, JIRA Software and JIRA Service Desk Server and Data Center GDPR support guides

How can we ensure that our use of Portfolio for Jira Server is GDPR compliant?

Please see the Portfolio for Jira Server GDPR support guides

Last modified on May 11, 2018
