Right of access by the data subject in Bitbucket Server and Data Center

Under Article 15 of the GDPR, individuals have the right to understand what personal data is being processed about them and the lawfulness of the processing. The GDPR requires that you take reasonable steps to provide this information to the individual, where requested. Whether or not you need to provide the individual with access to personal data stored within the product and the lawfulness of the processing will vary on a case-by-case basis, and is a determination you should always make with the assistance of legal counsel.  Once you have determined you have an obligation to provide an individual with access to personal data processed through the product, we have provided the following instructions on how to do so within certain Atlassian products. 

Description

The following table lists where user account-level personal data may be stored in a default Bitbucket Data Center installation. 

What is it?What does it get used for?Where is it stored
Your username (such as jsmith)

Your username is stored so you can log into Bitbucket

Login information is stored in the database
Your username is used as your personal project key (such as ~jsmith)Information about personal projects is stored in the database
Your username is stored in the search index when you have a personal projectThe search index is stored on the file system

Your username will appear in the audit log when you make administrative changes to Bitbucket

Audit logs is stored in the database and on the file system

Your username will appear in access logs, as you browse pages and use Git with Bitbucket

Access logs are stored on the file system

Your username will appear in Bitbucket mentions in pull request and commit comments

Comments are stored in the database
Your username will be used to keep track of your application preferencesApplication preferences are store in the database
Your username may be used to store access tokens to external systems (Jira, Hipchat, 3LO, etc)Access tokens are stored in the database
Your Display Name (such as John Smith)

Your display name is stored on your profile, so Bitbucket can display your name instead of your username

Your profile is stored in the database
Your display name is stored in the search index when you have a personal projectThe search index is stored on the file system
Your display name may be stored in pull request and commit commentsComments are stored in the database
Your display name is stored whenever you commit to a Git repository and in cached Git dataGit repositories and caches are stored on the file system
Your Email Address (such as jsmith@example.tld )

Your email address is stored on your profile, so Bitbucket knows where to send you notifications about content

Your profile is stored in the database

Your email address is stored with any GPG keys you upload to Bitbucket

GPG keys are stored in the database

Your email address is stored whenever you commit to a Git repository and in cached Git dataGit repositories and caches are stored on the file system
Your Avatar photo

Your avatar photo may be stored on your profile to help identify you to other users of Bitbucket.

By default, Bitbucket will look for your avatar in Gravatar, using a one-way hash of your email address.

Avatar photos are stored on the file system

Workaround

Please read  Bitbucket: Right to erasure  for steps on how to remove this personal data.

Additional notes

There may be limitations based on your product version.

Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.

Third-party add-ons may store personal data in their own database tables or on the filesystem.

The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.

If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.

Last modified on Sep 30, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.