Our company plans to use Atlassian software as standard support tools for software development.
We prefer the cloud-based option but according to the European and German laws we have to comply with DPD (Data Protection Directive), and as of May 25th 2018 to GDPR. (General Data Protection Regulation)
All implementations that do not comply are illegal. As of May next year violations can be fined with a maximum of 4% of the violators turn-over!
Yet I don’t see any discussion about this matter. Atlassian still states it does store customer’s data in a location it chooses. Also in the US, with is a violation of both DPD and GDPR.
Please inform me if Atlassian is complying with DPD, and if it is going to comply with GDPR. And how it is done.
Dear Atlassian team,
as you wrote in the announcement from the 1. December, you are committed and preparing for the GDPR, which comes in into force in Europe on the 25. May this year.
Unfortunately, this date is approaching and there is still some information missing, not only for me. The following questions need to be answered urgently in order to continue using your software:
- Will there be a Data Processing Agreement? (or should we send ours? ;)) This is a general requirement!
- Can we make sure or OnDemand instance is hosted in your data center in Ireland?
- What about privacy requirements as described for example in CONFCLOUD-7837 ?
I know/hope you guys are probably busy tackeling these challenges but our data protection officer is asking when we can expect information regarding the GDPR from Atlassian as our data processor.
Please be reminded that there will be severe penalties. Without clarification of the points, the further operation of the software after the 25. May is not possible for us and actually all your customers in Europe.
if I should overlook something, I ask for a pointer ;)
Request your Data Processing Addendum (DPA) via email@example.com
Some months ago Atlassian suggested that they are opening their first data center located in Europe. I don't know what happened after, but it may worth some Googling...
OK, I looked this up for you: https://www.atlassian.com/trust/infrastructure
As it says it is "CURRENTLY IN PRIVATE BETA" and:
Atlassian has extended its cloud hosting infrastructure to Ireland. European customers of JIRA or Confluence cloud will benefit from improved performance and other advantages of local data storage.
This step is mainly meant for "user experience improvement"
Storing data in Europe is one condition comply with GDPR, but not the only one.
Atlassian still states it will store all data in a location of their choice.
Meanwhile I got an answer from Atlassians legal office stating: "We are relying on our Privacy Shield certification to satisfy the onward transfer requirements under GDPR”
Our legal department estimates it is not enough to comply.
Same here, I'm told Privacy Shield won't be enough. We need the option to host inside the EU.
The Beta in Europe is in Ireland, so that would solve it, if I understand correctly. But only if Atlassian will guarantee that if you ask for EU data, it will only be held and processed in the Irish centre.
We are by now looking for an alternative. It is a pity because we like the Atlassian products. The way Atlassian behaves seems to show that they do not care about their European business. Maybe to them, it is neglectable, otherwise, they will wake up to customers changing to competitors.
This does generate some work for partners - as a test or demo Cloud system is used by a company, then they realise it's not suitable, they ask us to help migrate them to server. Either their own hosted one, or by one of us that does managed services. It's not the main driver of Cloud to Server migrations, but it's not insignificant.
Have you considered a managed service? (Your comment suggests you don't want to run it yourself)
Actually we are considering both options. We already have a partner offering both solutions.
We might consider an alternative
May be you should start an office on the other side of the channel :)
Atlassian needs to make a Data Processing Agreement with their customers in addition to Privacy Shield. This is a must-have if customers should be able to comply with GDPR.
Have a look at this recent announcement (published Dec 01st, 2017). Although it does not give any additional info regarding the EU data storage it starts with "Atlassian is committed to compliance with the General Data Protection Regulation (GDPR), which will go into effect May 25, 2018. "
They say they are Privacy Shield certified, which is good in terms of transferring data outside EU, also under the new GDPR. But they still need to enter Data Processing Agreements with their customers, regardless of all other efforts they do.
Thanks - still no mention of Data Processing Agreement being available. When are we going to get it? Other companies - AWS, Salesforce, CA, etc already published their self-signed agreement. We need one from Atlassian.
Sorry to hijack the post, but as an organisation located in the UK just like many others on this thread? For us to be GDPR compliant we have to have our data stored in the EU.
Will that happen in time for May 25th? Will we be able to guarentee that our data will be held in Ireland?
And the penalty is 4% of annual revenue or €10 million, whichever is greater. Just to underline to Atlassian that people will not be fucking around with non-compliance. :)
I just wanted to let you now that there will be a new Jira app for anonymization by next week. An app for Confluence will be following shortly after. All the details are available already in the Atlassian Marketplace as well as in our Blog and website.
Disclaimer: I'm the product manager at the vendors company and am only posting this as the app does exactly what the initial question is all about.
I'd also like an answer on this. We're currently looking at various ticketing solutions and Jira is winning on most points, but lack of GDPR compliance may be the sticking point.
Dear Atlassian team,
We are trawling through old Jira issues manually removing GDPR data. We find however that if we are updating the original issue log that the original description is kept in the comments.
Please urgently advise how I can remove those from the comments.
I'm the Head of Marketing at Actonic and if you need a complete GDPR/DSGVO solution for Jira, please have a look at our app „GDPR (DSGVO) and Security for Jira“. It provides all the tools you need to become fully compliant quickly and easily. There's also a version for Confluence. Both can be found in the Atlassian Marketplace.
I hope this will be useful for some people here. Thank you!
Hello Community 🤗 I’m Nikhil, a Product Manager on the Jira Cloud team working on performance improvements. Performance is an ongoing journey and we continue to invest heavily in it. We under...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events