Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

GDPR, European "General Data Protection Regulation"

GeertWeijsGEA
GeertWeijsGEA September 11, 2017

Our company plans to use Atlassian software as standard support tools for software development.


We prefer the cloud-based option but according to the European and German laws we have to comply with DPD (Data Protection Directive), and as of May 25th 2018 to GDPR. (General Data Protection Regulation)
All implementations that do not comply are illegal. As of May next year violations can be fined with a maximum of 4% of the violators turn-over!
Yet I don’t see any discussion about this matter. Atlassian still states it does store customer’s data in a location it chooses. Also in the US, with is a violation of both DPD and GDPR.
Please inform me if Atlassian is complying with DPD, and if it is going to comply with GDPR. And how it is done.

Best regards,

Geert Weijs

Answer
Watch
Like # people like this
19618 views

15 answers

1 accepted

3 votes
Answer accepted
Atlassian recommended
RJ Gazarek
RJ Gazarek
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 1, 2021

Hi everyone!

We still get quite a bit of traffic on this question and page, so wanted to make sure that everyone visiting has the latest information.  Sorry for responding to a very old post, but just in case anyone comes across it, here you go!  

The long and short of it is, we are currently meeting all legal obligations laid out in GDPR, and continue to do so as we've interpreted in the most recent Schrems II court case ruling last year. 

GDPR

You can always find our latest stance on GDPR at this link just like my colleague Lauren listed: https://www.atlassian.com/trust/privacy/gdpr

This is something we take very seriously, and protecting our customer's data is an utmost priority for us. 

Schrems II

After the Schrems II court case decision last summer of 2020, we released our statement on it, which you can find here: https://www.atlassian.com/trust/privacy/latest-updates/international-data-transfers

Atlassian is actively monitoring this space, to see how interpretations are being handled, and as courts set precedence against this decision. We are also actively participating in the privacy community.  

Data Residency

Atlassian is committed to offering Data Residency in those countries where our customers need it the most.  You can find information on our current Data Residency offering here: https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency-and-realms/

Cloud Roadmap

I also encourage everyone to follow our cloud roadmap here, I've highlighted the Data Residency parts specifically with this link: https://www.atlassian.com/roadmap/cloud?category=dataManagement&

In addition to data residency, you will also find our plans for BYOK and meeting additional regulated industry requirements. 

Data Management and Security Practices

I would also ask everyone to take a good read through all of our information on our Trust site: https://www.atlassian.com/trust

Here you can find a ton of information on all of the practices in place that help exemplify how seriously we take protecting your data. 

Customer Feedback

We also are engaging actively with our customers and partners on our Data Residency plans, and ensuring we fully understand your needs, so we can work to address them in the future.  Please feel free to join our discussion here: https://community.atlassian.com/t5/Cloud-Security-Compliance/gh-p/cloud-security-compliance

This is a great forum to join if you have any questions around compliance, regulated industries, data management, and/or data residency. 

Reply
5 votes
Christoph Roll
Christoph Roll April 11, 2018

Dear Atlassian team,

as you wrote in the announcement from the 1. December, you are committed and preparing for the GDPR, which comes in into force in Europe on the 25. May this year.
Unfortunately, this date is approaching and there is still some information missing, not only for me. The following questions need to be answered urgently in order to continue using your software:
- Will there be a Data Processing Agreement? (or should we send ours? ;)) This is a general requirement!
- Can we make sure or OnDemand instance is hosted in your data center in Ireland?
- What about privacy requirements as described for example in CONFCLOUD-7837 ?

I know/hope you guys are probably busy tackeling these challenges but our data protection officer is asking when we can expect information regarding the GDPR from Atlassian as our data processor.
Please be reminded that there will be severe penalties. Without clarification of the points, the further operation of the software after the 25. May is not possible for us and actually all your customers in Europe.

if I should overlook something, I ask for a pointer ;)

Best regards

View More Comments
Like # people like this
Fabrizio Galletti _Getconnected_
Fabrizio Galletti _Getconnected_ May 8, 2018

Any news?

Like
olivier.beaujean@bisnode.com
olivier.beaujean@bisnode.com May 17, 2018

Hello, same question on our side. Is there a Processor Agreement available? Should we send you ours? 

Like
Andreas Illmer
Andreas Illmer May 17, 2018

I wrote an email to privacy@atlassian.com and asked for a DPA. Everything went smooth then and I had my DPA within one day or so.

Like Joe Pakenham likes this
nihit jain
nihit jain May 22, 2018

Hello Andreas, we did mail to privacy@atlassian.com but didn't receive any reply. 

It would be really great if you can share the DPA with us.  Thanks!

Like
olivier.beaujean@bisnode.com
olivier.beaujean@bisnode.com May 22, 2018

same here, no reply yet

Like
Reply
2 votes
Andreas Springer _Actonic_
Andreas Springer _Actonic_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
June 18, 2019

Hi everybody,

I'm the Head of Marketing at Actonic and if you need a complete GDPR/DSGVO solution for Jira, please have a look at our app „GDPR (DSGVO) and Security for Jira“. It provides all the tools you need to become fully compliant quickly and easily. There's also a version for Confluence. Both can be found in the Atlassian Marketplace.

I hope this will be useful for some people here. Thank you!

Reply
2 votes
Boas Enkler
Boas Enkler March 29, 2018

Why isn't here any official statement of atlassian ? 

View More Comments
Like
Boas Enkler
Boas Enkler March 29, 2018

thx for the link at least a commitment. hopefully they will be intime...

Like
Deleted user April 9, 2018

Thanks - still no mention of Data Processing Agreement being available. When are we going to get it? Other companies - AWS, Salesforce, CA, etc already published their self-signed agreement. We need one from Atlassian.

Like
Matthew_Mills
Matthew_Mills April 11, 2018

Hi

Sorry to hijack the post, but as an organisation located in the UK just like many others on this thread? For us to be GDPR compliant we have to have our data stored in the EU.

Will that happen in time for May 25th? Will we be able to guarentee that our data will be held in Ireland?

Like
Reply
2 votes
Effie Bagourdi [Nimaworks]
Effie Bagourdi [Nimaworks] December 5, 2017

Have a look at this recent announcement (published Dec 01st, 2017).  Although it does not give any additional info regarding the EU data storage it starts with "Atlassian is committed to compliance with the General Data Protection Regulation (GDPR), which will go into effect May 25, 2018. "

View More Comments
Søren Riis Mønsted
Søren Riis Mønsted December 5, 2017

They say they are Privacy Shield certified, which is good in terms of transferring data outside EU, also under the new GDPR. But they still need to enter Data Processing Agreements with their customers, regardless of all other efforts they do.

Like
Reply
2 votes
Søren Riis Mønsted
Søren Riis Mønsted November 30, 2017

Atlassian needs to make a Data Processing Agreement with their customers in addition to Privacy Shield. This is a must-have if customers should be able to comply with GDPR.

View More Comments
Søren Riis Mønsted
Søren Riis Mønsted November 30, 2017

The requirement of having a Data Processing Agreement  applies even if they open a EU data center.

Like
Reply
2 votes
Aron Gombas _Midori_
Aron Gombas _Midori_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
September 12, 2017

Some months ago Atlassian suggested that they are opening their first data center located in Europe. I don't know what happened after, but it may worth some Googling...

OK, I looked this up for you: https://www.atlassian.com/trust/infrastructure

As it says it is "CURRENTLY IN PRIVATE BETA" and:

Atlassian has extended its cloud hosting infrastructure to Ireland. European customers of JIRA or Confluence cloud will benefit from improved performance and other advantages of local data storage.

View More Comments
GeertWeijsGEA
GeertWeijsGEA September 19, 2017

This step is mainly meant for "user experience improvement"

Storing data in Europe is one condition comply with GDPR, but not the only one.
Atlassian still states it will store all data in a location of their choice.

Meanwhile I got an answer from Atlassians legal office stating: "We are relying on our Privacy Shield certification to satisfy the onward transfer requirements under GDPR”

Our legal department estimates it is not enough to comply.

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
September 19, 2017

Same here, I'm told Privacy Shield won't be enough.  We need the option to host inside the EU.

The Beta in Europe is in Ireland, so that would solve it, if I understand correctly.  But only if Atlassian will guarantee that if you ask for EU data, it will only be held and processed in the Irish centre.

Like
Thomas Wrobel
Thomas Wrobel September 20, 2017

We are by now looking for an alternative. It is a pity because we like the Atlassian products. The way Atlassian behaves seems to show that they do not care about their European business. Maybe to them, it is neglectable, otherwise, they will wake up to customers changing to competitors.

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
September 20, 2017

This does generate some work for partners - as a test or demo Cloud system is used by a company, then they realise it's not suitable, they ask us to help migrate them to server.  Either their own hosted one, or by one of us that does managed services.  It's not the main driver of Cloud to Server migrations, but it's not insignificant.

Have you considered a managed service?  (Your comment suggests you don't want to run it yourself)

Like
GeertWeijsGEA
GeertWeijsGEA September 20, 2017

Hi Nic,

 

Actually we are considering both options. We already have a partner offering both solutions.

We might consider an alternative

May be you should start an office on the other side of the channel :)

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
September 20, 2017

:-) Tempting, as I probably don't want to live here after Brexit.

Like
Reply
1 vote
David Toussaint _Communardo_
David Toussaint _Communardo_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 18, 2018

Hey all,

I just wanted to let you now that there will be a new Jira app for anonymization by next week. An app for Confluence will be following shortly after. All the details are available already in the Atlassian Marketplace as well as in our Blog and website.

Disclaimer: I'm the product manager at the vendors company and am only posting this as the app does exactly what the initial question is all about.

Cheers, David

View More Comments
Technical Support-R4L
Technical Support-R4L July 4, 2018

so this is solved? JSD and all Atlassian products conform to GDPR? Please confirm. 

Like
Reply
1 vote
Andreas Illmer
Andreas Illmer April 23, 2018

Same here. It's getting urgent.

Reply
1 vote
Paul Cartwright
Paul Cartwright April 19, 2018

I too am looking for a contact to sign our DPA contract.

Reply
1 vote
rcole
rcole January 22, 2018

And the penalty is 4% of annual revenue or €10 million, whichever is greater. Just to underline to Atlassian that people will not be fucking around with non-compliance. :)

View More Comments
Celik Vedat
Celik Vedat March 7, 2018

It's 20 Million euros :P

Like
Reply
1 vote
Thomas Wrobel
Thomas Wrobel September 12, 2017

We have the same problem. If there is no answer and/or solution soon, we will have to switch to a self hosted Gitlab solution. 

Reply
0 votes
lauren
lauren
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 28, 2019

Hi everyone, 

I just wanted to share an update. Atlassian now has a GDPR page that includes a full description of our GDPR practices: https://www.atlassian.com/trust/privacy/gdpr

Hopefully this helps answer some of your questions!

View More Comments
Deleted user October 26, 2020

Can Atlassian update it's description and practices regarding the invalidation of Privacy Shield and the consequences for EU Customers?

Like Fabrizio Galletti _Getconnected_ likes this
Reply
0 votes
Amadeus UK Marketing Ltd
Amadeus UK Marketing Ltd April 30, 2018

Dear Atlassian team,

We are trawling through old Jira issues manually removing GDPR data. We find however that if we are updating the original issue log that the original description is kept in the comments.

Please urgently advise how I can remove those from the comments.

Kind regards

Dorthe

Reply
0 votes
Jen Phillips
Jen Phillips November 22, 2017

I'd also like an answer on this. We're currently looking at various ticketing solutions and Jira is winning on most points, but lack of GDPR compliance may be the sticking point.

View More Comments
Barry Kaplan
Barry Kaplan November 22, 2017

This is quite critical. Atalssian needs to be very clear here or a lot of JSD customers will have to jump ship. 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events