Atlassian is committed to our customers' success and the protection of their data by ensuring that we comply with the General Data Protection Regulation (GDPR) and all privacy-related regulations. The GDPR is designed to give European Union citizens more control over their data and seeks to unify a number of privacy and security laws under one comprehensive law. The GDPR not only applies to organizations located within the EU, but it also applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location. Anyone who violates the privacy and security standards required by this law could face harsh fines and a disruption of their services.
Main elements of the regulation
The intention of the GDPR is to acknowledge the value of personal data and the agency individuals have over their own personal data. Article 5 explains the spirit of the legislation:
- Data should be processed with the fair consent of the data subject, transparently, and in accordance with the law.
- Data will be collected and used for the purposes you give to the data subject, and not beyond this. (There are some exceptions, in the case of using data for the “common good.”)
- Only collect what you need, and no more. This benefits both the data subject and your organization; no sense in being responsible for protecting data you don’t actually need.
- Data should be maintained for accuracy, and when it is no longer accurate or up to date, steps should be taken to rectify this or delete the data.
- Data should be kept in a form that identifies data subjects only for as long as is necessary, and should be discarded when it’s no longer useful.
- Data should be stored in a way that preserves its integrity and confidentiality.
International Data Transfers
As a company with a global customer base and operations, Atlassian must be able to transfer and access data around the world. We understand and respect the rules for onward transfers of personal data outside of the European Economic Area (EEA), and offer customers a robust international data transfer framework as a part of our Data Processing Addendum. This addendum ensures that our customers can lawfully transfer personal data to Atlassian Cloud products outside of the EEA, even with the recent updates of the Schrems II ruling, by relying on the Standard Contractual Clauses. In addition to the addendum, Atlassian is committed to protecting customer data privacy and rights by only responding to law enforcement requests after a comprehensive legal review. Our team publishes an annual Transparency Report with information about government requests for users’ data as well as government requests to remove content or suspend user accounts.
Whenever we share your data with Atlassian service providers, we remain accountable to you for how it is used by any of these organizations. We require all service providers to undergo a thorough diligence process and enter into contracts that ensure our customers' personal data receives adequate protection and safeguards.