Atlas­si­an Cloud – three tips for use in con­for­mance with the GDPR

Whe­ther Jira, Con­fluence or Trel­lo, Atlas­si­an apps and ser­vices are high­ly popu­lar and have beco­me an indis­pensable part of day-to-day ope­ra­ti­ons for many com­pa­nies. Some time ago, the Australia-based pro­vi­der announ­ced the end of ser­ver sup­port and the launch of a Cloud-only stra­tegy. As of Febru­ary of this year, new apps can no lon­ger be purcha­sed for exis­ting ser­ver licen­ses, and ser­ver sup­port will be dis­con­tin­ued enti­re­ly on 15 Febru­ary 2024. From that point on, the­re will no lon­ger be any secu­ri­ty updates or bug fixes for cri­ti­cal vul­nerabi­li­ties. For Euro­pean cus­to­mers, this rai­ses the ques­ti­on as to the cir­cum­s­tances under which the Atlas­si­an Cloud can still be used in con­for­mance with data pro­tec­tion law.

Three tips for use of Atlas­si­an Cloud in con­for­mance with the GDPR

1. Atlas­si­an as pro­ces­sor: Use of Cloud ser­vices is a clas­sic exam­p­le of a pro­ces­sing arran­ge­ment, and that is the case for Atlas­si­an Cloud as well. But in accordance with the GDPR, con­trol­lers can only work tog­e­ther with pro­ces­sors which pro­vi­de suf­fi­ci­ent gua­ran­tees that pro­ces­sing will be con­duc­ted in such a way as to meet the requi­re­ments of data pro­tec­tion law. Asi­de from revie­w­ing the pro­ces­sing con­tract, com­pa­nies which use the Atlas­si­an Cloud must affirm that Atlas­si­an is a trust­wor­t­hy pro­vi­der and that it has taken ade­qua­te tech­ni­cal and orga­niza­tio­nal mea­su­res in order to ensu­re data security.
2. Appro­pria­te safe­guards for third-country trans­fer: Sin­ce Atlas­si­an is based in Aus­tra­lia and uses num­e­rous sub-processors which are spread out all over the world, a third-country trans­fer takes place even if the data are stored in the EU. In order to con­form with the GDPR, third-country trans­fers must pro­vi­de appro­pria­te safe­guards. One pos­si­bi­li­ty is adop­ti­on of the stan­dard con­trac­tu­al clau­ses (SCCs) issued by the EU Com­mis­si­on. In addi­ti­on, a Trans­fer Impact Assess­ment (TIA) must be performed.
3. Exten­si­ve docu­men­ta­ti­on: In order to com­ply with their legal duty to ren­der account, con­trol­lers should exten­si­ve­ly docu­ment the mea­su­res they take to ensu­re data pro­tec­tion in the Atlas­si­an Cloud. All imple­men­ta­ti­on steps, tech­ni­cal and orga­niza­tio­nal mea­su­res taken and secu­ri­ty pre­cau­ti­ons for the pro­tec­tion of per­so­nal data should all be docu­men­ted. If neces­sa­ry, this should also include a thres­hold ana­ly­sis and a data pro­tec­tion impact assess­ment on this basis.

Con­clu­si­on: Atlas­si­an Cloud pro­ducts can be used in con­for­mance with the GDPR

Despi­te the legal chal­lenges asso­cia­ted with the launch/transition to Atlas­si­an Cloud, tech­ni­cal and orga­niza­tio­nal mea­su­res can be taken to ensu­re and docu­ment that use of Jira, Con­fluence & Co. con­forms to the requi­re­ments of data pro­tec­tion law. Howe­ver, con­trol­lers should act quick­ly and take sui­ta­ble mea­su­res right away in view of the fact that ser­ver sup­port will soon be coming to an end, and in order to be pre­pared for pos­si­ble audits by the data pro­tec­tion aut­ho­ri­ties based on the Cloud strategy.