Atlas­si­an Cloud – three tips for use in con­for­mance with the GDPR

Whe­ther Jira, Con­fluence or Trel­lo, Atlas­si­an apps and ser­vices are high­ly popu­lar and have beco­me an indis­pensable part of day-to-day ope­ra­ti­ons for many com­pa­nies. Some time ago, the Australia-based pro­vi­der announ­ced the end of ser­ver sup­port and the launch of a Cloud-only stra­tegy. As of Febru­ary of this year, new apps can no lon­ger be purcha­sed for exis­ting ser­ver licen­ses, and ser­ver sup­port will be dis­con­tin­ued enti­re­ly on 15 Febru­ary 2024. From that point on, the­re will no lon­ger be any secu­ri­ty updates or bug fixes for cri­ti­cal vul­nerabi­li­ties. For Euro­pean cus­to­mers, this rai­ses the ques­ti­on as to the cir­cum­s­tances under which the Atlas­si­an Cloud can still be used in con­for­mance with data pro­tec­tion law.

Three tips for use of Atlas­si­an Cloud in con­for­mance with the GDPR

  1. Atlas­si­an as pro­ces­sor: Use of Cloud ser­vices is a clas­sic exam­p­le of a pro­ces­sing arran­ge­ment, and that is the case for Atlas­si­an Cloud as well. But in accordance with the GDPR, con­trol­lers can only work tog­e­ther with pro­ces­sors which pro­vi­de suf­fi­ci­ent gua­ran­tees that pro­ces­sing will be con­duc­ted in such a way as to meet the requi­re­ments of data pro­tec­tion law. Asi­de from revie­w­ing the pro­ces­sing con­tract, com­pa­nies which use the Atlas­si­an Cloud must affirm that Atlas­si­an is a trust­wor­t­hy pro­vi­der and that it has taken ade­qua­te tech­ni­cal and orga­niza­tio­nal mea­su­res in order to ensu­re data security.
  2. Appro­pria­te safe­guards for third-country trans­fer: Sin­ce Atlas­si­an is based in Aus­tra­lia and uses num­e­rous sub-processors which are spread out all over the world, a third-country trans­fer takes place even if the data are stored in the EU. In order to con­form with the GDPR, third-country trans­fers must pro­vi­de appro­pria­te safe­guards. One pos­si­bi­li­ty is adop­ti­on of the stan­dard con­trac­tu­al clau­ses (SCCs) issued by the EU Com­mis­si­on. In addi­ti­on, a Trans­fer Impact Assess­ment (TIA) must be performed.
  3. Exten­si­ve docu­men­ta­ti­on: In order to com­ply with their legal duty to ren­der account, con­trol­lers should exten­si­ve­ly docu­ment the mea­su­res they take to ensu­re data pro­tec­tion in the Atlas­si­an Cloud. All imple­men­ta­ti­on steps, tech­ni­cal and orga­niza­tio­nal mea­su­res taken and secu­ri­ty pre­cau­ti­ons for the pro­tec­tion of per­so­nal data should all be docu­men­ted. If neces­sa­ry, this should also include a thres­hold ana­ly­sis and a data pro­tec­tion impact assess­ment on this basis.

Con­clu­si­on: Atlas­si­an Cloud pro­ducts can be used in con­for­mance with the GDPR

Despi­te the legal chal­lenges asso­cia­ted with the launch/transition to Atlas­si­an Cloud, tech­ni­cal and orga­niza­tio­nal mea­su­res can be taken to ensu­re and docu­ment that use of Jira, Con­fluence & Co. con­forms to the requi­re­ments of data pro­tec­tion law. Howe­ver, con­trol­lers should act quick­ly and take sui­ta­ble mea­su­res right away in view of the fact that ser­ver sup­port will soon be coming to an end, and in order to be pre­pared for pos­si­ble audits by the data pro­tec­tion aut­ho­ri­ties based on the Cloud strategy.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.