Whether Jira, Confluence or Trello, Atlassian apps and services are highly popular and have become an indispensable part of day-to-day operations for many companies. Some time ago, the Australia-based provider announced the end of server support and the launch of a Cloud-only strategy. As of February of this year, new apps can no longer be purchased for existing server licenses, and server support will be discontinued entirely on 15 February 2024. From that point on, there will no longer be any security updates or bug fixes for critical vulnerabilities. For European customers, this raises the question as to the circumstances under which the Atlassian Cloud can still be used in conformance with data protection law.
Three tips for use of Atlassian Cloud in conformance with the GDPR
- Atlassian as processor: Use of Cloud services is a classic example of a processing arrangement, and that is the case for Atlassian Cloud as well. But in accordance with the GDPR, controllers can only work together with processors which provide sufficient guarantees that processing will be conducted in such a way as to meet the requirements of data protection law. Aside from reviewing the processing contract, companies which use the Atlassian Cloud must affirm that Atlassian is a trustworthy provider and that it has taken adequate technical and organizational measures in order to ensure data security.
- Appropriate safeguards for third-country transfer: Since Atlassian is based in Australia and uses numerous sub-processors which are spread out all over the world, a third-country transfer takes place even if the data are stored in the EU. In order to conform with the GDPR, third-country transfers must provide appropriate safeguards. One possibility is adoption of the standard contractual clauses (SCCs) issued by the EU Commission. In addition, a Transfer Impact Assessment (TIA) must be performed.
- Extensive documentation: In order to comply with their legal duty to render account, controllers should extensively document the measures they take to ensure data protection in the Atlassian Cloud. All implementation steps, technical and organizational measures taken and security precautions for the protection of personal data should all be documented. If necessary, this should also include a threshold analysis and a data protection impact assessment on this basis.
Conclusion: Atlassian Cloud products can be used in conformance with the GDPR
Despite the legal challenges associated with the launch/transition to Atlassian Cloud, technical and organizational measures can be taken to ensure and document that use of Jira, Confluence & Co. conforms to the requirements of data protection law. However, controllers should act quickly and take suitable measures right away in view of the fact that server support will soon be coming to an end, and in order to be prepared for possible audits by the data protection authorities based on the Cloud strategy.back