Atlassian Perspective on Data Privacy

Rapid advancements in data collection, processing, and storage technologies have led to the creation of legal regulations aimed at protecting personal data privacy and ensuring that all individuals involved in data operations are subject to oversight.

The Personal Data Protection Law ("KVKK") and the General Data Protection Regulation ("GDPR") are regulations intended to protect individuals' privacy rights and information security. Additionally, these regulations aim to prevent the unlimited and arbitrary collection of personal data, its exposure to unauthorized individuals, and the violation of personal rights through unauthorized use or misuse.

What is KVKK?

KVKK stands for the Personal Data Protection Law. Alongside this law, the KVKK institution was established to manage and sustain the processes. Since then, inspections have begun, and serious steps have been taken to protect personal data. The KVKK law, which had been in draft form for a long time, was officially published on April 7, 2016, and came into effect. This established the rules and obligations for companies processing personal data, from processing to the protection of privacy, in order to safeguard individuals' fundamental rights and freedoms.

What is GDPR?

The General Data Protection Regulation (GDPR) is the most stringent privacy and security law in the world. Although it was designed and adopted by the European Union (EU), it imposes obligations on any organization that targets or collects data from individuals within the EU, regardless of where the organization is located. In summary, GDPR sets rules for how companies, governments, and other organizations can process personal data of EU citizens or residents. GDPR aims to strengthen and unify data protection laws for all individuals within the European Union.

GDPR's Seven Fundamental Principles:

  • Lawfulness, fairness, and transparency.
  • Purpose limitation.
  • Data minimization.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

Similarities between GDPR and KVKK

One of the most significant similarities between the two regulations is their scope of application. GDPR provides a broader scope compared to KVKK, so all companies processing personal data of individuals within the EU are obligated to comply with GDPR, regardless of their location. In short, GDPR covers all data stored by firms with servers in Europe.

Additionally, while KVKK holds data controllers accountable to the Personal Data Protection Authority ("KVK") regarding the processing, deletion, and collection of personal data, GDPR holds data controllers accountable under the accountability principle for all fundamental principles. Under KVKK, data controllers are required to register with the Data Controllers Registry Information System ("VERBIS").

Another critical similarity falls under the heading of penalties. While KVKK stipulates a maximum penalty of 1,000,000 TL, GDPR imposes fines up to 4% of annual global turnover or €20,000,000, whichever is higher. This demonstrates the importance of compliance with GDPR to avoid such substantial penalties.

It is reasonable to say that there is significant similarity between KVKK and GDPR.

Atlassian is subject to GDPR.

Atlassian's Commitment to GDPR

Atlassian is committed to continuously investing in the success of its customers and the protection of customer data. Ensuring data security involves helping Atlassian customers and users understand and comply with the General Data Protection Regulation (GDPR). GDPR, which came into effect on May 25, 2018, represents the most significant change in European data privacy legislation in the last 20 years.

Designed to provide EU citizens with more control over their data and to consolidate existing privacy and security laws under a single comprehensive law, GDPR is applicable not only to organizations within the EU but also to all companies processing and holding personal data of individuals residing in the EU, regardless of the company's location.

This page explains Atlassian's approach and investment in GDPR compliance and how it assists customers in achieving GDPR compliance.

GDPR Compliance

We recognize that our customers have GDPR-specific requirements arising from their use of Atlassian products and services, so we have dedicated significant resources to assist them in meeting their GDPR and local law requirements.

Below are some GDPR initiatives applied to Atlassian's cloud products:

  • Significant investments in security infrastructure and certifications.
  • Supporting appropriate international data transfer mechanisms by maintaining Privacy Shield certifications and implementing Standard Contractual Clauses through updated Data Processing Addenda.
  • Profile deletion tool: Assisting customers and end users in deleting personal information such as names and email addresses.
  • Import and export tools: Allowing customers to access and import/export Customer Data using Atlassian’s tools.
  • For data deletion or access requests by phone or if specific arrangements are needed, you can leave a message at (800) 804-5281 to have the privacy support team contact you.
  • Necessary updates have been made to relevant contract terms.
  • Ensuring that Atlassian personnel who access and process customers’ personal data are trained on processing such data and are responsible for maintaining its privacy and security.

Security and Certifications

Protecting customer information and user privacy is extremely important to Atlassian. Some of our customers’ most valuable data is entrusted to us, so we have implemented security at every layer of the Atlassian Cloud architecture. We provide redundancy, backup, disaster recovery planning, encryption in transit and at rest, advanced threat detection, and more.

Certain products are certified with ISO / IEC 27001, ISO / IEC 27002, and ISO / IEC 27018 standards, as well as SOC2 Type II certifications.

International Data Transfers

Atlassian customers can rely on Privacy Shield certifications or Standard Contractual Clauses to legally transfer personal data to Atlassian Cloud products outside the European Economic Area.

Atlassian does not access, collect, store, or otherwise process personal data in connection with the provision of our Server and Data Center products, except in limited situations where optional support services are provided. Therefore, most of the GDPR obligations applicable to data processors do not apply to Atlassian in the context of Server or Data Center. Atlassian does not provide a DPA when using Atlassian Server or Data Center products as Atlassian acts as a data processor.

Data Portability, Data Access, and Right to Erasure

If you host customer data in Atlassian products, we assist in fulfilling data export requests. Atlassian provides robust data portability and management tools for exporting product and user data.

Additionally, Atlassian makes it easy to delete personal data from Atlassian Cloud products, helping customers meet their obligations under GDPR’s right to erasure (or right to be forgotten).

Atlassian Organization Admins can facilitate the deletion of managed users’ accounts through the admin portals. End users can also request account deletion from their Atlassian account profile page. Individuals who provide personal data to Atlassian but do not have Atlassian accounts can also make a deletion request.

Atlassian Organization Admins can facilitate access to managed users' data through Atlassian support. Unmanaged end users can also request access to their personal data by initiating a data access request with Atlassian support. Individuals who provide personal data to Atlassian but do not have Atlassian accounts can also request access.

Privacy and Consent

Privacy is important to Atlassian, and it is crucial to be transparent about how information is collected, used, and shared.

Atlassian provides its Server and Data Center products in a downloadable format. Atlassian does not access, collect, store, or otherwise process personal data in connection with providing these downloadable products to Server and Data Center customers, except in limited situations where optional support services are provided.
