App stores personal data? How to do analytics right

Hi all, here comes a question related to GDPR, Personally Identifiable Information (PII) and Analytics.

When publishing an App (3LO in our case, similar to other App types I guess), Atlassian asks:

App stores personal data?
Select “Yes” if you copy and store personal data associated with user references (e.g. AccountID) in your own systems or if you cache data for longer than 24 hours.

So far our App only stores the Atlassian Account ID of the user and gets other details like email address on-the-fly, which I believe means we can answer No here. However I’m not sure, since the accountId is considered Personally Identifiable Information, right?

Second, we are setting up an analytics system and think about using the accountId to store certain user events (specific actions like ‘page created’, ‘feature x used’). Do we need to obfuscate the accountID in such records? If yes, would a simple hash of the AccountID be an identifier we can use without GDPR considerations?

Thanks for your thoughts on this!
Lukas

Tagging some people I’ve seen are knowledgeable during my research: @ldellatorre @remie @akassab

3 Likes

Atlassian account ID is not PII. If you only store this and do not store other attributes (like name and email address) then you can answer No.

1 Like

Hi Raimonds!

Thanks for the answer!

What about the second part, if we store the Atlassian ID together with some Analytics data, would we need to delete such data if a user wants us to? And if so, could we avoid that by not storing the Atlassian ID, and instead use a hash of it as identifier in our Analytics system?

Greetings
Lukas
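
Added example, not part of any post in this thread: a Python sketch of what "a hash of the accountId" does technically in an analytics store. It shows that an unkeyed hash can be recomputed by anyone who knows the accountId, so the records stay linkable to that user and can be located for deletion, while an HMAC needs a secret key; the account IDs, events, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample events: (accountId, action). IDs are made up.
SAMPLE_EVENTS = [
    ("example-account-A", "page created"),
    ("example-account-B", "feature x used"),
    ("example-account-A", "feature x used"),
]

def plain_hash(account_id: str) -> str:
    """Unkeyed SHA-256: anyone who knows the accountId can recompute it."""
    return hashlib.sha256(account_id.encode("utf-8")).hexdigest()

def keyed_hash(account_id: str, key: bytes) -> str:
    """HMAC-SHA256: recomputing the pseudonym requires the secret key."""
    return hmac.new(key, account_id.encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymize(events, hasher):
    """Replace the accountId in each event with its hash before storing."""
    return [{"user": hasher(acc), "action": action} for acc, action in events]

def records_for(store, account_id, hasher):
    """Locate a user's records by recomputing the pseudonym from the accountId."""
    target = hasher(account_id)
    return [r for r in store if hmac.compare_digest(r["user"], target)]

def erase(store, account_id, hasher):
    """Return the store without any record belonging to account_id."""
    target = hasher(account_id)
    return [r for r in store if not hmac.compare_digest(r["user"], target)]

if __name__ == "__main__":
    # Unkeyed: the analytics rows contain no accountId, yet the ID alone
    # is enough to find (and delete) that user's rows again.
    store = pseudonymize(SAMPLE_EVENTS, plain_hash)
    print(len(records_for(store, "example-account-A", plain_hash)))

    # Keyed: the same lookup only works for whoever holds the key.
    key = b"constructed-demo-key"  # assumption: kept outside the analytics system
    with_key = lambda acc: keyed_hash(acc, key)
    wrong_key = lambda acc: keyed_hash(acc, b"some-other-key")
    kstore = pseudonymize(SAMPLE_EVENTS, with_key)
    print(len(records_for(kstore, "example-account-A", with_key)))
    print(len(records_for(kstore, "example-account-A", wrong_key)))
    print(len(erase(kstore, "example-account-A", with_key)))
```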