Storing personal data in user properties is gdpr compliant?

gdpr

#1

Effective at 10 Dec 2018 there will be a new required field for cloud apps, stating if personal data is stored outside of Atlassian systems by an app. We have an app that stores user data in user properties (/rest/api/2/user/properties). We think that this means that we still can select “No” in the new field.

Is this correct?


#2

@m.schmidt, that sounds a bit odd to me. Can you be more specific as to what personal data you are storing in user properties, and for what purpose?


#3

@m.schmidt - Jira will not clear user properties after data deletion is processed for account close. This means that if you are storing personal data in user properties you should help clear personal data after account close which means you will have to select “Yes” and implement the Personal Data Reporting API.


#4

@epehrson @akassab We currently store the userids of users (covering for a user that is not in office), but change to accountIds there also.

Other data that is stored there is project ids and a personal message, that is send, when someone assigns an issue to this user.

This information is automatically deleted as soon as the date of the absence is over.

Does this still mean we must implement the api?


#5

@m.schmidt, if you replace any user identifiers in those user properties by account IDs, then you will not be storing any personal data. The project ID is an Atlassian entity identifier, and the personal message is user-generated content. Neither is considered personal data.

As long as you store user keys or usernames or other personal data in user properties, you will be required to select “Yes” in the Marketplace selector and report on these user accounts. Once you complete the migration to account ID, you can select “No”.


#6

Hi,

Is this also need for Server Apps? My Add-on named Timesheet for Confluence stores usernames in MySQL database installed to customers server? So do I need to select “Yes” on this?


#7

Hi @matti.kiviharju -

The field applies to all apps (Server / Cloud / Data Center). The requirement to implement the personal data reporting API is only applicable for Cloud.