Ah yes… welcome to the Atlassian predicament.
Let’s do a little trip down memory lane. The year is 2019 and Atlassian is scrambling to implement GDPR, which came into effect since May 2018.
For most companies, GDPR is a mess, but for Atlassian, it is a true nightmare. For a couple of years now, Atlassian has been migrating users to their new Atlassian ID infrastructure, which it created to scale her somewhat new Cloud offering.
You see, initially Atlassian thought it could get away with just serving “hosted Jira” as a Cloud solution. But that really didn’t scale well and resulted in a massive AWS bill. So they decoupled her Cloud & on-premise products and started to rethink identity management in Cloud. She came up with a brilliant idea: one Atlassian ID to rule them all. Individual users would get an Atlassian ID and those Atlassian ID could be used with all Atlassian products and linked to an indefinite amount of company instances. In theory one could have a personal Atlassian ID and keep that ID when they switch employers.
Then GDPR came along and Atlassian was completely f*cked. Because not only was the Atlassian ID coupled to individuals, those individuals could also use the same Atlassian ID for consumer facing products (like Trello and Bitbucket) as well as for business use.
That means that Atlassian was both a Data Controller as well as a Data Processor for that same user, making the whole “consent” issue a lot more difficult compared to other B2B SaaS solutions. While the rest of the SaaS world simply said that they either were Data Controller (b2c) or Data Processor on behalf of the company and that consent was not required because of contractual clauses (B2B), Atlassian had created a mixed bag.
It became even worse because Atlassian also had a Marketplace where Marketplace Partners were getting access to Atlassian data on behalf of Atlassian customers, which included PII from Atlassian ID for which Atlassian was responsible of the data.
So they did what any normal company would do: they created a legal monstrosity. The gist is: Atlassian ID is a one-on-one relationship between Atlassian and the individual, and Atlassian is the gatekeeper of all PII related to the Atlassian ID.
Even if your employees use their work email, they have created their Atlassian ID accounts as individuals, entering into a separate legal construct with Atlassian with regard to the Data Controller/Data Subject relationship that is not related to the agreement they may/may not have with their employer.
And Atlassian is taking the responsibility of safeguarding this data very, very, very serious. Meaning that you will not get access to that data unless absolutely necessary in a very controlled environment.
So yeah, short answer is that you won’t get this data from Atlassian even if you somehow feel that this was your data to begin with.