Hi @remie - thanks for your post, we appreciate that GDPR analysis can be complex.
Atlassian’s own in-house legal team, with assistance from subject matter experts in the privacy space, has devoted significant resources towards ensuring that our Cloud products are built and designed in accordance with widely accepted standards and certifications - for anyone following this discussion, you can learn more about our GDPR commitment here if you haven’t already seen it. While we are unable to provide any specific legal guidance on how our partners should interpret GDPR in relation to the products and services they offer to customers, we would like to pass along some high-level information to help clarify some of the questions raised in this thread. Ultimately, we recommend that partners always consult a lawyer with any concerns or questions about if and how the GDPR specifically applies to you.
Atlassian’s relationship with end-users. Where an individual end-user has access to Atlassian products purchased by an organization (for instance, the end-user’s employer), that organization (the customer) is the administrator of the Atlassian products that they purchase and is responsible for the accounts it controls. Atlassian enters into an agreement with that customer to provide these services and to process personal data on behalf of that customer (i.e., the employer) and not the individual end-user.
For more details, please see the preamble to the Cloud Terms of Service; the Atlassian User Notice; Exhibit A, Part A under “Categories of data subjects” of our customer Data Processing Addendum; and the Atlassian Privacy Policy sections on managed accounts and the “Notice to End Users.”
When is Atlassian a controller or processor? We publish this information in our Data Processing Addendum (DPA) with customers. At a high level: Atlassian predominantly acts as a processor of personal data on behalf of our customers, in connection with the provision of our cloud products. In certain circumstances, Atlassian acts as a controller of personal data (e.g. for billing processes, to comply with applicable laws and to ensure the security of our cloud products, etc.). You can learn more by reading section 2.2 of our customer DPA, as well as Exhibit A, Annex 1(B), Part B of the customer DPA.
Are Marketplace Partners sub-processors? No. When Atlassian engages a sub-processor who will process customer personal data on behalf of and at the direction of Atlassian, we enter into an agreement with that sub-processor and list them on this page. We do not list Marketplace Partners on this page because Marketplace Partners are not sub-processors to Atlassian.
If you think back to the controller / processor guidance in our DPAs 101 guide: Marketplace Partners who list their own customer-facing apps in our Marketplace aren’t processing customers’ personal data on behalf of Atlassian, or at the instructions of Atlassian, or in order to provide functionality to Atlassian - they’re usually either processing personal data for the benefit of the customers using their apps, or for themselves. This is in contrast to the companies you’ll see on our sub-processors list: vendors who process data on our behalf to provide a service to us, like AWS.
What’s the relationship between Marketplace Partners and customers? Marketplace Partners and their customers enter into an independent legal relationship each time a customer chooses to install an app. Under our Marketplace Partner Agreement, Marketplace Partners agree to enter into their own (1) End User Terms and (2) End User Privacy Policy with customers, for each Marketplace app they list (see Section 5.6 - End User Terms). Marketplace Partners are responsible for determining how they process data, what data processing role they take on with respect to their customers, and ensuring that data is processed in accordance with the commitments they make to their customers (see Section 8.4 - End User Data and Privacy-Related Obligations).
When should Marketplace Partners enter into a separate DPA with customers? Atlassian is not a part of this relationship and can’t dictate what legal terms you use to offer your apps to customers. That’s why we recommended in our DPAs 101 guide that if you are processing personal data, you should consider whether you are a data processor and whether you need a DPA in place with your customers. That said, the GDPR is a complex law and will apply differently to different apps, depending on where and how you do business, what data you collect about your customers and end-users, and how you use that data, among other things. If partners have any concerns or questions about how the GDPR specifically applies to you, we recommend that you consult a lawyer for further guidance.