International data transfers following the Schrems II decision
What did the Court of Justice of the European Union decide regarding data transfers from the EU?
On July 16, 2020 the Court of Justice of the European Union (the Court) invalidated the EU-US Privacy Shield, which was one of the ways companies transferred data from the EU to the US in compliance with the General Data Protection Regulation (GDPR). At the same time, the Court confirmed that Standard Contractual Clauses (SCCs) continue to provide a valid mechanism for companies to transfer personal data outside the EU, subject to a case-by-case adequacy analysis.
On June 4, 2021, the European Commission updated the SCCs to meet the requirements of the GDPR. The updated SCCs include additional information and provisions required for companies to conduct their adequacy analysis.
What does this mean for Atlassian customers?
To address the Court’s decision, we have updated our DPA to include a full copy of the updated Standard Contractual Clauses (SCCs). Additionally, customers who have signed older versions of our DPA will remain compliant until Dec 27, 2022.
While the European Commission stated that older versions of the DPA signed before Sep 27, 2021 are legally sufficient, we anticipate that many customers will want to take advantage of the new DPA. If you wish to update your agreement to the latest DPA, please follow the instructions here.
Does Atlassian’s DPA address the UK-specific guidance?
Yes. In light of the Information Commissioner's Office of the UK (the “ICO”) publishing new transfer mechanisms for companies to rely upon when transferring personal data internationally, Atlassian has updated our DPA to include a UK addendum.
We remain committed to ensuring our customers' data is protected with the utmost care and in compliance with applicable data privacy laws and requirements.
How does Atlassian ensure that data remains protected outside of Europe?
Atlassian has put in place a number of measures to ensure that EU, UK and Swiss data remains protected when it is transferred outside of Europe.
In addition to incorporating the SCCs, our DPA also sets out Atlassian’s commitments to confidentiality, security of processing, customer controls, how Atlassian helps with incident notification, and how Atlassian helps our customers honor data subject rights. The combination of the Atlassian DPA, SCCs, security commitments and supplemental safeguards continues to offer our customers a robust level of protection.
Please also note that Atlassian:
- encrypts data in transit and at rest (see here for more information);
- offers data residency;
- is building BYOK encryption;
- publishes an annual Transparency Report with information about government requests for users' data as well as government requests to remove content or suspend accounts; and
- provides additional information about our policies and procedures for responding to requests for user data in our Guidelines for Law Enforcement.
For additional information on our security practices and how we’re complying with the GDPR, please visit this page.