Atlassian’s LGPD Commitment
What is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) is a new Brazilian privacy law that went into effect on September 18, 2020, and regulates the collection, use, processing, storage, and transfer of personal data of Brazil data subjects.
How is the LGPD similar to the GDPR?
The LGPD is very similar to the GDPR, so most, if not all, of Atlassian’s existing GDPR compliance practices will be applicable.
One of the similarities the LGPD has with the GDPR is that the LGPD is applicable to any business or organization that processes data of Brazil data subjects, regardless of where the company or organization is located.
What is Atlassian doing to comply with the LGPD?
Data subject rights
We offer data portability and data management tools including:
- Profile deletion tool: We help customers and end users delete personal information, such as names and email addresses. We help customers respond to user requests to delete personal information, and we help both end users with Atlassian accounts and people without Atlassian accounts delete their personal information.
- Data Access requests: Atlassian Organization Admins can facilitate access of their managed users' data from Atlassian support. Unmanaged end users may also request that their personal data be accessed by initiating a data access request from Atlassian support. People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for access.
- Import and export tools: Customers may access, import, and export their Customer Data using Atlassian’s tools.
- To make a data deletion or access request via telephone, or if special accommodations are required, please leave a message at 1 (800) 804-5281 and our privacy support team will promptly be in touch.
Data Transfer Mechanisms
Atlassian supports appropriate international data transfer mechanisms by executing Standard Contractual Clauses through our updated Data Processing Addendum.
Data Security and Compliance
Like the GDPR, the LGPD requires companies to implement technical and organizational security measures to protect personal data.
Protecting our customers' information and their users' privacy is extremely important to us. We are entrusted with some of our customers' most valuable data, which is why we have built security into every layer of the Atlassian Cloud architecture. We provide replication, backup, and disaster recovery planning, encryption in transit and at rest, advanced threat detection, and more. Visit the Atlassian Security Practices page to learn more about our approach to security.
Additionally, we have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the LGPD and GDPR and give our customers a transparent framework by which to measure our software development and data management practices. Currently, we have certified a number of our products for ISO/IEC 27001 and ISO/IEC 27018 standards as well as SOC 2 and SOC 3 certifications. Our data centers, co-location, and managed service providers also undergo a thorough security assessment as a part of the evaluation process and then undergo regular SOC 1, SOC 2, and/or ISO/IEC 27001 audits thereafter.
To learn more about our Risk Management Program, current certifications, and commitments for our Cloud products, please see the Compliance page on our Trust Center.
Other LGPD commitments
- We have an Annex to our Data Processing Agreement with terms that cover compliance with the LGPD, available for download: LGPD Amendment to Atlassian DPA 2020-12-3.docx.pdf (07 Dec 2020, 12:54 PM).
- We have ensured that Atlassian staff who access and process Atlassian customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
- We hold any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.
- We are committed to carrying out data privacy impact assessments.
When does the LGPD come into effect?
The LGPD came into effect in September 2020, but enforcement will not start until August of 2021.
Other LGPD considerations
In August 2020, the Brazilian Presidency announced a decree creating Brazil’s Data Protection Authority, the ANPD. The ANPD will ultimately be responsible for issuing clarifying guidelines regarding the LGPD, receiving and addressing complaints from data subjects, and issuing sanctions for breaches of the law. We note that the President of Brazil nominated the five Directors of the ANPD on October 15, 2020, and that they were approved by the Brazilian Senate on October 20, 2020.
We will continue to monitor developments with the ANPD for further clarification regarding LGPD requirements.