When you use Atlassian products through an employer or organization, that organization is typically the data controller and Atlassian acts as a processor, meaning your employer's privacy policies and the terms negotiated between Atlassian and your employer govern how your data is handled, not solely this policy.
This analysis describes what Atlassian's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that employees and contractors using Atlassian tools through an enterprise account may need to direct data subject rights requests to their employer rather than directly to Atlassian, and their employer's data governance practices apply to content within the account.
For users accessing Atlassian services through an employer or organization, the employer administrator controls data processing decisions including retention, deletion, and access to content. Atlassian's direct data subject rights procedures may be limited in this context, as the employer is designated as the controller under the policy.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Atlassian has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Atlassian is the controller of personal information covered by this Privacy Policy. In some instances, the customer (the 'administrator') decides how and why personal information is processed. In those instances, Atlassian is the processor of that information. The rights and obligations of customers who act as controllers are described in the agreements between Atlassian and those customers, including the Data Processing Addendum.— Excerpt from Atlassian's Atlassian Privacy Policy
(1) REGULATORY LANDSCAPE: The GDPR's controller/processor framework under Articles 4, 24, and 28 requires a written Data Processing Agreement between Atlassian and enterprise customers acting as controllers. The UK GDPR imposes equivalent requirements. Regulators in the EU and UK may scrutinize whether DPA terms are adequate, particularly regarding sub-processor obligations and audit rights. (2) GOVERNANCE EXPOSURE: High for enterprise compliance teams. Organizations must ensure an executed Atlassian DPA is in place and that internal policies address how employee data within Atlassian environments is governed, including retention schedules and access controls. (3) JURISDICTION FLAGS: EU and UK organizations have mandatory DPA requirements under GDPR Article 28. US organizations in regulated industries (healthcare, financial services) should assess whether additional agreements (BAA, financial data addenda) are required in addition to the standard DPA. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm the Atlassian DPA is executed and that the sub-processor list is reviewed and accepted. The DPA should address cross-border transfer mechanisms, incident notification timelines, and audit rights. Responsibility allocation for data subject rights requests (deletion, access) between Atlassian and the enterprise customer should be clearly documented. (5) COMPLIANCE CONSIDERATIONS: Enterprise legal teams should map all categories of personal data processed within Atlassian tools, document Atlassian as a processor in their Article 30 records, and establish internal procedures for handling data subject requests that originate from employees using Atlassian products.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that employees and contractors using Atlassian tools through an enterprise account may need to direct data subject rights requests to their employer rather than directly to Atlassian, and their employer's data governance practices apply to content within the account.
For users accessing Atlassian services through an employer or organization, the employer administrator controls data processing decisions including retention, deletion, and access to content. Atlassian's direct data subject rights procedures may be limited in this context, as the employer is designated as the controller under the policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Atlassian.