This guide describes how app developers can comply with user privacy requirements, as detailed by the General Data Protection Regulation (GDPR). On this page, you'll find information on your responsibilities as an app developer for Atlassian and instructions on how to meet these responsibilities.
In addition to this guide, you should read Data privacy guidelines for general guidelines on user privacy and Marketplace apps.
Personal data (PD) is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data, such as these fields: email, avatar, username, and full name.
The GDPR governs the processing of personal data of individuals by an individual, company, or organization. As an app developer, you must ensure that your apps comply with the GDPR when handling the personal data for users. This includes:
In order to comply with these requirements, we recommend that your apps do not store any user personal data and always retrieve current user data at the time of use using Atlassian APIs. This is the simplest and most reliable solution, as you don't need to worry about managing and reporting user personal data for your apps. If you choose this approach, you don't need to read the rest of this guide.
However, if you choose to store user personal data with your apps, Atlassian has built the following capabilities to help you comply with the GDPR:
Read the following sections on reporting data and storing data to learn how to use these capabilities.
As an app developer, you are required to periodically report the user personal data that your apps are
storing. You must report each accountId
, which is a short hand reference to an Atlassian Account ID.
An accountId
uniquely identifies a user across all Atlassian products. It is 1-128 characters long, and
may contain alphanumeric characters, as well as -
and :
characters. Note that you must use accountIds
to report personal data usage, even if the API permits other identifiers.
At a high level, this is how to do reporting for your apps:
The cycle period defines the required period of time between sending reports for a given accountId. You can think about it as the maximum allowable staleness of the reported data that is stored by Atlassian.
By default, the cycle period is 7 days.
However, the polling resources may return a different cycle
period (in the Cycle-Period
header) that you must follow instead. Note, you
should not send reports more frequently than the cycle period for each accountId
.
When setting up reporting for your apps, also consider the following recommendations:
In addition to reporting user personal data for your apps, you must ensure that you are storing user personal data for your apps correctly:
The following accountIds should be used by vendors for testing:
5be24ad8b1653240376955d2
5be24ba3f91c106033269289
There is no fixed accountId that can be used to test for the updated case.
Atlassian will be monitoring correct usage of the API detailed in this guide. For example, our systems will detect the case of apps repeatedly checking the status of a closed account beyond a reasonable time frame. For this reason, repeated/regression testing of the closed account case should only be done using the closed test account provided above since we have added this accountid to the blocklist from our anomaly detection logic.
The Personal data reporting API is a RESTful API that allows apps to report the user accounts for which they are storing personal data. For flexibility and efficiency, the API allows multiple accounts to be reported on in a single request.
The Personal data reporting API has two polling resources: one for reporting for Connect apps and another for reporting for OAuth 2.0 authorization code grants (3LO) apps:
These resources are described in detail below.
POST /rest/atlassian-connect/latest/report-accounts
POST /wiki/rest/atlassian-connect/latest/report-accounts
Reports a list of user accounts and gets information on whether the personal data for each account
needs to be updated or erased.
Authentication: JWT authentication. See the Authentication section of the
REST API.
This operation has no parameters.
Content type: application/json
Each request allows up to 90 accounts to be reported on. For each account, the
accountId and time that the personal data was retrieved must be provided. The time format is
defined by
RFC 3339, section 5.6.
Example request (application/json):
1 2{ "accounts": [{ "accountId": "account-id-a", "updatedAt": "2017-05-27T16:22:09.000Z" }, { "accountId": "account-id-b", "updatedAt": "2017-04-27T16:23:32.000Z" }, { "accountId": "account-id-c", "updatedAt": "2017-02-27T16:22:11.000Z" }] }
200
(Content type: application/json): The request is successful and one or more personal data
erasure actions are required. The information is contained in an accounts
array where each object
identifies the accountId and whether the reason for the erasure is due to the closure of
the account or invalidation of the app's copy of personal data due to the some update. In
the case of the latter, the app is permitted to re-request personal data.Example response (application/json):
1 2{ "accounts": [{ "accountId": "account-id-a", "status": "closed" }, { "accountId": "account-id-c", "status": "updated" }] }
204
: The request is successful and no action by the app is required, with respect to the accounts
sent in the request.400
: The request was malformed in some way. A body may be present, giving additional information.Example response (application/json):
1 2{ "errorType": "string", "errorMessage": "string" }
403
: The request is forbidden.429
: Rate limiting applies. The app must follow the rate limiting directives provided in response
headers.500
: An internal server error occurred. A body may be present, giving additional information.Example response (application/json):
1 2{ "errorType": "string", "errorMessage": "string" }
503
: The service is currently unavailable. The service may be unavailable during initial development
or due to an outage of an upstream dependency.POST https://api.atlassian.com/app/report-accounts/
Reports a list of user accounts and gets information on whether the personal data for each account needs to be updated or erased. This resource is for OAuth 2.0 authorization code grants (3LO) apps only.
Note, to use this API you must add the Personal data reporting API to your app from the Permissions section in the developer console.
Authentication: OAuth 2.0 authorization code grants.
This operation has no parameters.
Content type: application/json
Each request allows up to 90 accounts to be reported on. For each account, the
accountId and time that the personal data was retrieved must be provided. The time format is
defined by
RFC 3339, section 5.6.
Example request (application/json):
1 2{ "accounts": [{ "accountId": "account-id-a", "updatedAt": "2018-10-25T23:08:51.382Z" }, { "accountId": "account-id-b", "updatedAt": "2018-10-25T23:14:44.231Z" }, { "accountId": "account-id-c", "updatedAt": "2018-12-01T02:44:21.020Z" }] }
200
(Content type: application/json): The request is successful and one or more personal data erasure
actions are required. The information is contained in an accounts
array where each object
identifies the accountId and whether the reason for the erasure is due to the closure of
the account or invalidation of the app's copy of personal data due to the some update. In
the case of the latter, the app is permitted to re-request personal data.
Example response (application/json):
1 2{ "accounts": [{ "accountId": "account-id-a", "status": "closed" }, { "accountId": "account-id-c", "status": "updated" }] }
204
: The request is successful and no action by the app is required with respect to the accounts
sent in the request.
400
: The request was malformed in some way. The response body contains an error message.
Example response (application/json):
1 2{ "errorType": "string", "errorMessage": "string" }
429
: Rate limiting applies. Delay by the time period specified in the Retry-After
header (in seconds)
before making the API call again.
500
: An internal server error occurred. The response body contains an error message.
Example response (application/json):
1 2{ "errorType": "string", "errorMessage": "string" }
503
: The service is unavailable.
Rate this page: