Atlassian’s LGPD Commitment
What is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) is a Brazilian privacy law that was passed in 2018 by the Brazilian National Congress. In August 2020, the President of Brazil approved the creation of a federal independent regulatory authority - the Autoridade Nacional de Proteção de Dados (ANPD) - to interpret and enforce the LGPD, in addition to acting as the national supervisory authority. The law went into effect on September 18, 2020, with enforcement starting in mid-2021.
The LGPD regulates the collection, use, processing, storage, and transfer of personal data of Brazilian data subjects. It closely follows the European Union’s General Data Protection Regulation (GDPR), including an extraterritorial scope, meaning that any entity that processes the data of Brazilian data subjects will be subject to the LGPD, even if that entity is outside of Brazil. In addition, the LGPD's requirements to notify the supervisory authority and affected data subjects of data breaches, its definition of lawful bases for processing, and its heavy penalties for violations of the law are similar to those of the GDPR.
Atlassian and the LGPD
Atlassian commits to compliance with the requirements of the LGPD. We have amended our privacy program to encompass components of the law, including:
Data subject rights
We offer data portability and data management tools including:
- Profile deletion tool: We help customers and end users delete personal information, such as names and email addresses. We help customers respond to user requests to delete personal information, and we also help end users with Atlassian accounts, as well as people without Atlassian accounts, delete their personal information.
- Data access requests: Atlassian Organization Admins can facilitate access to their managed users' data through Atlassian support. Unmanaged end users may also request access to their personal data by initiating a data access request from Atlassian support. People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for access.
- Import and export tools: Customers may access, import, and export their Customer Data using Atlassian’s tools.
- To make a data deletion or access request via telephone, or if special accommodations are required, please leave a message at 1 (800) 804-5281 and our privacy support team will promptly be in touch.
Data Transfer Mechanisms
Atlassian supports appropriate international data transfer mechanisms by executing Standard Contractual Clauses through our updated Data Processing Addendum.
Data Security and Compliance
Like the GDPR, the LGPD requires companies to implement technical and organizational security measures to protect personal data.
Protecting our customers' information and their users' privacy is extremely important to us. We are entrusted with some of our customers' most valuable data, which is why we have built security into every layer of the Atlassian Cloud architecture. We provide replication, backup, and disaster recovery planning, encryption in transit and at rest, advanced threat detection, and more. Visit the Atlassian Security Practices page to learn more about our approach to security.
Additionally, we have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the LGPD and GDPR and give our customers a transparent framework by which to measure our software development and data management practices. Currently, we have certified a number of our products for ISO/IEC 27001 and ISO/IEC 27018 standards as well as SOC 2 and SOC 3 certifications. Our data centers, co-location, and managed service providers also undergo a thorough security assessment as a part of the evaluation process and then undergo regular SOC 1, SOC 2, and/or ISO/IEC 27001 audits thereafter.
To learn more about our Risk Management Program, current certifications, and commitments for our Cloud products, please see the Compliance page on our Trust Center.
Other LGPD considerations
In August 2020, the Brazilian Presidency announced a decree creating Brazil’s Data Protection Authority, the ANPD. The ANPD is responsible for issuing clarifying guidelines regarding the LGPD, receiving and addressing complaints from data subjects, and issuing sanctions for breaches of the law.
We continue to monitor developments with the ANPD for further clarification regarding LGPD requirements.