The following information is provided for information purposes only. They do not constitute legal advice. In particular, they are not intended to and cannot replace legal advice that takes into account the specifics of the individual case. When we report on cases, in particular court decisions, their results may not be used to infer a similar outcome in other cases.
We make every effort to select all information provided with care and to update or supplement it as necessary. Nevertheless, we cannot guarantee that the information in this text is up-to-date, complete, or correct.
In the current situation, our customers frequently ask about the compliance of the Atlassian Cloud with the GDPR with regard to the international transfer of data, which cannot be ruled out. Especially the "Schrems II ruling" of the European Court of Justice from July 2021 and the associated invalidity of the so-called "Privacy Shield" leave many questions open on the part of our customers and causes uncertainty.
According to the GDPR, the international transfer of personal data outside the EU always requires special justification. In practical terms, two legal bases are particularly relevant here - both are the subject of the ECJ ruling:
With an adequate decision, the EU Commission can determine that the legal system of a country outside the EU has a level of data protection equivalent to that of the EU. Data transfers to such a third country thus follow the regime for data transfers within the EU. Under the EU's Privacy Shield agreement with the U.S., this also applied to data transfers to certified recipients in the U.S. if they submitted to the Privacy Shield regime.
The second relevant mechanism is the so-called standard contractual clauses (SCC). These are model contracts formally adopted by the EU Commission. If the contracting parties agree to the applicability of these clauses for their data transfers, then - according to the conception of the GDPR - the contractual provisions compensate for the alleged data protection deficit in the recipient country.
Contrary to opinions to the contrary, the ECJ has now merely declared the EU Commission's adequacy decision on the Privacy Shield invalid due to uncontrolled possible data access by US authorities. The above-mentioned standard contractual clauses as such, however, have been explicitly confirmed by the ECJ as a suitable means of securing international data transfers. However, according to the ECJ, the decision to transfer should not be based solely on the standard contractual clauses. It is up to each company to "assess in each individual case - if necessary in cooperation with the recipient of the transfer - whether the law of the third country of destination ensures adequate protection [...] in accordance with Union law and, if necessary, to provide more guarantees than those offered by those clauses."
The ECJ thus states that data transfers outside the EU are possible if the standard contractual clauses referred to are used for this purpose and additional "safeguards" are taken by companies to ensure that the level of data protection under the standard contractual clauses is respected by the contractual partner. However, the ECJ does not comment on what these protective measures must or can look like. However, the European Data Protection Committee (EDSA) has already commented on this in its FAQ (https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf.) According to this, the additional protective measures required must be determined by the companies themselves with the help of a risk assessment - which should include the sensitivity of the data to be transferred, among other things. However, according to the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, examples of additional protective measures may include the contractual specification of particularly secure encryption of personal data or the pseudonymization of personal data. (https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/08/Orientierungshilfe-Was-jetzt-in-Sachen-internationaler-Datentransfer.pdf).
According to the EDSA, the scope of the additional protective measures must depend on the categories of personal data that are transmitted.
In order to agree on the aforementioned standard contractual clauses, including the additional measures deemed necessary, a comprehensive contract can therefore be concluded with the cloud provider for a cloud solution with international data transfer in accordance with the ruling of the ECJ.
What can this mean for the Atlassian Cloud?
Atlassian offers a contract containing the standard contractual clauses to its cloud customers at the following link: https://www.atlassian.com/legal/data-processing-addendum and states that the Atlassian Cloud - even in the case of an international data transfer to the U.S. - can now already be contractually designed to comply with the GDPR. Among other things, the EU standard contractual clauses, as well as annual audit rights and information on the special encryption of data are included in this GCU. In addition, Atlassian assures to inform the customers immediately about any unlawful access to their data.
In the Standard, Premium, and Enterprise variants of the Atlassian Cloud Services, a storage location in the EU may be specified for certain - but not all - Data.
Whether these additional protective measures of Atlassian are sufficient for the individually required commissioned processing must be assessed by each customer itself based on the type of data to be processed and the internal risk assessment. If Customers conclude that the additional safeguards are not sufficient, additional safeguards may be agreed upon with Atlassian within the GCU. However, the extent to which this is possible is beyond our knowledge, as this agreement can only be concluded between Atlassian and the customers. All questions regarding this agreement should therefore be directed exclusively to Atlassian.
It should therefore be noted that German companies can continue to use cloud services for their data, even taking into account the Schrems II ruling of the ECJ, if the factual and contractual design of these services meets certain requirements.
Further information on this topic can be found, among other places, in the FAQ of the European Data Protection Committee (EDSA) at the following link: https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf. EDSA states in these FAQs, among other things, that they plan to publish an opinion in a timely manner with regard to the possible additional safeguards.
//SEIBERT/MEDIA GmbH
Luisenstraße 37-39, 65185 Wiesbaden