データ転送影響評価
最終更新日: 2023 年 9 月 19 日
概要
This Data Transfer Impact Assessment (“DTIA”) serves the purpose of assisting Atlassian customers as well as Forge developers in conducting a risk assessment for the transfer of personal data in connection with Atlassian’s provision of its Cloud Products, Support, and Services (together, “Services”), and Forge Platform (“Forge”), and subsequent processing of such personal data by Atlassian, its Affiliates and sub-processors in light of the “Schrems II” ruling of the Court of Justice for the European Union and the subsequent recommendations from the European Data Protection Board. The DTIA supplements the information necessary for compliance with data transfer provisions under the European Data Protection Law as defined in our Atlassian Data Processing Addendum (Atlassian DPA) and Forge Data Processing Addendum (Forge DPA).
As a provider of global services, Atlassian runs its services with common operational practices and features across multiple jurisdictions. Therefore, we store personal data in data centers located in the United States, EMEA, and APAC, further outlined in our data residency documentation, and process it in other locations worldwide for the provision of products, features, as well as customer and technical support purposes.
Under the European Data Protection Laws, personal data may not be transferred outside of Europe unless (i) the importing country has been deemed adequate by the relevant governmental body; or (ii) the data exporter has appropriate safeguards in place to ensure that personal data transferred is subject to an adequate level of protection. Those safeguards are referred to as “transfer mechanisms.”
The Atlassian DPA incorporates the Standard Contractual Clauses (as defined in the DPA) as such transfer mechanism as follows:
- Where personal data protected by the GDPR is transferred to Atlassian outside of Europe, Atlassian relies upon the EU Standard Contractual Clauses (SCCs) to provide an appropriate safeguard for the transfer. Under the SCCs, our Customers are acting as the "Data Exporter" and Atlassian is the "Data Importer".
- Where personal data protected by the UK Data Protection Law, Atlassian relies on the UK Addendum in our DPA in accordance with the ICO guidance from 2022.
-
Where personal data is protected by the Swiss Federal Act on Data Protection is transferred to Atlassian outside of Europe, Atlassian relies upon the EU SCCs plus certain interpretative provisions to make the SCCs work for Switzerland's legal regime.
Furthermore, Atlassian participates in and certifies compliance with the Data Privacy Framework. You can find more information in our Privacy Notice under the Section “Data Privacy Framework Notice.” Where adequacy does not apply, we continue to rely on the Standard Contractual Clauses (SCCs) as a transfer mechanism.
Scope of the Data Transfer Impact Assessment
Please note, that the processing locations depend on which Cloud Products you as a customer may have purchased, e.g. if you have purchased Jira Align, the relevant sub-processors and processing locations may be different (as listed under our sub-processor page) from the sub-processors and locations applicable for Trello, or Confluence. Additionally, you may also configure data residency for certain data in those Cloud Products which could further reduce the scope of transfers indicated on this page. Therefore, please review the sub-processor page and the data residency page in connection with the Cloud Products you have purchased in order to draw relevant information from this document.
The Atlassian DTIA is scoped to cover direct and onward data transfers in connection with Atlassian’s provision of Services as well as the Forge Platform. The processing activities (incl. transfers) are outlined in the Atlassian DPA and Forge DPA respectively.
Atlassian processes personal data in a number of jurisdictions, which includes transferring the data out of Europe/EEA, the UK, and Switzerland (together, “Europe”) to both, countries holding adequacy status under the European Data Protection Laws (as defined in Atlassian’s Data Processing Addendums), and third countries, as outlined below:
Europe/EEA and Adequate Countries | Bulgaria, France, Germany, Ireland, Netherlands, Poland, Sweden; Canada, Japan, New Zealand, United Kingdon, United states |
---|---|
Third Countries | Australia, Brazil, India, Malaysia, Mexico, Philippines, Turkey |
Canada, Japan, New Zealand, and the United States* (only commercial organizations participating in the Data Privacy Framework) offer an adequate level of data protection under European Data Protection Laws. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein, and Iceland), UK, and Switzerland to these third countries without any transfer impact assessment nor further safeguard being necessary. Transfers to these countries are assimilated into intra-European data transfers.
Specifically for the data transfers to the United States, Atlassian US., Inc., and its US affiliates participate in and certify compliance with the Data Privacy Framework Principles. You can find more information in our Privacy Notice under the Section “Data Privacy Framework Notice.” Where adequacy does not apply, we continue to rely on the Standard Contractual Clauses (SCCs) as a transfer mechanism. The EU Commission confirmed in its FAQs that all safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.
Our analysis of transfers to third countries is described below. Please note that the transfers apply to all Atlassian Services and Forge:
Australia
ステップ 2: 使用する転送ツールの特定
Purpose for transfer and any further processing | Direct transfers: Atlassian has offices in Australia where our employees may access personal data for the purposes of the provision of Services and Forge Platform. Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. Atlassian also offers data residency in accordance with this page. |
---|---|
The frequency of the transfer | Direct transfers: Continuous. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: As detailed in Atlassian DPA and Forge DPA respectively. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: Determined at the sole discretion of the data exporter. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page. |
Applicable transfer mechanism
| Direct transfers: Standard Contractual Clauses between Atlassian and its customers, or Forge developers, respectively. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | Australia has various laws, legislation and executive powers that could be used to compel companies to disclose personal data, or that provides for investigation and enforcement agencies to obtain data where there is a suspected contravention. A high-level summary of several of the key laws is provided below:
For aspects of each of the above laws, there are potential extra-territorial powers that could theoretically compel those outside of Australia to assist in the investigative process. However, in practice, it is highly unlikely that law enforcement and surveillance authorities will be able to do so without operating through existing bilateral processes, such as mutual legal assistance treaties. In practice, it can be difficult to determine how governmental authorities use all of their powers to conduct surveillance and collect data (and therefore whether it involves unnecessary or disproportionate data access in any circumstances) because in several cases, government authorities are not required to publicly report on when and how they use these powers (although independent oversight and review, including reporting to independent statutory authorities, is embedded throughout the surveillance legislation framework). In addition, not all requests for access to data and surveillance are currently subject to prior independent judicial authorization, although a process for review and reform of Australia’s surveillance laws has commenced and this may change in the future. Atlassian publishes and follows Atlassian Guidelines for Law Enforcement Requests in responding to any government requests for data. Atlassian also publishes an annual Transparency Report with information about government requests to access data. |
ブラジル
Purpose for transfer and any further processing | Direct transfers: Not applicable. Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. |
---|---|
The frequency of the transfer | Direct transfers: Not applicable. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: Not applicable. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: Not applicable. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Applicable transfer mechanism
| Direct transfers: Not applicable. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | The Brazilian government can only access/intercept personal data for certain specified purposes including, but not limited to, criminal law enforcement and surveillance, as further described below, and after authorization of a court. A high-level summary of the key laws is provided below:
The Brazilian General Data Protection Law ("LGPD") is mostly aligned with the GDPR, therefore it provides a similar level of protection, but it does not apply to national security or criminal matters. However, the country has not yet been evaluated in order to obtain an adequacy decision from the European Data Protection Board. アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。 |
インド
Purpose for transfer and any further processing | Direct transfers: Not applicable. Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. |
---|---|
The frequency of the transfer | Direct transfers: Not applicable. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: Not applicable. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: Not applicable. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Applicable transfer mechanism
| Direct transfers: Not applicable. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | India has various surveillance, criminal, and security laws which allow government agencies to intercept and access "personal information" and "sensitive personal data or information" without obtaining their prior consent if relevant factors apply. A high-level summary of the key laws is provided below. Note that these laws are often applied together, so criminal laws cannot be distinguished from surveillance specific laws.
Since the scope of the surveillance and interception powers of Indian authorities extends to investigations carried out in respect of any persons, companies, and entities operating within India (including those doing business in India from offshore), any data recipient is potentially within the scope of such criminal law enforcement and shall be obligated to share data available with it if called upon by a government authority. The CrPC applies to the territory of India and accordingly, an offshore entity is not under an obligation to comply with the request, however, if the offshore entity has a presence in India, the CrPC would extend to such operations within India. アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。 |
マレーシア
Purpose for transfer and any further processing | Direct transfers: Not applicable. Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. |
---|---|
The frequency of the transfer | Direct transfers: Not applicable. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: Not applicable. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: Not applicable. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Applicable transfer mechanism
| Direct transfers: Not applicable. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | There are laws and regulations in Malaysia that grant surveillance powers and various laws confer public authorities the right to access and intercept data, which are not limited to instances concerning matters of national security. The power to intercept communications, and to exercise powers to search and seize data, can be exercised for the purpose of any investigation into an offence under the relevant law. A high-level summary of the key laws is provided below:
Public officers can exercise the enforcement powers set out in the PDPA and carry out search and seizure operations and access computerised data and information. No extraterritorial effect: It is important to note that Malaysian public authorities would not be able to enforce most of the abovementioned laws against foreign entities not present in Malaysia. The rights granted to public authorities under the laws above to access data, and to exercise powers of search and seizure, are granted vis-à-vis entities who are based in Malaysia. As such, Malaysian public authorities would need to seek the collaboration of their foreign counterparts in order to access personal data stored in the EU by entities outside Malaysia. アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。 |
メキシコ
Purpose for transfer and any further processing | Direct transfers: Not applicable. Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. |
---|---|
The frequency of the transfer | Direct transfers: Not applicable. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: Not applicable. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: Not applicable. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Applicable transfer mechanism
| Direct transfers: Not applicable. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | Private entities that are obligated to comply with the Protection of Personal Data held by Private Parties ('LFPDPPP') legislation must process data in some manner in connection with Mexico and therefore have to respond to demands by Mexican authorities to disclose those personal data (assuming the demand is otherwise lawful). Atlassian is potentially within the scope of the importing territory's governmental security and surveillance powers if the data importer obtains personal data that falls under the definition of “data processing” in the LFPDPPP. Under Mexican Data Protection Laws, the transfer of data turns the receiver into a data controller. The scope of application of LFPDPPP and its Regulations is when the processing:
Mexican Authorities will argue that the data importer has the data and they may exercise their powers. アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。 |
フィリピン
Purpose for transfer and any further processing | Direct transfers: Not applicable. Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. |
---|---|
The frequency of the transfer | Direct transfers: Not applicable. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: Not applicable. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: Not applicable. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Applicable transfer mechanism
| Direct transfers: Not applicable. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | The Philippines has enacted specific laws that enable law enforcement authorities and military personnel to obtain access to data, including personal data being processed in the Philippines and held by private organizations. In addition, the powers of government authorities enable them to request / access data stored in Europe but which are accessed by individuals located in the Philippines, as long as the person or entity sought to be enjoined is subject to the jurisdiction of the Philippine government. A high-level summary of the key laws is provided below:
アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。 |
トルコ
Purpose for transfer and any further processing | Direct transfers: Not applicable. Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. |
---|---|
The frequency of the transfer | Direct transfers: Not applicable. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: Not applicable. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: Not applicable. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Applicable transfer mechanism
| Direct transfers: Not applicable. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | A high-level summary of the key laws relevant in Turkey is provided below:
Extraterritorial effect: the governmental or state authorities’ powers to request documents from organizations are not limited to information located in Turkey (if servers are located in Europe). The same principle applies to tapping into the communication of individuals by judicial decision. In a two-ended conversation, if one of the persons is located in Europe or is a European citizen, the National Intelligence Organisation will still be able to collect the necessary information. アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。 |
United States*
Purpose for transfer and any further processing | Direct transfers: Atlassian has offices in the United States where our employees may access personal data for the purposes of the provision of Services and Forge. Onward transfers: Atlassian transfers personal data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. |
---|---|
The frequency of the transfer | Direct transfers: Continuous. Onward transfers: Continuous. |
Categories of personal data transferred | Direct transfers: As detailed in Atlassian DPA and Forge DPA respectively. Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Sensitive data transferred (if applicable) | Direct transfers: None. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain
| Onward transfers: Please refer to Atlassian's sub-processor page for more information. |
Applicable transfer mechanism
| Direct transfers: Atlassian’s DPF Certification for the contractual relationship between Atlassian and its customers, or Forge developers, respectively. Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer | Schrems II では欧州連合 (EU) 司法裁判所により、以下の米国の法律が米国において個人データの実質的に同等な保護を確保する上での潜在的な障害として特定されました。
Further information about these U.S. surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II whitepaper from September 2020. As for the CLOUD Act, please refer to What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act. With the Data Privacy Framework, Europe introduced the adequacy framework for US companies that self-certify under the DPF. An essential element of the adequacy decision was the updated US legal framework, e.g. Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which was signed by President Biden on 7 October and is accompanied by regulations adopted by the Attorney General. These instruments were adopted to address the issues raised by the Court of Justice in its Schrems II judgment. For Europeans whose personal data is transferred to the US, the Executive Order provides for:
Atlassian US, Inc. and its US affiliates participate in and certify compliance with the Data Privacy Framework Principles. Our US entities are now able to rely on the adequacy decision to receive EU personal data. You can find more information in our Privacy Notice under the Section “Data Privacy Framework Notice.” アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。 |
補足措置
適用されるデータ保護法に従って個人データを保護するために、アトラシアンは以下の技術的、契約的、組織的な補足措置を講じています。
技術的措置 | アトラシアンは、個人データのセキュリティを強化するために、以下の技術的措置を講じています。
|
---|---|
契約的措置 | アトラシアンの契約的措置は、SCC を組み込んだデータ処理補遺と、SCC に関する英国補遺とスイスによる修正条項に定められています。特に、当社は以下の要件の対象となっています。
|
組織的措置 | データを保護するためのアトラシアンの組織的措置には以下が含まれます。
|
適切な間隔での再評価
アトラシアンは、ヨーロッパ外への個人データの転送に関連するデータ プライバシー規制とリスク環境の変化に対応するために、関連するリスクと実施した措置を確認し、必要に応じて再検討します。
法的注意事項: お客様と Forge 開発者は、本書に記載されている情報を独自に評価する責任があります。本書は、(a) 情報提供のみを目的としており、(b) 予告なしに変更される可能性のある現時点でのアトラシアンの製品、サービス、プラクティスについて説明しており、(c) アトラシアンとその関連会社、サプライヤー、またはライセンサーにいかなる義務または保証も負わせないものとします。お客様に対するアトラシアンの責任は、アトラシアンの契約で規定されており、本書はアトラシアンとお客様またはアトラシアンと Forge 開発者との間の契約の一部となるものではなく、またそれを修正するものでもありません。