What is it?

As per google:

On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

Data Protection after 31 DEC 2020

The EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020). However, UK organisations must still comply with its requirements after this point.

First, the DPA 2018 enacts the EU GDPR’s requirements in UK law. Second, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit.

This new regime will be known as ‘the UK GDPR’.

There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the requirements of the EU GDPR.

The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.

For simplicity, references to GDPR will, after 31 DEC 2020, mean UK GDPR.

Definitions

GDPR terms : https://gdpr-info.eu/art-4-gdpr/

The Plugin People Ltd : "We", "Us", "The Company"

Enterprise Mail Handler for Jira (Server) : JEMH

Enterprise Mail Handler for Jira (Cloud) : JEMHC

Personally Identifying Information : PII

Introduction

What follows is a variation on the topics covered in the Atlassian Privacy & GDPR section on their licensing page. Related to this is our Data security & privacy statement. GDPR affects Us in the following main areas:

Billing


PII data obtained through billing would only be used by us, in relation to the service(s) the customer has purchased from us. We track and record the name and email address of all customers making purchases with us directly, as part of the transaction. We are legally required to retain the history of such transactions for 7 years; that includes email traffic, quotes, invoices and purchase orders, in addition to order-related spreadsheets. Where 3rd parties require details of our activities relating to sales (accounting), personal details are removed.

Cloud

This is the largest area.  We have a cloud version of the Enterprise Mail Handler for Jira Cloud (JEMHC) that processes email from customer mailboxes and drives issue creation/update in customer Jira instances.

About JEMHC

On installation, JEMHC gets the billing contact user email address; we use this to populate the JEMHC > Licensing > System Notifications > Email Addresses field. This field is CSV and is maintained by the Jira instance administrator, not us. We do not have functional access to your data to make changes. We have a back office system that exposes basic system contact details to us. Every month, JEMHC mails this list a status email summarizing JEMHC usage, if there is any.

...

This applies to JEMHC only, in a few parts:

  • Email: The system sends a variety of email to involved parties, located anywhere.  Messages that aren't processed are forwarded to JEMHC instance admins, any or all could be located outside the EU.  The delivery of such email is done using the onward mail server system that the JEMHC instance administrator has defined, typically secured by SSL.

  • Files:  If the JEMHC administrator configures External Storage it is possible for JEMHC to enable Jira users to store attachments in remote cloud storage.  Users with access to the issue can download resources related to that issue through that issue.  Different mechanisms for accessing downloaded resources exist (e.g. "time-limited-validity multi-use links", or streamed content delivery).  Such delivery is always done over an SSL protocol link.

  • Logs: The JEMHC application generates logs, which we can retrieve remotely. Even then, PII in the logs is obfuscated: email subjects and the vast majority of email addresses are hashed, although non-happy-path scenarios may show email addresses to aid diagnosis.

Can I opt out of having customer data collected or shared?

...

Customer email addresses for non-account holders can be stored in plain text, visible to anyone who can view the issue or retrieve the issue through REST.  This is more a data privacy issue for the Jira instance administrator than us as the JEMHC service provider.

Support

  • As part of support we encounter customer data regularly in the form of Email content that has processing problems.  Such information is shared by the JEMHC customer in confidence, on behalf of the sender for the sole purpose of diagnosing processing problems and improving JEMHC's ability to handle such messages.  That information is not shared with 3rd parties, and not retained by us for any reason.  We will manufacture test data as needed to replicate customer problem scenarios for internal testing purposes.

  • External Storage:  As part of support ticket lifecycle, we automatically purge all issue-files when an issue is resolved.  We are considering extending this to include actual issue attachments as well, such that all JEMHC customers can do the same, if desired.

  • Jira attachments: TODO. As part of our support ticket lifecycle, we will be implementing features within JEMHC to enable attachment data to be expired after a certain amount of time, i.e. giving such data a guaranteed lifespan in our system. We won't delete comments or issues, as these are needed to trace recurring customer problems.

Do We use sub-processors to further process customer data?

...

JEMHC needs to implement a simple unsubscribe feature that will remove the sender from a given issue, or opt out for automated emails:

JEMHC-1674: https://thepluginpeople.atlassian.net/browse/JEMHC-1674

You want to move your data from one provider to another

...

Who can I contact with questions regarding GDPR?

Queries about GDPR should be directed to the Plugin People Ltd Data Protection Officer at data-protection-officer@thepluginpeople.com

Data Protection Officer
The Plugin People Ltd
Pure Offices
Cheltenham Office Park
Hatherley Lane
Cheltenham
GL51 6SH
UK

...