We have outsourced our Atlassian licensing and services business to the newly founded Seibert Solutions GmbH. Actonic's products will be further developed under the usual name.

GDPR-compliance in Atlassian products: The right to be forgotten in Jira & Confluence


Data protection has become an obligatory task for companies, which many consider to be a nuisance, as there is often a lack of insight into this complicated topic. Granted, checking all personal data for compliance and handling it appropriately is of course an extremely demanding task, but the wrong approach can result in heavy fines. Therefore, it is important for companies not to put this extensive task on the back burner and to take it as seriously as possible. A GDPR criterion that you should also not neglect is the "right to be forgotten". It allows individuals whose data have been processed by companies to initiate a request for the deletion of this data by the company.

Also in the Atlassian ecosystem and in its two major products Jira and Confluence, data protection is an important topic. Here, personal data is often stored on Confluence pages or within Jira tickets. If a request for deletion of personal data is not or only incompletely followed up, this can cause the previously mentioned high penalties. To handle data in a GDPR-compliant way, Jira and Confluence offer some built-in solutions to deal with the "right to be forgotten". However, the Atlassian Marketplace also contains another option for companies to manage data protection within Jira and Confluence: the apps "Data Protection and Security Toolkit for Jira and Confluence".

In this article, we will present in detail the out-off-the-box options in Jira and Confluence to deal with the "right to be forgotten" and compare them with the solutions offered by "Data Protection and Security Toolkit for Jira and Confluence".

“Right to be forgotten” Art. 17 DSGVO in Jira and Confluence

The “right to be forgotten” gives every person the opportunity to demand that companies delete all personal data that they have stored about them. This includes, for example, names, user names, avatars and personal settings. This request must be complied within one month.

What this means for you is if you have data about people stored in your Jira or Confluence, and they request you to delete that data, you should do so as soon as possible.

To do this, you first need to find this data. You can imagine that searching for this data can be extremely complicated, especially if this data is stored in different Confluence pages and/or Jira tickets. In order to avoid the time-consuming search for data within any conceivable Confluence page and Jira ticket, Jira and Confluence include built-in features. In the following, we will present these and compare them with the possibilities of the “Data Protection and Security Toolkit for Jira and Confluence’ app.

Integrated “right to be forgotten” capabilities in Jira and Confluence

For Atlassian Cloud products, the “right to be forgotten” is fully covered by the ability to submit requests to the Atlassian Support. This applies with the exception of content stored by third-party applications. If you are a cloud user and receive a request for deletion of personal data, you can submit a support ticket to Atlassian, through which the support will anonymize the content of the requested user. However, this option is not available for server and data center users.

For Jira Server and DC, there are certain workarounds for the “right to be forgotten” where you use SQL scripts in your database. Learn more about this in the Atlassian documentation. However, this option can be very challenging and takes a lot of time.

For Confluence Server/DC, there are a number of custom scripts that must be run manually by admins. Learn more about this in this section of the Atlassian documentation. Even with this method, many users may reach their limits and have to spend too many resources.

“Right to be forgotten” solutions with “Data Protection and Security Toolkit for Jira and Confluence”

The apps “Data Protection and Security Toolkit for Jira and Confluence” are a complete toolkit for the two Atlassian softwares to become GDPR-compliant in a simple and fast way. For the “right to be forgotten”, the Jira version of the app includes the “Data Cleaner” module. In the Confluence version, the “User Anonymizer” module is used for this purpose. By using these modules, personal data can be found and deleted within a few minutes. This way, the one-month deadline for deleting data is not a problem and anonymizing just becomes a routine task. Through the app, we cover Jira/Confluence server, data center as well as cloud. At the same time, this method is extremely reliable and secure. In the following, we will give you a quick insight into the two modules:

The “Data Cleaner” module — How to find personal data with “Data Protection and Security Toolkit for Jira and Confluence”

With the Data Cleaner module, personal data can be found in just a few minutes. For this purpose, a JQL query, which allows you to pick out your desired data in no time, is used. This can then be further filtered by fields and types. The output can be listed according to various criteria. Here, all desired data is found within Jira, which you can then quickly and easily anonymize or delete.

The “User Anonymizer” module — How to find personal data with “Data Protection and Security Toolkit for Confluence”

Sometimes you need to anonymize the content of certain users in Confluence, for example when an employee leaves the company. For this purpose, the “User Anonymizer” module can be used in Confluence. To make the desired user(s) invisible, the module simply assigns them a substitute user name. The scope of the search can be limited by CQL (Confluence Query Language) and the roles of the person can be reset or changed. Extremely useful here is the “Dry Run” function, through which you can first display the affected content. This allows you to check whether everything was selected correctly in the step before.

Conclusion: Jira and Confluence internal solutions vs. “Data Protection and Security Toolkit for Jira und Confluence”

No matter if you decide to use Jira internal solutions or the apps, in any case, data protection and especially the “right to be forgotten” in Jira and Confluence must be taken extremely seriously. If someone asks you to delete personal data, you should do so as soon as possible. Otherwise, you could face heavy fines. It is important to delete the data completely and not miss any.

In our comparison of Jira and Confluence out-of-the-box solutions with “Data Protection and Security Toolkit for Jira and Confluence“, the app is clearly ahead. Here you can quickly and easily find personal data and then anonymize or delete it. In doing so, you can be sure that you have not overlooked any critical data and have complied with the “right to be forgotten”.

Moreover, “Data Protection and Security Toolkit” contains much more data protection features. For example, the app lets you create simple customizable notifications to get consent from people to process personal data. Another powerful feature of the tool is the ability to create data processing rules to ensure you don’t miss any personal data that should be deleted. “Data Protection and Security Toolkit for Jira and Confluence” is your complete toolkit to become fully GDPR-compliant within Jira and Confluence!

Curious? Try “Data Protection and Security Toolkit for Jira and Confluence” now for free for 30 days on the Atlassian Marketplace!

CCPA, GDPR, HIPAA and more: easily manage all of them!

  • Automated and efficient user search
  • Be safe with risk-free data protection
  • Also ready for: CCPA, HIPAA, LGPD, etc.
Go to Atlassian Marketplace

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.