GitLab Privacy Compliance

GDPR overview

The General Data Protection Regulation (GDPR) is a European privacy law that is set to go into effect in May 2018. The GDPR replaces the Data Protection Directive that was put into place in 1995. Although it is a European law, it will impact any entity that does business in or offers services and goods to people in the European Union (EU), regardless of their location. It will also apply to any entity that collects and analyzes the data of EU residents or businesses.

The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Under GDPR, private information is defined as any information that is directly or indirectly identifiable to an individual. This includes information such as social security numbers, location data, online identifiers, pseudonymous data, and genetic or biometric data, such as fingerprints and facial recognition.

Specifically, GDPR grants EU citizens these controls over their personal data:

  • Right of access: Data controllers will be required to fulfill requests from individuals seeking access to their private data or information on how it is being used. Data collectors and processors will have to detail how the personal information was obtained, how and why it is being used, as well as with whom the company is sharing the information. Companies will also be mandated to provide the individual with a copy of their personal records.
  • Notice of security breaches: Individuals must be alerted within 72 hours if their personal data has been hacked or otherwise compromised.
  • “Right to erasure”: Individuals can decide they no longer want their personal data to be processed and request that all of their information be deleted.
  • Data portability: Individuals will be permitted to move their personal data from one company to another upon request, without opposition from the data controller.

CCPA overview

The California Consumer Protection Act (CCPA) took effect on January 1, 2020. Similar to GDPR, CCPA is intended to protect person information and also articulates the rights that California consumers have regarding their information. CCPA applies specifically to residents of California.

The definition of Person Information in CCPA is very similar to GDPR's definition of Personal Data: "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Just as GDPR establishes rights for EU citizens, CCPA establishes certain rights for California residents:

  • The rights to disclosure of data collected and sold: California residents have the right to request access to their personal information and to ask how their data is used by the company after it has been gathered. If the information is being shared or sold, this must be disclosed when requested.
  • The right to deletion: Companies must delete a Consumer's personal information upon request.
  • The right to opt out of sales of Personal Information: If a company sells personal information, consumers have the right to opt out.
  • The right to non-discrimination: If a consumer exercises their rights under CCPA, the business may not discriminate against the consumer. For instance, they company cannot deny service or charge different rates to a consumer who exercises their rights under CCPA.

See GitLab's Privacy Request Instructions.

Key GDPR requirements

Companies within and outside of the European Union will be required to make a number of adjustments to the way they access and process the personal data of EU residents in order to be GDPR compliant.

The identification of information controllers and processors are key components to creating GDPR compliance.

What are controllers?

Controllers are a company or organization that determines the purpose for and manner in which personal data is processed.

Controllers can also be processors.

What are processors?

Data processors take the information controllers have accumulated and process the personal information.

GitLab’s CI/CD tools fall under the processor category.

The responsibility of GDPR compliance is heavily imposed on controllers. Data controllers are responsible and liable for GDPR compliance in the processing of personal data, even in cases when they have outsourced processing activities to another company. Nonetheless, processors are also obligated to be GDPR compliant under the law.

To inquire about executing a DPA, please contact your Sales Account Manager. If you do not know your Account Manager, please email [email protected]

These are some of the key requirements for GDPR compliance:

Maintain a legal basis for data collection and processing

Companies must have a legal basis for the processing of personal data.

Be transparent

Companies must inform individuals about the collection of personal data as well as why and how the data is being used. Information must also be provided about how the data is being stored and the length of time for which it will be held.

Individuals must also be advised when their information is transferred internationally.

Employ a data protection officer

Companies that have personal data collection or processing at the core of their business will be required to hire or appoint a data protection officer (DPO).

Specifically, a DPO will be required by GDPR if a company processes a large amount of personal or sensitive data regarding criminal offenses or convictions. Companies that regularly and systematically monitor the personal data of individuals on a large scale are also required to have a DPO in order to be GDPR compliant.

Preserve records

Under GDPR, companies will be required to maintain processing records for personal data. The records can be requested by the supervisory authority at any time.

Implement data protection by default and design

Data protection safeguards must be built into products and services during the earliest stages of development.

Provide notification of a security breach

Individuals must be directly notified of security breaches that affect their personal data within 72 hours.

Supervisory authorities must be advised of security breaches that present a risk to the rights and freedom of individuals within 72 hours. The general public must be immediately alerted of security breaches that are sufficiently serious.

Creating a GDPR action plan

Controllers and processors of personal data must create a GDPR action plan that encompasses all of the new requirements.

GDPR checklist to ensure compliance:

  • Identify information controllers
  • Identify information processors
  • Train data controllers and/or collectors on GDPR requirements
  • Ensure that partner vendors are GDPR compliant
  • Designate or employ a Data Protection Officer, if necessary
  • Conduct data mapping to determine what information your company collects and how it is transferred, processed, and stored
  • Build products and services using principles of privacy by design and default
  • Create a system that continuously monitors data handling and illustrates GDPR compliance
  • Educate customers of their rights under GDPR
  • Create a notification action plan for security breaches

Security and Compliance with GitLab

As the first single application for software development, security, and operations (DevSecOps), GitLab’s tools offer a streamlined process that can keep your entire team synchronized and your most important data secure. Our tool features Kerberos-powered user authentication and a block secret push file system that allows your company to prevent sensitive files from being accidentally pushed into a live repository.

GitLab’s CI/CD tools also offer a number of features that may help your team members remain in compliance with your company’s legal, licensing and other requirements. Some of those tools include:

  • Push rules: This allows you to reject code that does not comply with company policy.
  • Strict code review: You have the option to require multiple approvals from a certain set of team members before a merge request can be accepted.
  • Multiple options for user roles and permissions: Access and permissions can be managed at many levels, with five different options for user roles and settings for external users. Permissions can be set according to one’s role as opposed to allowing only read or write access to a repository.
  • Log forwarding: Logs can be forwarded to a central system for better tracking.
  • Membership locking: Group owners can maintain control of their project by blocking other members from adding other parties to the project.
  • Reject unsigned commits: GitLab Enterprise Edition Premium allows you to reject unsigned commits and require GPG signatures.

GitLab offers built-in application security testing scanners that routinely check code for common issues during development and deployment. Our scanners also monitor previously patched vulnerabilities in order to ensure that our security-sensitive services are guarded.

Learn more about Application Security Testing at GitLab

Find out how GitLab’s end-to-end software development tools can help your company monitor all of the steps in your production lifecycle.

Contact us Security FAQ

GDPR Compliance FAQs

  1. Who is impacted by GDPR?

    Any entity that does business with corporations or individuals in the European Union and will have access to personal data.

  2. Is GitLab GDPR compliant?

    Yes, compliance is an ongoing process and we work diligently to keep up with best practices and processes every day.

  3. What is the difference between a controller and processor?

    Controllers determine how personal data is processed and used. Processors simply process the data as prescribed by the controller.

  4. What is the supervisory authority?

    The supervisory authority is the United Kingdom’s Information Commissioner’s Office (ICO). The independent regulatory office is a public body that reports to Parliament. The ICO is tasked with “uphold[ing] information rights in the public interest, promoting openness by public bodies and data privacy for individuals,” according to the authority’s website.

  1. What are the principles of Privacy by Design and Privacy by Default?

    Privacy by design occurs when data protection is embedded into each step of the personal information processing life cycle, including processing product development, software development, and IT systems. Privacy by default means that the strictest privacy settings are automatically in place when an application is released to the public.

  2. Who should be in control of ensuring GDPR compliance at my company?

    Companies should designate an employee to oversee GDPR compliance and determine where that responsibility will fall within the organization, i.e. security department. Some companies will be required to hire or designate a data protection officer to oversee GDPR compliance within their organization.

  3. What is a Data Protection Officer?

    GDPR calls for some companies to designate a Data Protection Officer (DPO) depending on the nature and amount of personal data the entity processes. The officer, who must be an expert in data protection law, will be tasked with establishing and maintaining a data security plan and GDPR compliance. DPOs are required for public entities as well as companies that manage or store large amounts of personal data, process or hold special personal information or routinely monitor the personal data of private individuals.

  4. Does using GitLab make my company GDPR compliant?

    No, GitLab is a processor of information. While GitLab continuously works towards maintaining GDPR compliance, simply using GitLab’s services does not make your company compliant. As the controller of the information, you must ensure that the collection of personal data is GDPR compliant as well as other processors in your pipeline.

  5. What happens if my company is not GDPR compliant?

    Breaches in GDPR compliance can range from a stern, written warning for first-time, unintentional infractions to a fine of €20 million or 4 percent of the company’s previous year’s total global revenue, whichever is greater.

GDPR blog post

If you do business in Europe, you need to know about GDPR

Read more
GitLab Security

GitLab Security Page

Read more

GDPR Website

Read more
GitLab Docs

GitLab Dynamic Application Security Testing

Read more
Edit this page View source

Try GitLab Ultimate risk-free for 30 days.

No credit card required. Have questions? Contact us.