The EU-U.S. and Swiss-U.S. Privacy Shield frameworks are the new European Commission-approved mechanisms that enable the transfer of personal data from Europe to the U.S. and Switzerland to the U.S. in compliance with European and Swiss data protection laws. As the successors to the EU-US and Swiss-US Safe Harbors, the Privacy Shield frameworks introduce stronger obligations on the handling of data from the EU and Switzerland; and, provide greater protections for individuals. We value your trust and share in the same concerns over the privacy of you and your data and want to take this opportunity to announce that Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield principles for the transfer of European and Swiss personal data to the United States.

This is great news for our customers, providing them with an even better data transfer mechanism than the former EU-US and Swiss-US Safe Harbors. Zendesk moved quickly to adopt the Privacy Shield principles as part of our ongoing commitment to privacy and protecting our customers’ data.

As part of our Privacy Shield certifications, Zendesk agrees to resolve privacy-related issues in an expedient manner through cooperation with European and Swiss data protection authorities and binding arbitration. In addition, the Privacy Shield frameworks align closely to the recently adopted General Data Protection Regulation (“GDPR”), enabling Zendesk to begin updating its internal policies in advance of the May 2018 GDPR effective date.

Zendesk has also obtained approval for its Binding Corporate Rules (“BCR”) as a data processor for its customers’ data, which provides our customers with another robust mechanism to facilitate transfers of personal data from the EEA to members of the Zendesk family of companies when using our services.  Further information is available in our press release.  

With these announcements, Zendesk customers will have a choice of data transfer mechanisms: the Privacy Shield frameworks; our Binding Corporate Rules; and entry into our standard Data Processing Agreement (“DPA”) that includes the European Commission-approved Standard Contractual Clauses (“Model Clauses”). If you are a Zendesk customer and wish to enter into our DPA, please email us at privacy@zendesk.com.

Zendesk also offers customers the ability to request that critical data for certain services is hosted in the EU. This feature is limited to certain service plans and is subject to additional fees. Zendesk’s policy on regional data hosting in the EU is more specifically described here and outlines in more detail what data is available to be hosted in the EU. Because the concept of “transfer” under applicable data privacy laws is broadly interpreted to include activities that Zendesk may undertake as a data processor in jurisdictions outside the EEA and since certain elements of the Zendesk services platform rely on third parties that do not provide regional hosting, Zendesk cannot restrict data transfers from the EEA. However, Zendesk employs state of the art security to protect your data, and our Privacy Shield certification and DPA are designed to ensure that any data transfer from EEA is done in strict compliance with applicable data security and privacy laws.

If you have any additional questions, please email us at privacy@zendesk.com.