This guide describes how certain features and functionality in Zendesk products can assist with your obligations under privacy law, for example, as a data controller under the General Data Protection Regulation (GDPR), or as a business under the California Consumer Privacy Act (CCPA). Zendesk is considered a third-party data processor under the GDPR, and a service provider under the CCPA, because it handles the personal data or personal information of its customers' end users on behalf of its customers (or subscribers).
Data controllers and businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law.
See the following articles in this guide:
- Complying with Privacy and Data Protection Law in Zendesk Support
- Complying with Privacy and Data Protection Law in Zendesk Insights
- Complying with Privacy and Data Protection Law in Zendesk Guide
- Complying with Privacy and Data Protection Law in Zendesk Chat
- Complying with Privacy and Data Protection Law in standalone Chat accounts
- Complying with Privacy and Data Protection Law in Zendesk Talk
- Complying with Privacy and Data Protection Law in Zendesk Explore
- Complying with Privacy and Data Protection Law in Zendesk Bime
- Complying with Privacy and Data Protection Law in Zendesk Sell
- Complying with Privacy and Data Protection Law in Zendesk Sunshine
- Complying with Privacy and Data Protection Law in Zendesk Sunshine Conversations
- Complying with Privacy and Data Protection Law in Zendesk WFM (Tymeshift)
- Complying with Privacy and Data Protection Law in Zendesk QA (Klaus)
- Complying with Privacy and Data Protection Law in Ultimate
For instructions on deleting a user's personal data in Zendesk products, see Forgetting a user in Zendesk.
For more information on privacy law and Zendesk, see our Privacy and Data Protection website.
What is personal data
Personal data, or personal information, is any data that can be used to identify an individual. Examples include an email address, a phone number, or a social security number. Personal data may also include any data that could be used indirectly to identify an individual. For example, a person's nickname such as "Gerry" may not be personal data because many people may have the same nickname. However, if the nickname can be combined with other data such as a work address, the nickname could be considered personal data because it helps identify the individual.
Your organization needs to decide what personal data is. Is it simply an email address or phone number, or do you further disambiguate using a combination of identities or attributes? This decision is up to you.
If you’re unsure whether or not a piece of information is personal data, it’s best to err on the side of caution. Another option is to seek legal advice.
Common terms
The following terms are sometimes used in this document.
Soft delete
Soft deleting an item deletes the item such that it is not visible to any users, including admins using either the product interface or the API. The item is still in the Zendesk database and accessible by Zendesk on a limited basis only to its employees with certain database privileges. Soft deleted tickets are automatically permanently deleted after 30 days.
Hard delete, permanently delete, scrub
Hard deleting or scrubbing an item permanently deletes the item. The item is completely removed from the Zendesk database. No one, including Zendesk employees with database privileges, can access the item any longer.