This guide describes how certain features and functionality in Zendesk Sunshine can assist with your obligations under privacy law. Zendesk Sunshine includes profiles, events, custom objects, and the Sunshine UI.
To learn more about meeting your obligations in other Zendesk products, see Complying with Privacy and Data Protection Law in Zendesk products.
In this guide, users can be End-Users or Agents as the terms are defined in the Master Subscription Agreement.
Meeting an access obligation
Individuals from certain regions have a right of access. On request, you may have an obligation to inform an end user or agent where their personal data is being held and for what purposes.
Sunshine profiles, events, and custom objects authenticates callers to its API using either basic authentication with your email address and password, with your email address and an API token, or with an OAuth access token.
Access to Sunshine profiles and events data using APIs can be limited to access to a single business account.
With respect to audits and logs, all generated logs are transferred and stored in a secured and encrypted location. In the event of suspected or confirmed unauthorized data access, Sunshine profiles, events, and custom objects can provide audit logs to help you investigate, respond to, and remediate the issue.
To export the data from profiles and events, please follow the steps described in Meeting a data portability obligation.
Meeting a correction obligation
Individuals from certain regions have a right to rectification, or the right to have inaccuracies in their personal data corrected. On request, you may have an obligation to provide the individual with their personal data and fix inaccuracies or add missing information.
To meet a correction obligation:
Sunshine profiles allows you to delete the existing information and re-create the personal data with the necessary fixes, or update or partially update an existing profile
The Sunshine UI in the Admin Center allows you to delete an existing object type or relationship type. You can then re-create the object type or relationship type.
See Meeting an erasure obligation for more detail.
Meeting an erasure obligation
Individuals from certain regions have a right to erasure, or the right to be forgotten or deleted. On request, you may have an obligation to delete the personal data of an individual.
Using the Sunshine Profiles API, you can delete a profile to delete a customer’s details and all events associated with the profile.
Using Custom Objects API, you can delete an object type, delete an object record, delete a relationship type, delete a relationship record. You can also run custom object jobs to batch delete object records and relationship records.
Meeting a data portability obligation
Individuals from certain regions have a right to data portability. On request, you may have an obligation to provide an individual with their personal data or to transmit the data to another organization.
Businesses can export data about users including metadata to another system as required by privacy and data protection law. The feature exports data in a commonly used machine readable format (JSON), which can then be imported into another system. The Get profile by identifier API and Get profile by profile ID API allows you to retrieve all of the personal data stored on a user.
Meeting an objection obligation
Individuals from certain regions have a right of objection, or the right to object to direct marketing. You may have an obligation to stop processing personal data for direct marketing purposes when you receive an objection from an individual.
Since Sunshine profiles, events, custom objects, and the Sunshine UI do not actively offer direct marketing as a feature, it's up to the business to be aware of how the end user information is being used. With that, if the business wishes to meet this objection obligation within the platform, Sunshine profiles, events, and custom objects allows you to delete the existing information and re-create the personal data with the necessary fixes. See Meeting an erasure obligation for more detail.
This document is for informational purposes only and does not constitute legal advice. Readers should always seek legal advice before taking any action with respect to the matters discussed herein.