Please note that this FAQ Guide: (a) is being provided for informational purposes only and does not constitute legal advice; (b) represents our current Zendesk offerings and practices, which are subject to change; and (c) does not create any commitments or assurances from Zendesk and its affiliates or sub-processors. The responsibilities and liabilities of Zendesk to its Subscribers are controlled by the Zendesk Master Subscription Agreement (“MSA”) and Data Processing Agreement (“DPA”) and this document is not part of, nor does it modify, any agreement between us. Capitalized terms used but not defined in this document will have the meanings provided in the MSA and DPA.
We appreciate international transfers are a complex area to navigate in light of the Schrems II judgment and the new standard contractual clauses (“SCCs”) and hope this FAQ helps to answer your key questions from the European Data Protection Board’s recommendations, as they relate to your use of Zendesk services. Please also feel free to email any further questions you may have on the topic to firstname.lastname@example.org.
1. What does the GDPR say about international transfers?
Personal data covered by the GDPR can only be transferred outside of the EEA if an approved mechanism is in place to make sure that a GDPR level of data protection is not undermined.
This means it is important that organizations first know and map all transfers of personal data to non-EEA countries (step one from the EDPB recommendations). Zendesk and its sub-processors will process Subscriber personal data in the following non-EEA countries: Australia, Brazil, Canada, Costa Rica, Japan, Philippines, Singapore, United Kingdom, and the United States.
2. What international transfer mechanisms does Zendesk use?
Organizations should then identify what transfer mechanism they are relying on for each transfer (step two from the EDPB recommendations). Some countries outside of the EEA (e.g. the UK) benefit from an EU data protection authority decision. We use this mechanism where possible.
We use the SCCs as the mechanism for international transfers of personal data between Zendesk Subscribers and Zendesk sub-processors in non-EEA/non-adequate countries. These provide contractual guarantees that the personal data will be protected to a GDPR standard outside of the EEA.
We use the Binding Corporate Rules (“BCRs”) - see here and here - for international transfers between different Zendesk entities. BCRs are supervisory authority approved policies that govern data protection matters within a group of companies, including regarding international transfer between those entities.
3. How does the Schrems II case affect the use of SCCs and BCRs?
Data exporters need to ensure that importing countries provide essentially equivalent protection to the EU for the specific data, especially regarding government surveillance (step three from the EDPB recommendations). If an essentially equivalent level of protection is not provided then, to proceed with the transfer, the data exporter must implement “supplementary measures” in order bring the level of data protection back up to an essentially equivalent standard (step four from the EDPB recommendations).
It is important to note that the Schrems II judgment does not require data localization or EU-only support. Some companies may view this as a preference or as a supplementary technical measure, but it is not an explicit legal requirement.
4. What is the relationship between the new SCCs and Schrems II?
The new SCCs came about because the older versions had already become outdated. However, the Schrems II decision provided further impetus for them to be developed. The new SCCs codify the Schrems II requirement to undertake a Transfer Impact Assessment (“TIA”). They also require data importers to take specific data protection steps if they receive a government access request. The new SCCs are already part of the latest Zendesk DPA.
5. What is a TIA and how do you complete it?
A TIA is a method for assessing if an essentially equivalent level of protection will be provided in the importing country for the specific data being transferred (steps three and four from the EDPB recommendations), including whether local government surveillance laws meet the EU’s Essential Guarantees for surveillance measures, any relevant practical evidence of government surveillance (e.g. government access requests previously received by the importer) and, if necessary, supplementary measures that may assist in reaching a level of essential equivalency.
We have created a guide to assist you in completing your TIAs for your use of Zendesk services. This guide includes details on government surveillance laws in each country where Zendesk or its sub-processors may import Subscriber data. You can request a copy of this guide by contacting your Zendesk account executive.
6. What is Zendesk’s approach to government access requests and has it received any in the past?
In line with above, a TIA should consider what the data importer’s process is for responding to government access requests, whether they have previously received any of these requests and if they are actually allowed to provide information about any such requests.
Zendesk follows our Government Data Request Policy and the steps in Art. 15 of the new SCCs when we receive any government access request. This includes asking the authority to contact the controller of the data in the first instance and, failing that, undertaking a careful legal review of the validity of the request. Zendesk, like many technology companies, occasionally does receive requests from law enforcement agencies in the United States and elsewhere, seeking data stored by Zendesk on behalf of a Subscriber. More information about such requests that Zendesk has received can be found in our transparency report
7. What is Zendesk’s approach to FISA 702 in light of Schrems II?
FISA 702 authorizes certain types of foreign intelligence collection for national security purposes. A special independent federal court called the Foreign Intelligence Surveillance Court oversees the intelligence collection to ensure it is conducted consistent with the FISA statute and the U.S. Constitution, specifically the Fourth Amendment protection against unreasonable searches and seizures.
Zendesk is a United States corporation formed and registered in the State of Delaware, subject to United States law. Zendesk is a remote computing service (“RCS”) as defined in the Electronic Communications Privacy Act (“ECPA”), Section 2711 of Title 18 U.S.C. when it provides Services to Subscribers. ECPA does not permit law enforcement authorities to access data stored with an RCS provider unless they first obtain a warrant, subpoena, or court order. Providers of remote computing services may also be subject to Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) if they store electronic communications.
As part of your TIA you may, depending on the circumstances, firstly conclude that there is no reason to believe that FISA 702 will be applied in practice to the data you use Zendesk as a processor for, particularly because of the type of data Zendesk processes on your behalf. In this regard, post Schrems II the US government has provided assurances that: “most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in Schrems II.”
Secondly, Zendesk’s transparency report shows that the possibility of any requests of this nature occurring are very rare. This may also lead you to conclude that there is no reason to believe that FISA 702 will be applied in practice to the data you use Zendesk as a processor for.
Thirdly, as the controller, you have the right to check logs related to your data to see if there has been any unauthorized access to it (remembering that Zendesk staff may only access your data with your approval in normal circumstances). This supplementary measure may therefore satisfy you that any possible essential equivalence issue is remedied.
8. What is Zendesk’s approach to EO 12333 in light of Schrems II?
Executive Order (EO) 12333 does not actually authorize the U.S. Government to require companies to provide assistance in collecting foreign intelligence information, and Zendesk will not voluntarily do so. Zendesk has not received any orders for bulk data. Any EO 12333 risk should be remedied if a data importer uses sufficiently powerful encryption in transit. This is because EO 12333 appears to involve the interception of data before it reaches those company servers in the US. If the encryption is strong enough then any intercepted data will remain unreadable.
Zendesk provides adequate encryption in this regard as all communications with Zendesk UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. Service Data is encrypted at rest in AWS using AES-256 key encryption. Additionally, Zendesk has not built any backdoors into to allow government authorities to circumvent its security measures to gain access to Service Data. This all should therefore mean that Zendesk has implemented supplementary measures that adequately addresses any essential equivalence risk created by EO 12333.
9. How can you ensure that your data will be adequately protected under the surveillance laws of other countries where Zendesk processes it?
As noted above, Zendesk has provided summaries of relevant local laws in our TIA guide. It may be that you assess some of these countries' laws as providing an essentially equivalent level of protection as that in the EU for your data. In that case, no further action would be required for those countries.
If you assess any of these countries' laws as not providing essentially equivalent protection for your data then, depending on the circumstances (e.g. type of data), you may decide there is still no reason to believe the laws will actually be applied to your data. You also may consider the supplementary measures that Zendesk has in place (e.g. our government access policy and enhanced security measures) mean that any essential equivalence issues are adequately addressed.
10. What other steps are Zendesk taking in response to Schrems II?
We appreciate that some of our Subscribers are interested in solutions that provide an even higher level of compliance in what is an ever-evolving privacy landscape. With this in mind, we are committed to building both a Bring Your Own Key (BYOK) solution, as well as more in-depth data localization offerings.
In addition to focusing our efforts on Bring Your Own Key (BYOK) encryption, we’re investing in building more privacy and compliance features to allow for data retention policy implementation, increased visibility into agent access, granular permissions, and additional tools to assist with data minimization within your Zendesk instance.
We are working hard on these projects and will provide you with updates on them soon. However, if there is anything that you would like to discuss in relation to them, our Schrems II compliance, or any general data protection matters, then please contact your Zendesk account executive or email@example.com.