1.1 This Government Data Request Policy sets out Zendesk’s procedure for responding to a request received from a law enforcement or other government authority (together the “Requesting Authority“) to disclose personal information processed by Zendesk (hereafter “Data Disclosure Request“) which is aligned with our Binding Corporate Rules: Government Data Request Procedure.
1.2 Where Zendesk receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this policy, Zendesk will comply with the relevant requirements of those applicable data protection law(s).
2. General principle on Data Disclosure Requests
2.1 As a general principle, Zendesk does not disclose personal information in response to a Data Disclosure Request unless either:
- it is under a compelling legal obligation to make such disclosure; or
- taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.
2.2 For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Zendesk will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) to address the Data Disclosure Request.
3. Handling of a Data Disclosure Request
3.1 If a Zendesk Group Member receives a Data Disclosure Request, the recipient of the request must pass it to Zendesk’s Chief Privacy Officer and Privacy Team (collectively, the “Privacy Team”) immediately upon receipt, indicating the date on which it was received together with any other information that may assist the Privacy Team to respond to the request.
3.2 The Requesting Authority’s request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, however made, must be notified to the Privacy Team for review.
3.3 Zendesk’s Privacy Team will carefully review each and every Data Disclosure Request on a case-by-case basis. The Privacy Team will liaise with the legal department and outside counsel as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, and its validity under applicable laws, to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and/or competent data protection authorities in accordance with paragraph 4.
4. Notice of a Data Disclosure Request
4.1 Notice to the Customer
4.1.1 If a request concerns personal information for which a Customer is the controller, Zendesk will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer. If the Requesting Authority agrees, Zendesk will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.
4.1.2 If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Customer, does not know the customer’s identity, or if Zendesk is not permitted by law to disclose the Data Disclosure Request), Zendesk will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits prior notification.
4.2 Notice to the competent data protection authorities
4.2.1 If the Requesting Authority is in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then Zendesk will also put the request on hold to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
4.2.2 Where Zendesk is prohibited from notifying the competent data protection authorities and suspending the request, Zendesk will use its best efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold, so that Zendesk can consult with the competent data protection authorities, or to allow disclosure to specified personnel at Zendesk’s customer, and may also, in appropriate circumstances, include seeking a court order to this effect. Zendesk will maintain a written record of the efforts it takes.
5. Transparency reports
5.1 Zendesk commits to preparing a semi-annual report (a “Transparency Report”), which reflects the number and type of Data Disclosure Requests it has received for the preceding six months, as may be limited by applicable law or court order. Zendesk shall publish the Transparency Report on its website, and make the report available upon request to competent data protection authorities.
6. Bulk transfers
6.1 In no event will any Group Member transfer Personal Information to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.