1. Introduction
1.1 This Government Data Request Policy sets out Zendesk’s procedure for 1) prior assessment of existing third country requirements to disclose personal data or measures authorising access by public authorities; and 2) responding to a request received from a law enforcement or other government authority (together the “Requesting Authority”) to disclose personal data processed by Zendesk (hereafter “Data Disclosure Request”) which is aligned with our Binding Corporate Rules: Government Data Request Procedure. The Policy also sets out Zendesk’s notification procedure for instances where we become aware of a direct access (i.e., access to personal data without prior request, and/or approval/collaboration by Zendesk) by law enforcement or other government authority to personal data processed by Zendesk (hereafter “Direct Access”), which is aligned with our Binding Corporate Rules: Government Data Request Procedure.
1.2 Where Zendesk receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for personal data than is required by this policy, Zendesk will comply with the relevant requirements of those applicable data protection law(s).
2. Prior assessment
2.1 Prior to Zendesk carrying out international transfers of personal data subject to the requirements of this Controller and/or Processor Policy, it will carry out an assessment of laws and practices of the third country of destination regarding Data Disclosure Request requirements or measures authorising Direct Access (including in transit), which could prevent Zendesk from fulfilling its obligations under the respective Controller/Processor Policy, such as practices that do not respect the essence of the fundamental rights and freedoms and exceed what is necessary and proportionate in a democratic society, as well as the applicable limitations and safeguards. Such assessment shall be carried out in light of the specific circumstances of the transfer, and of any envisaged onward transfer (including purposes, location and sector in which the transfer and the related processing take place, types of entities involved in the processing, categories/format of personal data transferred and transmission channels used) and determine whether additional contractual, technical or organisational safeguards (be it during personal data transmission or at rest) are required. The assessment (and safeguards, as appropriate) will be communicated by members of the privacy team to all Group Members. Zendesk will reasonably monitor future developments of laws of the country of destination to, as appropriate, consider impacts such changes may have on the initial assessment it carried out. Group Members acting as data importers under this Controller and/or Processor Policy shall reasonably communicate such changes they become aware of to Group Members/customers acting as data exporters and to the EEA Group Member with delegated data protection responsibilities.
2.2 Where Zendesk determines that additional safeguards are to be put in place to address the findings of the assessment in paragraph 2.1, Zendesk will notify the relevant EEA Group Member with delegated data protection responsibilities, and relevant members of Privacy Council or broader privacy team will be involved, in order to reflect their views regarding such safeguards.
2.3 Zendesk will document such assessment as outlined in paragraph 2.1 and additional measures pursuant to paragraph 2.2 and make these available to the competent supervisory authority upon request.
2.4 Where Zendesk determined that effective supplementary measures were needed to fulfil its obligations under the respective Controller/Processor Policy, however, it could not identify any, or if instructed by the competent supervisory authority, the privacy team commits to suspend the relevant transfers (including transfers for which the same assessment and reasoning would lead to the same conclusion) and inform all Group Members involved of the same. Following such suspension, entities exporting personal data under this Controller and/or Processor Policy can end such personal data transfer and personal data, which were not subject to sufficient protections required under the Controller/Processor Policy, may be returned to the exporting entity and/or destroyed.
3. General principle on Data Disclosure Requests
3.1 As a general principle, Zendesk does not disclose personal data in response to a Data Disclosure Request unless either:
• it is under a legal obligation to make such disclosure; or
• taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Request in any event.
3.2 For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Zendesk will notify and consult with the competent data protection authorities (and, where it processes the personal data on behalf of a customer, the customer) to address the Data Disclosure Request.
4. Handling of a Data Disclosure Request
4.1 If a Zendesk Group Member receives a Data Disclosure Request, the recipient of the request must pass it to Legal immediately upon receipt, indicating the date on which it was received together with any other information that may assist the Legal Team to respond to the request. Similarly, if a Zendesk Group Member becomes aware of Direct Access, it shall communicate this to the Legal Team immediately, indicating the date on which it occurred together with any other information that may assist the Legal Team to respond in line with this Policy.
4.2 The Requesting Authority’s request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, however made, must be notified to the Legal Team for review.
4.3 Zendesk’s Legal Team will carefully review each and every Data Disclosure Request and Direct Access on a case-by-case basis. The Legal Team will liaise with the Privacy Team and outside counsel as appropriate to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request/Direct Access, and its validity under applicable laws and principles of international comity, to identify whether action may be needed to challenge the Data Disclosure Request/Direct Access, including by means of an appeal to the Requesting Authority, and/or by seeking interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits or otherwise requiring the disclosure under the applicable procedural law, as appropriate, and/or to notify the customer and/or competent data protection authorities in accordance with paragraph 4.
5. Notice of a Data Disclosure Request/Direct Access
5.1 Notice to the customer
5.1.1 If a request concerns personal data for which a customer is the controller, Zendesk will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant customer. If the Requesting Authority agrees, Zendesk will support the customer in accordance with the terms of its contract to respond to the Data Disclosure Request.
5.1.2 If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the customer or does not know the customer’s identity), Zendesk will notify and provide the customer with the details of the Data Disclosure Request prior to disclosing any personal data, unless legally prohibited from doing so, or where an imminent risk of serious harm exists that prohibits prior notification.
5.1.3 If Zendesk becomes aware of a Direct Access concerning personal data for which a customer is the controller, Zendesk will notify and provide the customer with the details of such Direct Access, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits such notification.
5.2 Notice to the competent data protection authorities
5.2.1 If the Requesting Authority is in a country that does not provide an adequate level of protection for the personal data in relation to such request, in accordance with applicable data protection laws, then Zendesk will also put the request on hold to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
5.2.2 If the law enforcement or other government authority which carried out a Direct Access is in a country that does not provide an adequate level of protection for the personal data in relation to such request, in accordance with applicable data protection laws, then Zendesk will also notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
5.2.3 Where Zendesk is prohibited from notifying the competent data protection authorities and/or suspending the request, Zendesk will use its best efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the Requesting Authority/authority that carried out the Direct Access about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority/authority that carried out the Direct Access to put the request on hold, so that Zendesk can consult with the competent data protection authorities, or to allow disclosure to specified personnel at Zendesk’s customer, and may also, in appropriate circumstances, include seeking a court order to this effect. Zendesk will maintain, and upon reasonable request provide to its customers and competent data protection authorities, a written record of the efforts it takes, in line with its established business record maintenance practices, unless legally prohibited from doing so.
6. Transparency reports
6.1 Zendesk commits to preparing a semi-annual report (a “Transparency Report”), which reflects the number and type of Data Disclosure Requests it has received for the preceding six months, as may be limited by applicable law or court order. Zendesk will publish the Transparency Report on its website, and make the report available upon request to competent data protection authorities.
7. Bulk transfers
7.1 In no event will any Group Member transfer personal data to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.