It’s that time again: we’re updating our terms and policies to make it easier for you to understand how we supply our services to our subscribers. Most of these improvements should come as no surprise given that the General Data Protection Regulation (the famous “GDPR”) has now come into effect.
As in the past, we want to give our subscribers more than just a link to the new terms and policies and leave it to them to work out what has changed. We value transparency, which is why we always provide a summary of the most important modifications we periodically make. This summary does not cover every change to our terms and policies, but it highlights those we consider most relevant to you. We therefore suggest that you read the new terms and policies and review all the updates carefully!
These updates will be effective for all new subscribers as of June 1, 2018, and will be effective for all existing subscribers as of July 1, 2018. For our channel subscribers, such as those subscribers that purchased a subscription to our products through a reseller, we have made similar changes to our Reseller Subscription Services Agreement that will also be effective as of July 1, 2018.
1. What is Changing in Zendesk’s Master Subscription Agreement?
We updated the main body of our Master Subscription Agreement (“MSA”), aiming for clarity and simplification. In light of GDPR, we decided to clarify that we will not sell (and have never sold) your Service Data to any third party. In addition, we do not share Service Data with third parties except for authorized third-party service providers or to the extent necessary to provide the services.
Some of the major updates in our MSA include:
In Section 2.3, we clarified what “Additional Features” means. Specifically, these are additional features and functionality distinct from the Services, such as the API, SDK, Built by Zendesk Marketplace Applications or EAP programs, that we leave up to our subscribers to decide whether or not to activate.
Section 3.8 is the clause that changed the most. We restructured it thoroughly because we wanted one simple idea to be clear to our subscribers: “We never sell, rent, or lease your Service Data to any third party”. This is a strong and unambiguous statement of how much Zendesk values its subscribers’ privacy and data protection. Zendesk may share aggregated and anonymised information for purposes such as benchmarking and analytics, but this will never allow a third party to personally identify our subscribers, Agents or End-Users.
In Section 10.2, we clarified how the limitation of liability works when your Affiliates want to use the MSA to purchase our products and services (they are more than welcome to do so!).
2. What is Changing in Zendesk’s Privacy Policy?
With the enactment of GDPR, we have thoroughly reviewed our Privacy Policy. We are happy, and slightly proud, to tell our subscribers that the Privacy Policy did not require extensive changes. Although this may surprise some, it is another sign that Zendesk’s path towards GDPR compliance began around two years ago and that our terms, policies and processes are very close to complete readiness for the 25th of May. The most relevant changes concern the rights that the GDPR grants to data subjects and how the respective roles of Zendesk and Zendesk’s subscribers are defined. We also explain how Zendesk will respond to requests to exercise those rights.
The updates include, but are not limited to:
A statement asking those who provide a friend’s name and email address to Zendesk for referral purposes to have a reasonable belief that the friend would not object to us contacting them. We love it when you refer our services to your friends and acquaintances, but we also want to be sure we can lawfully contact them.
We clearly outlined when and why Zendesk collects personal data from subscribers or third parties.
Reference to our Binding Corporate Rules (BCRs) when transferring personal data outside of the European Economic Area. Zendesk is one of only a few software companies in the world to have received approval for its BCRs and just the second company ever to receive approval from the Irish Data Protection Commissioner.
We added a notice to end-users, making them aware of their rights, as provided by the GDPR, also clarifying the roles of Zendesk (data processor) and Zendesk’s customers (data controllers). In accordance with such distinction, end-users should exercise their rights primarily with the data controller.
In connection with the previous point, there is now a section dedicated to explaining how Zendesk responds to requests for access to, deletion of, and amendment of personal information.
Our obligations when we change our Privacy Policy. Namely, if there are any material changes to the Policy, then you will be notified by our posting of a prominent notice on our website prior to the change becoming effective. If we are required by law to do so, we will seek your consent prior to those material changes becoming effective.
3. What is Zendesk doing to comply with the GDPR?
GDPR replaces national privacy and security laws that previously existed within the European Economic Area (“EEA”) with a single, comprehensive EEA-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EEA.
Our policy is to respect all laws that apply to our business and this includes GDPR. We also appreciate that our subscribers have requirements under GDPR that are directly impacted by their use of our products and services. We are committed to supporting our subscribers’ GDPR compliance efforts and their local member state requirements.
As part of our commitment to GDPR compliance, we have updated our Privacy Policy as indicated above. In addition to the Privacy Policy updates, we completed our initial GDPR readiness project across our entire organisation, including the recent completion of our Data Protection Impact Assessments (“DPIAs”). As part of this project, we analysed each of our product offerings and our internal policies with a view to identifying any gaps in GDPR compliance, and we are taking steps to fill any such gaps. We launched our EU Data Protection website, which provides more detailed information on how Zendesk protects our subscribers’ data and how we are preparing to be compliant by the GDPR effective date, including product features currently available to our subscribers that can assist with GDPR compliance requirements.
Zendesk values our subscribers’ trust, and we share our subscribers’ concerns over the privacy of their data. That is why Zendesk offers its subscribers choices when it comes to privacy. Zendesk has obtained approval for its BCRs as a data processor for its subscribers’ data, which provide our subscribers with a robust mechanism to facilitate transfers of personal data from the EEA to members of the Zendesk family of companies when using our services. Further information is available in our press release. In addition, Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield principles for the transfer of European and Swiss personal data to the United States. Finally, to give our subscribers even more assurance of our commitment to GDPR compliance, we have updated our Data Processing Agreement, providing a contractual commitment to comply with the provisions of GDPR when they come into effect and incorporating the EU Model Clauses. If you are a subscriber who needs a Data Processing Agreement (“DPA”), or who needs an updated DPA for GDPR, please submit your request to privacy@zendesk.com.
4. Is There Anything Else That I Should Know?
We are glad you asked! Here are a few more things that Zendesk is committed to doing to ensure our compliance with GDPR:
- Ensuring our products are SOC 2 Type 2, ISO 27001:2013 and ISO 27018:2014 certified. To learn about our current security certifications and commitments, please visit Zendesk’s Security website.
- Zendesk commits to following appropriate security measures, incident response planning and precautions in accordance with GDPR.
- Zendesk will assist with notifying supervisory authorities of breaches and promptly communicating any breaches to subscribers and users, as necessary.
- We will ensure that employees authorised to process personal data have committed to confidentiality and have undergone appropriate information security and privacy training.
- As published on our website, Zendesk holds all subprocessors that handle personal data, including our managed services providers, to the same data management, security, and privacy practices and standards to which we hold ourselves.
- Zendesk will assist our subscribers, insofar as possible, in responding to data subject requests that our subscribers may receive under GDPR.
Don’t forget to read the new terms and policies in their entirety!