Privacy Shield Invalidation and Zendesk’s Practices

By Rachel Tobin, AGC EMEA (Global Privacy Counsel)

Published July 17, 2020
Last updated October 28, 2020

On the 16th of July 2020, the Court of Justice of the European Union (“CJEU”) issued their decision in case C-311/18, also known as Schrems II. The CJEU’s decision confirmed the validity of the European Commission Controller-Processor Standard Contractual Clauses (“SCCs”) while invalidating the EU-US Privacy Shield Framework as a mechanism to transfer personal data from the EU to the US. The decision requires organizations engaged in transfers of personal data to a third country to carry out an assessment prior to making a transfer under the SCCs to ensure that data subjects are afforded a level of protection “essentially equivalent” to that guaranteed within the European Union (“EU”) by the GDPR. If this level of protection cannot be achieved through reliance on the SCCs alone, then the exporting organization must implement "supplementary measures" to protect the exported personal data to an "essentially equivalent" standard.

1. How does the decision impact Zendesk’s customer’s use of the Services?

Zendesk offers our customers choices when it comes to privacy. Zendesk has obtained regulatory authorization of its controller and processor Binding Corporate Rules (“BCRs”) for its customers’ data, which provide our customers with a robust mechanism to transfer personal data from the EU to members of the Zendesk family of companies when using our services. Further information is available in our press release found here and our Privacy and Data Protection website found here. Zendesk’s Data Processing Agreement (“DPA”) includes both the SCCs and Zendesk’s BCRs.

In light of the CJEU’s decision and the emerging and anticipated guidance from the European Data Protection Board and the EU Commission, we have reviewed our data transfer arrangements with our sub-processors and confirm valid transfer mechanisms are in place. An up-to-date list of our sub-processors is available here.

If you currently have a DPA with Zendesk, you can continue to use the Zendesk service in compliance with European Law. The Schrems II court's ruling does not change your ability to transfer data between the EU and the United States within the Service. Please also note that neither the CJEU ruling nor the GDPR require you to host personal data in the EU.

If you are a current customer and require a DPA, you can access the form as needed in your customer admin console, or click here which will bring you to our DPA.

2. Government access to personal data within customer accounts

In its decision, the CJEU determined that organizations which rely on the SCC’s and/or BCR’s should ensure that data subjects whose personal data is transferred to a third country pursuant to standard contractual clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. The court specified that organizations should assess whether or not they can transfer personal data on the basis of the SCCs and/or BCRs by taking into account the circumstances of the transfers and any supplementary measures that an organization could put in place.

Zendesk has a well-defined internal policy and process for government requests for information about our customers which aligns with Rules 12A and 12B of our Processor BCR Policy. Zendesk will notify the affected customer regarding the request, unless prohibited by law or if there is a clear and obvious indication of illegal conduct or risk of harm. We further confirm that we have not built any backdoors or other methods into our services to allow government authorities to circumvent our security measures and have access to Personal Data in Customer Accounts.

3. Supplementary Measures - Encryption of customer data

Zendesk has strong data security practices to protect its customers’ data, as detailed in our Zendesk Security website, including encryption:

  • (i) Encryption in transit. Service Data, which may include Personal Data, is encrypted in transit over public networks when communicating with Zendesk user interfaces (UIs) and application programming interface (APIs) via industry-standard HTTPS/TLS (TLS 1.2 or higher). Exceptions to encryption at transit (such as when using a third-party service that does not support encryption) are detailed on our Security website found here;
  • (ii) Encryption at rest. Service Data, which may include Personal Data, is encrypted at rest by Zendesk’s Sub-processor and managed services/hosting provider, Amazon Web Services Inc., via AES-256.
  • (iii) Zendesk also allows for customer-generated certificates for data in transit by using the Host Mapping feature on their account, more information is available here.

Since our inception, Zendesk’s approach has been anchored with a strong commitment to privacy, security, compliance, and transparency. Privacy is an ongoing journey and we at Zendesk remain committed to protecting and securing our customers’ data. If you have any further questions please reach out to your account manager.