EFFECTIVE DATE: September 7, 2022
Introduction. This Government Data Request Policy sets out ChurnZero’s procedure for responding to a request received from a law enforcement or other government authority (together the “Requesting Authority“) to disclose personal information processed by ChurnZero (hereafter “Data Disclosure Request“) which aligns with our commitments under various data transfer methods we currently use (i.e., Standard Contractual Clauses).
Where ChurnZero receives a Data Disclosure Request, we will process that Data Disclosure Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this policy, we will comply with the relevant requirements of those applicable data protection law(s).
General principle on Data Disclosure Requests. As a general principle, we do not disclose personal information in response to a Data Disclosure Request unless either:
- We are under a compelling legal obligation to make such disclosure; or
- After considering the nature, context, purposes, scope, and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, we conclude there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.
Where possible, in determining to what extent either of the above factors are applicable, we will, unless we are legally prohibited from doing so or there is an imminent risk of serious harm, notify and consult with the competent data protection authorities (and, where we process the relevant personal information on behalf of a customer, the customer) as to such Data Disclosure Request.
Notice of a Data Disclosure Request. If a Data Disclosure Request concerns personal information for which a customer is the controller, we will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant customer. If the Requesting Authority agrees, we will support the customer in accordance with the terms of its contract to respond to the Data Disclosure Request.
If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the customer or does not know the customer’s identity), ChurnZero will notify and provide the customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits prior notification.
Notice to the Competent Data Protection Authorities. If the Requesting Authority is in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then ChurnZero will notify and consult with the competent data protection authorities before responding to the Data Disclosure Request, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
Where ChurnZero is prohibited from notifying the competent data protection authorities or suspending the Data Disclosure Request, we will use our best efforts (taking into account the nature, context, purposes, scope, and urgency of the Data Disclosure Request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold, so that we can consult with the competent data protection authorities, or to allow disclosure to specified personnel at our customer, and may also, in appropriate circumstances, include seeking a court order to this effect. ChurnZero will maintain a written record of the efforts it takes.
Transparency reports. To the extent required by applicable law, ChurnZero will prepare and make available upon request to competent data protection authorities, a semi-annual report (a “Transparency Report”), which reflects the number and type of Data Disclosure Requests we have received for the preceding six months.