Global Zendesk Candidate
Privacy Notice
For Québécois, please click here. For Catalan, please click here.
Effective: September 29, 2023
Date Last Updated: September 29, 2023
Table of Contents
1. Introduction
This Candidate Privacy Notice (“Notice”) applies to Zendesk, Inc. and its relevant affiliates including, but not limited to, FutureSimple, Inc. and Smooch Technologies US Inc. (“Zendesk,” “Zendesk Group,” “us,” “we,” or “our”). This Notice describes how Zendesk collects, uses, stores, and discloses personal data about any candidates or other individuals who apply to an open position with us; who we contact for or who express interest in employment with us; who attend a recruitment event; or who undergo an interview or assessment with us (“Candidate(s)”). This Notice also describes the rights that Candidates may have in relation to the personal data that we process about them. As used in this Notice, “personal data” means any information that relates to, identifies, or reasonably could be used to identify an individual, directly or indirectly.
If you are located in the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“U.K.”), please refer to Section 8 of this Notice for more information about which specific entity or entities act as a controller in relation to your personal data.
This Notice does NOT apply to:
Personal data that Zendesk processes about you if you interact with Zendesk websites, Zendesk mobile applications, the Zendesk Marketplace, the Zendesk Developer Portal, our branded social media pages, and other non-career websites which we operate (collectively, our “Digital Properties”), or other ways you may interact with Zendesk as a user of our products and services. In such cases, the privacy notice posted on the Digital Properties you interact with will apply; or
Personal data that Zendesk processes about you if you are an employee with Zendesk, which is subject to our separate Employee Privacy Notice.
If you are offered and you accept a role at Zendesk, the Candidate personal data collected during the recruiting process will become part of your employee file and will be governed by the Zendesk Employee Privacy Notice, a copy of which will be provided when you are on-boarded as an employee.
2. Candidate Personal Data We Collect and Disclose
What Candidate Personal Data Do We Collect? | To Whom Do We Disclose Candidate Personal Data for a Business Purpose? |
---|---|
Identifiers, such as name and contact information (including postal address, phone number, residence, and e-mail address) and other similar identifiers. |
|
Information in connection with you and/or your job application, such as assessments you complete during the application process and information collected through the application process. |
|
Information necessary to confirm your ability to work for Zendesk, which we may be legally required or permitted by local law to collect as part of the application process, such as immigration information, citizenship, proof of vaccination, or visa information. |
|
Public information, such as social media profiles (where permitted). |
|
Characteristics of protected classifications under California or Federal law, such as race or ethnic origin (optional), gender identity (optional), sexual orientation (optional), nationality (optional), ethnicity (optional), medical conditions (optional), military or veteran status (optional), and disability (optional). |
|
Professional or employment information, such as certifications, résumé, curriculum vitae, cover letter, training courses, publications, transcript information, work history, professional qualifications, performance information, references provided, background information provided or confirmed by academic institutions and training or certification providers, information provided by recruiting or executive search agencies. |
|
Education information, such as academic degrees, professional qualifications, certifications, training courses, publications, and transcript information. |
|
Audio, electronic, visual, or other sensory information, such as CCTV footage at Zendesk physical office locations, badge entry and exit information (including badge photo), and interview recordings (where permissible). |
|
Other information, such as any other personal data you voluntarily choose to provide in connection with your job application, such as compensation history. |
|
Sensitive Personal Data, such as government identifiers, race or ethnic origin (optional), gender identity (optional), sexual orientation (optional), ethnicity (optional), medical conditions (optional), disability (optional), visa information, immigration information, and proof of vaccination. |
|
If we request for you to provide any additional information not described above, we will notify you at the time of collection why we are asking for it and how we will process it. We may also de-identify, anonymize, or aggregate personal data to use and share with third parties for any purpose, where legally permitted.
3. How We Process Candidate Personal Data
We may process your personal data for the following purposes:
Purpose of Processing | Lawful Basis |
---|---|
For recruiting purposes, to determine your qualifications for employment, and to make hiring decisions. For instance, we may process your personal data when evaluating your candidacy and communicating with you about the hiring process. Where legally permissible to do so, we may contact you about Zendesk roles for which you may be a fit. |
Legitimate interests; Consent |
To send you communications about Zendesk job postings, careers fairs, newsletters, and related corporate communications. |
Consent |
To inform you about Zendesk recruitment events in which you choose to participate. For instance, career fairs or university/nonprofit recruitment events. |
Legitimate interests; Consent |
To provide accommodations during the recruitment process. For instance, to provide accommodations requested for physical or mental conditions during the recruitment process. |
Legal obligations |
For the purpose of equal opportunities monitoring, compliance with anti-discrimination laws, or government-reporting obligations. |
Consent; Legal obligations |
To establish, exercise, or defend against legal claims. |
Legal claims; Legal obligations |
To protect the safety, security, and integrity of our property (such as our databases and other technology assets); to protect the rights of those who interact with us or others; and to detect, prevent, and respond to security incidents or other malicious, deceptive, fraudulent, or illegal activity. For instance, this may involve collecting and processing special categories of personal data (e.g., health data) where necessary for reasons of public health or as required by applicable law. |
Legitimate interests; Public interest; Legal claims; Vital interests; Legal obligations |
To fulfill a referral request when you are referred for a role with Zendesk by a Zendesk employee using our referral process, as permissible, including by using the provided contact information to reach out to you. |
Consent; Legitimate interests |
To perform a contract to which you are a party or to take steps at your request prior to entering into a contract. For instance, to take steps prior to entering an employment contract with you. |
Contract |
To understand and improve our recruitment process. For instance, including efforts to promote diversity, equity, and inclusion, where legally permissible. |
Legitimate interests; Consent |
Where you have voluntarily agreed to have your personal data processed. |
Consent |
Zendesk will honor data subject rights to the extent required by law. You may have the right to access, correct, update, and, in some cases, request deletion of your personal data (subject to exceptions). You may submit a request here.
4. Sources of Candidate Personal Data
We may collect Candidate personal data from sources that include the following:
Information you provide to us directly. We collect the personal data you provide to us directly. For instance, when you create or submit a job application or provide personal data to us as part of the interview process.
Information collected from other individuals. We may collect personal data about you from other individuals. For instance, references during the application process, including your current or past employer, coworkers, or friends. We may also collect personal data about you if you are referred for a role at Zendesk by someone else, as permissible.
Information from public sources. We may collect personal data you submit in public forums, such as information made publicly available on a personal webpage (where permitted).
Information from other third parties. We may collect information from external third parties, such as professional or sanctions registries, background information provided or confirmed by academic institutions and training or certification providers, and recruiting or executive search agencies.
We may combine information that we receive from the various sources described in this Notice and use or disclose it for the purposes described in this Notice.
5. Retention of Candidate Personal Data
Your personal data will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this Notice (or as otherwise required by applicable law). If you are successful with your job application, your personal data will be kept in accordance with our Employee Privacy Notice. If you are unsuccessful with your job application, your personal data will be kept for the duration of the application process, plus a reasonable period of time after confirmation that your application was unsuccessful to allow us to record the reasons for our decision in relation to your application (including so that we can exercise, establish, or defend any legal claims). Where permissible, we may also retain your personal data for a reasonable period to consider you for other suitable openings within Zendesk in the future.
If you would like to opt-out from Zendesk’s policy of retaining your information for the purposes of considering you for other suitable openings, please email peopleandplaces@zendesk.com.
6. Contact Information
If you have questions or complaints regarding this Notice, please contact us by email at privacy@zendesk.com or at:
Zendesk, Inc.
Attn: Privacy Team and DPO
989 Market Street
San Francisco, CA 94103
United States
You may also raise complaints with the statutory regulator in your jurisdiction. A list of contact details for the EEA data protection authorities is available here, for the Swiss authority – here, and the U.K. authority – here.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit here for more information or to file a complaint. The services of TRUSTe are provided at no cost to you.
7. Modifications to This Notice
We may update this Notice from time-to-time to reflect changes in legal, regulatory, or operational requirements; our practices; and other factors. Please check this Notice periodically for updates. When required under applicable law, we will notify you of any changes to this Notice by posting a notice on this page prior to any changes taking effect (and updating the “Last Updated” date at the beginning of this Notice) or in another appropriate manner.
8. Supplemental Information for EEA, Swiss, and U.K. Candidates
The following terms supplement the Notice with respect to our processing of European Economic Area (i.e., European Union Member States, Iceland, Liechtenstein, and Norway), Swiss, and U.K. personal data. In the event of any conflict or inconsistency between the other parts of the Notice and the terms of this Section 8, Section 8 shall govern and prevail with regard to the processing of EEA, Swiss, and U.K. personal data.
Data Controller: The Zendesk entity with whom you are interacting is the controller of information collected within the scope of this Notice. In the majority of cases, this will be the local Zendesk entity, unless we specifically inform you otherwise. In the U.S., this will be Zendesk, Inc. On some occasions, more than one Zendesk entity may process your personal data as independent controllers. If you have any questions about controllership, please contact us using the contact information provided in Section 6.
Legal Basis for Processing: Please see Section 3 for the legal basis on which we rely for the collection, processing, and use of your personal data.
Your Data Subject Rights: You may have certain rights in relation to your personal data. We will honor these rights to the extent required by law.
Access: You may have the right to obtain confirmation from us if your personal data is being processed, and supplementary information; and the right to obtain a copy of your personal data undergoing the processing.
Rectification: You may have the right to request the rectification of inaccurate personal data and to have incomplete data completed.
Objection: You may have the right to object to the processing of your personal data if it has been processed under the legitimate interest or public interest legal basis. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or if the data is needed for the establishment, exercise, or defense of legal claims.
Portability: You may have the right to receive your personal data that you have provided to us, in a structured, commonly-used and machine-readable format and have the right to transmit it to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.
Restriction: You may have the right to request to restrict the processing of your personal data in certain cases.
Erasure: You may request to erase your personal data if (i) it is no longer necessary for the purposes for which we have collected it, (ii) you have withdrawn your consent and no other legal ground for the processing exists, (iii) you objected and no overriding legitimate grounds for the processing exist, or (iv) the processing is unlawful, or erasure is required to comply with a legal obligation.
Right to Lodge a Complaint: You also may have the right to lodge a complaint with a supervisory authority in the country where you reside. The contact details for data supervisory authorities in the EEA are available here, in Switzerland here, and the U.K. here.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, we commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (“ICO”) and the Gibraltar Regulatory Authority (“GRA”), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Under certain circumstances, you may also have the right to invoke binding arbitration.
Right to Refuse or Withdraw Consent: In case we ask for your consent to processing, you are free to refuse to give consent and you can withdraw your consent at any time without detriment by contacting us using the contact information provided above in Section 6, or, in case of direct marketing e-mail communications, by clicking on the unsubscribe link. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.
Automated decision-making: The types of automated decision-making referred to in Article 22(1) and (4) EU/U.K. General Data Protection Regulation (“GDPR”) do not take place in connection with your personal data. Should this change, we will inform you about why and how any such decision was made, the significance of it, and the possible consequences of it. You will also have the right to human intervention, to express your point of view, and to contest the decision.
Other Rights: Depending on the local law of the jurisdiction in which you are located, you may have additional rights in relation to your personal data.
If you would like to exercise any of your rights, please submit a request here. Please note that we may refuse to act on requests to exercise data protection rights in certain cases, such as when providing access might infringe on someone else’s privacy rights or impact our legal obligations.
International Transfers Outside of the EEA, U.K., and Switzerland: As a global organization headquartered in the United States, we have offices, affiliates, subsidiaries, and employees located around the world. Because of this, some recipients with whom we share personal data may be located in countries outside the EEA, Switzerland, or the U.K., and which do not provide an adequate level of protection as defined by data protection laws in the EEA, Switzerland, and the U.K. Certain third countries have been officially recognized by the EEA, Swiss, and U.K. authorities as providing an adequate level of protection and no further safeguards are necessary. The below information outlines how we protect your personal data when transferring it outside those countries.
Intra-group transfers: Intra-group international transfers will be to countries where Zendesk entities are located, including the United States. The transfer of your personal data outside the EEA, Switzerland, and the U.K. to the Zendesk Group members located in third countries which do not offer an adequate level of protection in comparison with the EEA, Swiss, or U.K. privacy standards will be based on the following safeguards:
Zendesk Binding Corporate Rules that have been authorized by the EU data protection authorities, and which enable us to transfer personal data lawfully from EEA member states to other Zendesk Group members around the world. More information on (including a copy of) our Binding Corporate Rules is available here, and evidence of our Binding Corporate Rules approval is available on the European Data Protection Board’s website here; or
The EU Standard Contractual Clauses and/or the U.K. International Data Transfer Agreement/U.K. International Data Transfer Addendum, as applicable. We may also utilize addendums and other data transfer agreements specific to certain countries.
Third parties: Some of the third parties with whom we share personal data are also located outside the EEA, Switzerland, or the U.K. in third countries, which do not provide an adequate level of data protection as defined by data protection laws in the EEA, Switzerland, or the U.K. Transfers to third parties located in such third countries take place using an acceptable data transfer mechanism, such as the EU Standard Contractual Clauses and/or U.K. International Data Transfer Agreement/U.K. International Data Transfer Addendum, approved codes of conduct and certifications, on the basis of permissible statutory derogations, or any other valid data transfer mechanism issued by the EEA, Swiss, or U.K. authorities. Please reach out to us using the contact information in Section 6 for further information or, where available, a copy of the relevant data transfer mechanism.
Zendesk, Inc., FutureSimple Inc., and Smooch Technologies US Inc. comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Zendesk, Inc. FutureSimple Inc., and Smooch Technologies US Inc. have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Zendesk, Inc. FutureSimple Inc., and Smooch Technologies US Inc. have certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Zendesk, Inc., FutureSimple Inc., and Smooch Technologies US Inc. are subject to the investigatory and enforcement powers of the United States Federal Trade Commission regarding compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”).
Data Protection Officer: Please find below contact details for our EU and U.K. data protection officer: Zendesk, Inc., Attn: Privacy Team and DPO, 989 Market Street, San Francisco, CA 94103, United States, privacy@zendesk.com
9. Supplemental Information for California Candidates
Pursuant to the California Consumer Privacy Act (“CCPA”), this section applies to certain personal data collected about Candidates that are California residents and supplements the rest of our Notice above. This section does not apply to the following personal data:
Information about Candidates who are not California residents;
Information about Zendesk employees. Such information is subject to a separate Employee Privacy Notice that we make available to Zendesk employees; or
Information that Zendesk processes about you if you interact with our Digital Properties (defined above in Section 1) or otherwise interact with Zendesk as a user of our products or services.
a. How We Disclose California Candidate Personal Data
Section 2 above contains a chart detailing the categories of Candidate personal data and to whom it was disclosed for a business purpose in the past 12 months. We have not sold or shared personal data of Candidates in the past 12 months. Zendesk only uses Sensitive Personal Information, as defined by California law, consistent with the exceptions to the right to limit Sensitive Personal Information.
b. Your California Data Protection Rights
California Candidates may have certain rights, subject to legal limitations, concerning the collection, use, and disclosure of their personal data:
Right to Know. You have the right to request information about the categories of personal data we have collected about you, the categories of sources from which we collected the personal data, the purposes for collecting the personal data, and to whom we have disclosed personal data and why (“Categories Report”). You may also request the specific pieces of personal data we have collected about you (“Specific Pieces Report”).
Right to Delete. You have the right to request that we delete personal data that we have collected from you.
Right to Correct. You have the right to request that we correct inaccurate personal data that we maintain about you.
California Candidates may request to exercise the above rights by submitting a request through our webform. We will not discriminate against you for exercising your privacy rights. We will respond to all requests within 45 days, unless we need more time, in which case we will notify you and may take up to 90 days total to respond to your request.
Verification: In order to process requests, we will need to obtain information to locate you in our records or verify your identity, depending on the nature of the request. In most cases, we will request information about you, which may include your name, email address, or other information. If you submit a Right to Know “Specific Pieces Report,” we may also request a signed declaration, under penalty of perjury, that you are who you say you are. We may request alternative information under certain circumstances and/or use third parties to help verify your identity.
Authorized Agents: Authorized agents may request to exercise rights on behalf of California Candidates, but we reserve the right to also verify the Candidate’s identity directly as described above. Authorized agents must contact us by submitting a request through our webform and indicate that they are submitting the request as an authorized agent. Authorized agents must provide evidence of their identity and documentation evidencing proof of the authorized agent’s legal authority to act on the behalf of the individual California Candidate.