Concerned about VPN vulnerabilities? Learn how you can benefit from our VPN migration offer including 60 days free service.

Zscaler and the GDPR

Introduction

This European Union General Data Protection Regulation (“GDPR”) and Company Privacy Policy (“Policy”) applies to individuals that visit www.zscaler.com (“Site”) from the European Economic Area (“EEA”), United Kingdom (“UK”), and Switzerland and describes how Zscaler, Inc. and its subsidiaries (“Zscaler” or “We” or “Us”) collects, uses, and discloses information that relates to an identified or identifiable individual located in the European Economic Area (EEA), United Kingdom, or Switzerland (the “Personal Data”) through our website at www.zscaler.com (“Site”). This Policy supplements the Company Privacy Policy located at https://www.zscaler.com/privacy/company-privacy-policy, and unless specifically defined in this Policy, the terms in this Policy have the same meaning as in the Company Privacy Policy. 

Zscaler is committed to our customers’ success, including compliance with the GDPR. The GDPR will require a closer partnership between Zscaler and our customers in their use of our services and products. Zscaler has closely analyzed the requirements of the GDPR, and has made enhancements to our services, products, documentation, and contracts to support our own compliance with the GDPR. In addition, Zscaler is dedicated to assisting our customers with their GDPR compliance efforts.

To assist our Customers in complying with the GDPR, we have compiled a comprehensive, side-by-side “Controller vs Processor Responsibility Chart” of the customer’s obligations as the data controller vs. Zscaler’s obligations as the data processor. This chart is a helpful tool for our customers to better understand what exactly they need to do to comply with the GDPR and what they can expect from Zscaler.

Although, we rely on Standard Contractual Clauses in our standard DPA, Zscaler has elected to self-certify to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks administered by the U.S. Department of Commerce (“Privacy Shield”). Zscaler complies with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. 

For purposes of enforcing compliance with the Privacy Shield, Zscaler is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission. For more information about the Privacy Shield, see the U.S. Department of Commerce's Privacy Shield website located at https://www.privacyshield.gov. To review Zscaler's Privacy Shield certification, see the U.S. Department of Commerce's list of Privacy Shield certified companies located at https://www.privacyshield.gov/list

Personal Data Collection and Use

In addition to the Personal Data described in the Zscaler Privacy Policy, Zscaler may receive the following categories of Personal Data from the EEA, UK, and/or Switzerland:

• Contact and billing information (name, mailing address, phone number, email address, etc.) from partners and vendors or from individuals subscribing to, or interested in our Products;

• Other data provided by a customer, vendor, or partner to facilitate Zscaler’s provision of the Products or to allow Zscaler to receive services; and

• Online identifiers, such as IP address, and other internet browsing activity.

We rely on various legal bases under applicable data protection legislation in order to process Personal Data, including by your consent, our legitimate interests, contractual necessity and as required by law. We use the Personal Data we collect for the purpose of providing services to our customers, to operate our business, for advertising and marketing, and for any other purpose consented to by the individual. Zscaler will only process Personal Data in ways that are compatible with the purpose for which Zscaler collected the Personal Data, or for purposes that the individual or entity providing the Personal Data authorizes. Zscaler maintains reasonable procedures to help ensure that Personal Data is reliable for its intended use.

We do not collect any Personal Data on the Site that is considered sensitive Personal Data under the GDPR.

Data Transfers to Third Parties

Third-Party Agents or Service Providers

We may transfer Personal Data to our third-party agents or service providers that perform functions on our behalf as described in the Zscaler Privacy Policy. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our GDPR and Privacy Shield obligations.

We will transfer Personal Data if the country to which the Personal Data will be transferred has been granted a European Commission adequacy decision, or we have put in place appropriate safeguards in respect of the transfer.

Disclosures for National Security or Law Enforcement

Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

Security

Zscaler maintains reasonable and appropriate security measures to protect Personal Data.

Rights Under the GDPR

You have a right to the following:

• To request access to the Personal Data we hold about you;

• To request that we rectify or erase your Personal Data;

• To request that we restrict or block the processing of your Personal Data;

• Under certain circumstances, to receive Personal Data about you that we store and transmit to another without hindrance from us, including requesting that we provide your Personal Data directly to another, i.e. a right to data portability; and

• Where we previously obtained your consent, to withdraw consent to processing your Personal Data.

To exercise these rights, contact [email protected]

Please be aware that Zscaler may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.

Additionally, you have the right to lodge a complaint against us.  To do so, contact the supervisory authority in your country of residence.

Retention

We will process and store your Personal Data only for the period necessary to achieve the purpose of the storage, or as permitted by law. The criteria used to determine the period of storage of information is the respective statutory retention period. After expiration of that period, the corresponding information is routinely deleted, as long as it is no longer necessary for the fulfillment of a contract or the initiation of a contract.

Helpful Links Regarding the GDPR

https://gdpr-info.eu/

https://ec.europa.eu/justice/smedataprotect/index_en.htm

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

https://ec.europa.eu/info/law/law-topic/data-protection_en1

Changes To This Policy

We reserve the right to amend this Policy from time to time consistent with the requirements of the GDPR.

NOTE: While this site is designed to help organizations understand the GDPR in connection with Zscaler's services and products, the information contained herein may not be construed as legal advice and organizations should consult with their own legal counsel with respect to interpreting their unique obligations under the GDPR.