Data Privacy Compliance
Our Commitment to You and the Protection of Your Data
Zesty Tech Ltd. and its affiliates (collectively “Zesty”) are fully committed to and prioritize our customers’ and users’ privacy rights. As a global company with customers and users located in different countries and states, we adhere to global data protection laws. The main benchmarks are the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), the UK data protection laws (the Data Protection Act 2018 (DPA 2018) as amended to incorporate the GDPR), and the Swiss data protection laws (including the Federal Data Protection Act (“FDPA”) and the Ordinance on the Federal Act on Data Protection (“FODP”)).
This page will help you to better understand what those data privacy laws are and how Zesty complies with them. Below you can find the FAQs which clarify the recent revisions we have made to our legal documents.
GDPR Compliance
The GDPR went into effect on May 25, 2018 and established a structured and comprehensive framework on how to collect, process, use, and share personal data in order to protect the privacy rights of EU data subjects. The GDPR applies to any organization which has an establishment in the EU, offers goods or services to data subjects in the EU, or processes personal data of EU data subjects. In other words, even if you are based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
The processing of Personal Data under the GDPR is conducted either as a “Controller” who determines the purposes and means of the processing operations, or as a “Processor” who processes the personal data on behalf of the Controller.
How does Zesty comply with the GDPR?
When Zesty acts as the “Controller” of the personal data, it shall apply security measures, provide disclosures and respect data subject rights as required under the GDPR. The GDPR provides data subjects with several rights, such as: the right to be informed of the processing of personal data; the right of access to your personal data; the right to rectification and amendment; and the right to deletion / erasure. Depending on your interaction with Zesty, these rights can be exercised through this form. Zesty’s personal data processing practices are further detailed in our Privacy Policy, which we update from time to time.
As Zesty’s customer, you are the “Controller” of the personal data and are responsible for complying with the GDPR requirements independently from Zesty. When you use the Zesty platform and the services therein, Zesty will process personal data on your behalf and subject to customers’ written instructions, as a “Processor” or a “Sub-processor”, and shall comply with GDPR requirements under such role. The processing of personal data will be subject to the Data Processing Agreement, which outlines each party’s obligations under GDPR, including limitations on the use of personal data by Zesty as the Processor, security obligations and incident response, listing the sub-processors of the service as updated from time to time, and support to enable completion of data subject requests.
Zesty uses and deploys several service providers (sub-processors) for the purpose of providing the services. These process personal data subject to Data Processing Agreements which set Zesty’s and the service provider’s roles, responsibilities and obligations in compliance with the GDPR. If and when we update our sub-processors list, we are obliged to send our customers a notice and update our Data Processing Agreements.
When Zesty transfers personal data to a third-party country which did not receive an adequacy decision, or does not fall within the GDPR exemptions, we execute data transfer mechanisms which provide the appropriate safeguards for such transfer as required under the GDPR, such as the Standard Contractual Clauses (“EU SCCs”) as adopted by the European Commission on 4 June 2021 for the international transfers of personal data. The transfer mechanism used for each sub-processor is detailed in our sub-processors list.
Zesty has a US entity which is established in California, US. As between Zesty Tech Ltd. (which is established in an adequate country) and Zesty Tech Inc., Zesty Tech Ltd. is the Controller of the personal data, and the HQ is based in Zesty Tech Ltd. The US entity merely provides sales and customer success services; however, the US teams have access to certain personal data. Therefore, if our customer determines that an SCC is required, either because of the US entity or a US-based sub-processor, we allow our customer to enter into SCCs with additional safeguards to further strengthen the security of such transfer.
For more information on the UK SCC and Swiss SCC, please see our FAQs below.
CCPA Compliance
The CCPA, which went into effect on January 1, 2020 and became enforceable on July 1, 2020, is the United States’ first comprehensive data protection law and provides California residents with control over how businesses may collect and use their personal information. The CCPA is amended by the California Privacy Rights Act (“CPRA”) as of January 1, 2023.
The CCPA applies to California establishments, or to those doing business in California and meeting one of the three thresholds that concern the number of users or revenues based on the processing of California residents’ personal information.
Under the CCPA the “Controller” is defined as the “Business” and the “Processor” could be either a “Service provider” or “Contractor”.
Similar to the GDPR, the CCPA provides California consumers with certain rights regarding their personal information such as:
- The right to opt-out of automated decision-making technology and profiling;
- “Do Not Sell or Share My Personal Information” opt-out right, which shall be presented to users on the website homepage and restricts the business’s ability to sell personal information (whether for monetary consideration or other valuable consideration) or share personal information for the purpose of cross-contextual behavioral advertising (whether or not for valuable consideration);
- The right to limit the use of a consumer’s sensitive information, such as SSN, driver’s license number, racial or ethnic origin, etc.;
- The right to access the personal information;
- The right to delete the personal information.
How does Zesty comply with the CCPA?
Zesty Tech Inc. is established in California and complies with the CCPA directly as a “Business”. California residents can learn more about how we process their personal information and how they can exercise their rights through the CCPA Notice.
Customers using the Zesty services, which are subject to CCPA, are the “Business” and shall comply with the CCPA independently from Zesty. In its role as a “Service Provider”, Zesty processes its customers’ personal information subject to an executed CCPA Addendum (available here) between Zesty and the customer. Such agreement ensures that both contractual parties have put in place all reasonably necessary procedures and means to secure the personal information processed by each party.
The security measures implemented by Zesty
Data protection regulations require implementation of technical and organizational security measures, which include physical control, access control, monitoring, awareness, limiting the data processed, backups, managing vendors and transfers of data, etc. Zesty is SOC 2 certified, which ensures that all necessary security criteria are met: the security, availability, processing integrity, confidentiality and privacy criteria are maintained and managed by Zesty as described in our trust center, which you can review herein.
FAQ
What are the “new” Standard Contractual Clauses?
Under the GDPR, personal data may only be transferred to a third country, which is not an adequate country or falls within the GDPR derogations, where appropriate safeguards were obtained. Following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission issued modernized standard contractual clauses, which replaced the old SCCs. As the transition period for updating the executed contracts is about to expire on December 27, 2022, Zesty is obliged to comply with such requirements and update its Data Processing Agreements to include the new EU SCC.
What are the “UK SCC” or the “Swiss SCC” and why do we need them?
Following Brexit, parts of the GDPR were incorporated into UK local laws by the enactment of the Data Protection Act 2018 creating what is known as the “UK GDPR”. Respectively the UK’s Information Commissioner’s Office, Parliament or Secretary of State adopted the EU SCC as available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCC”).
The Swiss Data Protection Law, as amended and enforced from 1.1.23, adopted the EU SCC as well, with certain alterations, further known as the Swiss SCC.
Hence, transfers of personal data from the UK, Switzerland or the EEA to a third country which is not an adequate country or falls within the exemptions, are all subject to security transfers, measures and mechanisms. As a global market we enable our customers to apply any of the SCCs, as applicable and required, as a mechanism for such transfers by adding the SCCs to our Data Processing Agreement.
As the “Controller” you need to assess and determine which mechanism is applicable to your personal data transfer, taking into account the Zesty entities and sub-processors and the region in which the personal data is processed.
Which changes were addressed in the new Zesty DPA?
First, the new EU SCC was added, with the applicable Annexes, as well as the UK and Swiss SCCs. Second, we updated the sub-processor list in Annex III, and elaborated on our security measures in Annex II. Last, we added the “CCPA Addendum” if and to the extent applicable to our customer.
Do I need to have a DPA?
Zesty and its customers are obliged to execute a Data Processing Agreement according to applicable data protection laws, such as the GDPR, the CCPA and the UK GDPR, the Israeli Data Privacy regulations, etc., which may be amended and revised from time to time; therefore, we may be required to revise the DPA from time to time as well.
I have already executed a Data Processing Agreement with Zesty; do I need to be bound by the new DPA?
No. Zesty offers such customers the option to execute the Data Processing Agreement Addendum, which supplements only relevant issues regarding the new SCCs, the CCPA amendments and the updated sub-processor list.
I did not execute an SCC so far; do I need to sign this now?
As Zesty operates in several countries or states (some of which are adequate, others are not), Zesty and its customers are obliged to implement appropriate safeguards in order to provide the appropriate level of security to the personal data at transfer. If you determine the SCC are required as a safeguard mechanism, it may be executed either by the new DPA and its annexes or the Addendum.
When will the new SCC enter into force?
The transition period for the implementation of the new EU SCC and UK SCC will end on December 27, 2022. Starting from December 27, 2022, all existing DPAs will need to include the new SCCs. The Swiss SCC will be required from January 1, 2023.
Do we need a CCPA Addendum?
If you are a Zesty customer considered a “Business” under the CCPA, for which Zesty processes personal information on your behalf as a “Service Provider”, then you and Zesty are obliged to execute the CCPA Addendum (available here), which will govern our personal information processing activities on your behalf, making sure we do so solely for the provision of our services to you.
What are the security measures implemented by Zesty?
Zesty is determined to ensure that an appropriate level of security is applied to the data processed by it. A description of the technical and organizational measures implemented by Zesty is detailed in our Security Overview page.
What can I do if I still have other questions?
If you have any further questions concerning Zesty’s privacy practices and our ongoing efforts surrounding the data protection laws, please feel free to contact our Data Protection & Privacy Team, at privacy@zesty.co.
Resources
The information provided in this page is not legal advice. Nothing herein is intended to certify or otherwise guarantee that any specific methods will comply with an applicable data privacy regulation. Instead, it provides background information to help you better understand how Zesty has addressed some important legal points. Each customer or user should review applicable privacy requirements independently from the information provided herein, and based on its independent review, determine acceptable data practices.