Overview - Data Privacy Framework Statement

OUR COMMITMENT TO PROTECTION OF PERSONAL DATA

Zesty is committed to complying with applicable data protection laws. As a global company with customers located in different countries and states, we adhere to applicable global data protection laws, using the main privacy laws as our benchmark, such as the EU and UK General Data Protection Regulation (“GDPR”), and US laws such as the California Consumer Privacy Act of 2018 (“CCPA”).

This page will help you to better understand what those data privacy laws are and the measures taken by Zesty to ensure compliance.

GDPR COMPLIANCE

The EU GDPR went into effect on May 25, 2018 (and following Brexit, is retained in domestic law as the UK GDPR, alongside an amended version of the DPA 2018, where the key principles, rights and obligations remain the same). The GDPR establishes a structured and comprehensive framework on how to process personal data in order to protect the privacy rights of EU and UK data subjects. The GDPR applies to any organization which has an establishment in the EU or the UK, as well as to organizations that offer goods or services to data subjects in the EU or UK.

The processing of personal data under the GDPR is conducted either as a “Controller”, meaning the party that determines the purposes and means of the processing operations, or as a “Processor”, meaning the party that processes the personal data on behalf of the Controller.

THE MEASURES TAKEN BY ZESTY IN COMPLIANCE WITH THE GDPR

When Zesty acts as the “Controller” of the personal data, it applies security measures, makes disclosures and respects data subject rights as required under the GDPR. The GDPR provides data subjects with several rights, such as: the right to be informed of the processing of personal data; the right of access to your personal data; the right to rectification and amendment; and the right to deletion/erasure of your personal data. Zesty’s personal data processing practices as the “Controller” are further detailed in our Privacy Policy, including detailed information on the types of personal data we process, the purpose for which we process personal data, our lawful basis for processing personal data, privacy rights and how to request to exercise such rights.

As Zesty’s customer, you are the “Controller” of the personal data we process for the provision of the services we provide you, and are responsible for complying with the GDPR requirements independently from Zesty. When using the Zesty platform and services therein, Zesty will process personal data on your behalf as a “Processor” and shall comply with GDPR requirements under such role. The processing of personal data will be subject to the Data Processing Agreement which outlines each party’s obligations under GDPR, including limitations on the use of personal data by Zesty as the Processor, security obligations and incident response, and assistance, as required under the GDPR.

Zesty uses and deploys several service providers (sub-processors) for the purpose of providing the services. These sub-processors process personal data subject to data processing agreements we execute with them, to ensure we comply with our responsibilities and obligations as a Processor. Our Sub-Processors List includes the applicable information regarding the sub-processors we use, and will be updated when needed, in accordance with our obligations under our Data Processing Agreement.

When Zesty transfers personal data to a third-party country which did not receive an adequacy decision, or does not fall within the GDPR exemptions, we execute data transfer mechanisms which provide the appropriate safeguards for such transfer as required under the GDPR. This includes, as applicable, transfer in compliance with the EU-U.S. Data Privacy Framework or the UK Extension (Zesty Tech Inc. is self-certified for compliance with the DPF – see our Data Privacy Framework Statement), and transfer based on the Standard Contractual Clauses (as adopted by the European Commission, the UK’s Information Commissioner’s Office, and the Swiss Data Protection Law).

The transfer mechanism used for each sub-processor is detailed in our Sub-Processors List.   

CCPA COMPLIANCE

The CCPA, which went into effect on January 1, 2020 (as amended by the California Privacy Rights Act (“CPRA”) on January 1, 2023), is the United States’ first comprehensive data protection law and provides California residents with control over how businesses may collect and use their personal information.

The CCPA applies to California establishments, or to organizations doing business in California that meet one of the three thresholds concerning the number of users or revenues based on processing of California resident personal information.

Under the CCPA, the “Controller” is defined as the “Business” and the “Processor” could be either a “Service provider” or “Contractor”.

The CCPA provides California consumers with certain rights regarding their personal information such as:

  • The right to opt-out of automated decision-making technology and profiling;
  • “Do Not Sell or Share My Personal Information” – an opt-out right which restricts the business’s ability to sell personal information (whether for monetary consideration or other valuable consideration) or share personal information for the purpose of cross-contextual behavioral advertising (whether or not for valuable consideration);
  • The right to limit the use of a consumer’s sensitive information, such as SSN, driver’s license number, racial or ethnic origin, etc.;
  • The right to access the personal information;
  • The right to delete the personal information.

THE MEASURES TAKEN BY ZESTY IN COMPLIANCE WITH THE CCPA

Our CCPA Notice provides the needed information and disclosure on Zesty’s personal information collection and use practices in our role as the “Business”, including the categories of personal information we collect, the purpose of collection, the categories of third party recipients we share personal information with, privacy rights under the CCPA and how to request to exercise such rights.

As Zesty’s customer, in the event you are subject to the CCPA, you are considered the “Business” of the personal information we process for the provision of the services we provide you, and you are responsible for complying with the CCPA independently from Zesty. In its role as a “Service Provider”, Zesty processes its customers’ personal information subject to the provisions of an executed CCPA Addendum between Zesty and the customer, which outlines each party’s obligations under the CCPA, including limitations on the use of personal information by Zesty as the Service Provider, security obligations and incident response, as required under the CCPA.

THE SECURITY MEASURES IMPLEMENTED BY ZESTY

Data protection regulations require implementation of technical and organizational security measures, which include physical control, access control, monitoring, awareness, limiting the data processing, data transfer obligations, etc. Zesty maintains SOC 2 certification to demonstrate its adherence to high security standards. For additional information regarding our security measures, please see our Information Security Overview. Our security obligations towards our customers when processing personal data on their behalf are further detailed in our Data Processing Agreement.

STILL HAVE OTHER QUESTIONS?

If you have any further questions concerning Zesty’s privacy practices and our ongoing efforts surrounding the data protection laws, please contact our Data Protection & Privacy Team, at privacy@zesty.co.

The information provided on this page is not legal advice. Nothing herein is intended to certify or otherwise guarantee that any specific methods will comply with an applicable data privacy regulation. Instead, it provides background information to help you better understand how Zesty has addressed some important legal points. Each customer or user should review applicable privacy requirements independently from the information provided herein, and based on its independent review, determine acceptable data practices.