Zendesk asserts that it acts as a data controller for data collected through its own websites and marketing activities, and as a data processor for Service Data submitted by business customers through the platform. Business customers are stated to be responsible for establishing a legal basis for processing Service Data.
This analysis describes what Zendesk's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the allocation of data protection obligations between Zendesk and its business customers, determining which party bears controller responsibilities under GDPR, UK GDPR, and equivalent frameworks, and directing data subject rights requests accordingly.
Interpretive note: The scope of Zendesk's independent discretion over Service Data in practice may affect whether the processor characterization holds under regulatory scrutiny in specific jurisdictions.
Under this clause, individuals whose personal data is contained in Service Data processed through the Zendesk platform are directed to contact the relevant Zendesk business customer, not Zendesk, to exercise data subject rights including access, deletion, and portability. The agreement states that Zendesk processes Service Data only on behalf of and according to the instructions of its business customers.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Zendesk has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Zendesk acts as a data controller when it determines the means and purposes of processing personal data, and as a data processor when it processes personal data on behalf of our customers. When Zendesk customers use our Services, they may submit personal data to Zendesk (referred to as 'Service Data'). In these cases, Zendesk processes such Service Data only on behalf of the customer and in accordance with their instructions. Customers are responsible for ensuring that there is a legal basis for Zendesk to process such Service Data.— Excerpt from Zendesk's Zendesk Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8) defining controller and processor, and Article 28 governing processor obligations. UK GDPR contains equivalent provisions. The relevant enforcement authorities are EU supervisory authorities and the UK ICO. The assertion that business customers bear controller responsibility for Service Data may be scrutinized if Zendesk exercises independent judgment over that data in any context. (2) GOVERNANCE EXPOSURE: High. The controller/processor distinction determines which party must respond to data subject rights requests, conduct data protection impact assessments, and maintain records of processing activities. If business customers lack adequate privacy infrastructure, data subject rights fulfillment may be operationally impaired. (3) JURISDICTION FLAGS: EU/EEA and UK users face the highest exposure given GDPR and UK GDPR controller/processor obligations. California residents under CPRA also have rights that depend on correct identification of the business acting as controller. This provision may create gaps for individuals in jurisdictions where the relevant Zendesk customer does not have a local privacy program. (4) CONTRACT AND VENDOR IMPLICATIONS: Business customers procuring Zendesk must execute a Data Processing Agreement to satisfy GDPR Article 28 requirements. Procurement teams should verify that the DPA covers subprocessor notification, audit rights, and cross-border transfer mechanisms. The assertion that customers are responsible for legal basis for Service Data processing should be reflected in customer-facing contracts. (5) COMPLIANCE CONSIDERATIONS: Organizations using Zendesk should update their records of processing activities to reflect Zendesk as a processor, ensure their own privacy notices disclose Zendesk as a subprocessor or service provider, and establish internal workflows for routing data subject rights requests that arrive for Service Data to their Zendesk-based systems.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the allocation of data protection obligations between Zendesk and its business customers, determining which party bears controller responsibilities under GDPR, UK GDPR, and equivalent frameworks, and directing data subject rights requests accordingly.
Under this clause, individuals whose personal data is contained in Service Data processed through the Zendesk platform are directed to contact the relevant Zendesk business customer, not Zendesk, to exercise data subject rights including access, deletion, and portability. The agreement states that Zendesk processes Service Data only on behalf of and according to the instructions of its business customers.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Zendesk.