Public Authorities Access Request Policy
1. Introduction
Contentsquare Group (“Contentsquare”) is committed to ensuring the utmost levels of protection and transparency in transferring and disclosing Customer’s Personal Data to third parties.
This Public Authorities Access Request Policy (“Policy”) sets out Contentsquare’s principles and procedure for responding to a disclosure request received from a public authority, including judicial authorities (“Public Authority”) that involves Customer’s personal data as defined under applicable data protection laws (“Customer Personal Data”) Processed by Contentsquare and its Sub-Processors (the “Request”) in adherence to applicable Data Protection Laws and the Agreement (including the Standard Contractual Clauses (Processor to Processor)) between Contentsquare and Customer. Any capitalized terms used in this Policy that are not defined will have the meaning set out in:
- Contentsquare’s Terms and Conditions and Data Processing Agreement (“DPA”);
- Hotjar’s Terms of Service and Data Processing Agreement;
- Heap’s Master Services Agreement and Data Processing Addendum.
2. Requirements for data disclosure
2.1. Customer’s Notification
Unless otherwise required under applicable law or instructed by a competent Public Authority, before disclosing any Customer Personal Data to a Public Authority, Contentsquare will promptly notify the affected Customer of the Request. As a Data Controller, each Customer owns their Customer Personal Data, not Contentsquare. Thus, Contentsquare believes that any Public Authority seeking the disclosure of Customer Personal Data should address its request directly with that Customer where possible. Additionally, this would allow each Customer the ability to work on its response directly with the Public Authority.
If Contentsquare is prohibited from notifying Customer under the laws of the country of destination, Contentsquare will use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Contentsquare will document its best efforts in order to be able to demonstrate them on request of Customer.
Where permissible under the applicable laws, Contentsquare will provide Customer, at regular intervals for the duration of the Agreement, with as much relevant information as possible on the Requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.) as described in the Section 4 of this Policy.
2.2. Review of Request’s legality and data minimisation
Contentsquare will review the legality of the Request, in particular whether it remains within the powers granted to the requesting Public Authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the Request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Contentsquare, will, under the same conditions, pursue possibilities of appeal. When challenging a Request, Contentsquare will seek interim measures with a view to suspending the effects of the Request until the competent judicial authority has decided on its merits. Contentsquare will not disclose Customer’s Personal Data requested until required to do so under the applicable procedural rules.
Contentsquare will document its legal assessment and any challenge to the Request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to Customer. It will also make it available to the competent Supervisory Authority on Request.
If Contentsquare finds that a Request is lawful and binding, Contentsquare will disclose only the minimum amount of information necessary to comply with the Request.
If Contentsquare finds that a Request is incompatible with European law, Contentsquare shall promptly identify appropriate measures (e.g., technical or organisational measures to ensure security and confidentiality) to be adopted by Contentsquare and/or its Sub-Processes to address the situation, if appropriate in consultation with Customer. No transfer will take place until sufficient alternative measures can be taken to allow for compliance with Agreement between Contentsquare and Customer. If no alternative measures have been identified, or if instructed by Customer or the Supervisory authority, Contentsquare will suspend the transfer of Customer’s Personal data until appropriate safeguards and/or terminate the Agreement.
3. Data access request handling process
Contentsquare and its Sub-processors are committed to the following steps for each and every Request received:
- immediately upon receipt of a Request, each Contentsquare Sub-processor will forward that Request to Contentsquare’s Privacy Team, who will notify the Chief Legal Officer and corporate management group;
- to the extent that the Request concerns information by which Contentsquare is not the Data Controller (as defined under applicable Data Protection Law), and unless such notification is prohibited by applicable law or if otherwise instructed by a competent Public Authority, Contentsquare’s Privacy Team will promptly notify the Customer as further set out in the “Third-Party Disclosure” section of our DPA and Standard Contractual Clauses (Processor to Processor);
- Contentsquare’s Privacy Team will review each Request on a case-by-case basis, and liaise with outside counsel as appropriate, to determine the nature, context, purposes, scope, and urgency of the Request, and its validity under applicable laws. This review takes into account all applicable laws and regulations, and mandates that the Public Authority follow the requisite legal process outlined under the applicable laws (e.g., issuing the request via subpoena, court order, or a warrant signed by a relevant judicial authority). If such Request is determined to be invalid or unlawful, Contentsquare will challenge that Request on the basis of overbreadth, appropriateness, or conflict with applicable law. Any requests that are found to be not legally binding will be rejected;
- After exhausting steps i-iii above, Contentsquare will adhere to and satisfy the Request only to the minimum amount absolutely necessary to comply with the requirements of Section 2 of this Policy.
4. Transparency report
Pursuant to the Section 2.1 of this Policy, Contentsquare is committed to maintaining an annual report (a “Transparency Report”) which reflects the number and type of Requests that it has received in the preceding year, as may be limited by applicable law or court order. This Transparency Report is available here and is available upon request to the relevant Supervisory Authority.