Freshdesk is ready for GDPR. Here are the changes we’ve made to our product and policies to help you comply with GDPR. We’ve also answered some of the questions that we frequently hear from our customers.
What is GDPR and does it affect me?
The GDPR is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It comes into effect on May 25, 2018. It provides residents of the EU greater control over their personal data and assurances that their information is being securely protected across Europe.
GDPR applies to you if your organization matches either of the descriptions below:
You are located within the European Union
You are located outside the European Union but offer goods and services to EU residents and collect their data
That ultimately means that almost every major corporation in the world will need to be ready when GDPR comes into effect.
What are the key changes covered in GDPR?
GDPR expressly introduces several principles that previously underpinned data protection law, such as the 'accountability principle' and 'privacy by design', and encourages organizations to take more responsibility for protecting the personal data they handle.
Do I need to move my data to the EU Data Center?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on the transfer of personal data outside the EU. GDPR only mandates that such transfers be legitimized through one of the mechanisms provided in the regulation. Two of these mechanisms are EU-US Privacy Shield certification and Model Contractual Clauses; Freshworks uses both to legitimize data transfers.
However, if your organization’s policy requires you to store data in the EU, you can choose from available Freshdesk plans for options.
Does my data leave the EU?
If your data is hosted in the Freshworks AWS data center in EU/EEA, then the data will not leave the EU.
Freshdesk is committed to providing secure products and services by implementing and adhering to requirements under GDPR, both as a data controller and as a data processor. Freshworks has a comprehensive GDPR program headed by the legal team with able assistance from the information security team, which is supported by key privacy principles: Accountability, Privacy by Design and Default, Data Minimization, and Subject Access Rights. Programs, projects, and processes at Freshdesk are aligned to GDPR privacy principles right from the inception of an idea or project, thereby supporting the Privacy by Design and Default principles. Freshworks' privacy practices, both as a controller and as a processor, can be found here.
How can you delete user data?
In Freshdesk, a delete request from a customer has to be routed via the admin, who validates that the requester is genuine.
How does the admin delete a customer's data:
1. The admin navigates to the specific customer's profile and deletes the contact; this first step is a soft delete. (Now Live)
2. The admin then navigates to the deleted contact's profile and uses the 'Delete forever' option to delete the customer's data permanently: tickets, forums, calls and profile. (Now Live)
For a more detailed explanation of deleting contacts permanently, please refer to this article.
3. If the deleted contact has been an agent with the account, we permanently delete their PII (Personally Identifiable Information) such that the individual is not identified or identifiable after that. (Now Live)
Note: For business continuity, their contributions to the business viz. Ticket responses, notes, knowledge base articles, forum topics/comments, support calls, surveys, automation rules, ticket templates, contacts, companies, tags, etc. will be retained.
How can an agent or a customer rectify their contact details?
End-users and Agents in Freshdesk can rectify any errors in their personal data by editing their profiles.
In addition, Freshdesk customers can leverage the following APIs to assist with their GDPR compliance efforts:
How can I export customer data?
An export request from a customer has to be routed via the admin, who validates that the requester is genuine. Customers can leverage the following APIs to assist with their GDPR compliance efforts on data portability:
The user profile can be accessed using the View a Contact API
You may want to export only the fields visible to the customer, using the ‘displayed_for_customers’ property of this API
Tickets of the user
List tickets by requester using the List Tickets API
Ticket fields need to be filtered down to the user-visible ones; you can use the ‘displayed_for_customers’ property of this API
Access conversations by ticket id
Loop through all tickets of the user and use this API to fetch their conversations
Export only public notes, by checking the ‘private’ property in the response
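The three-step export above, written out as an added example (not Freshdesk's own code): it assumes the v2 endpoint paths shown in the comments, a field-definition flag named ‘displayed_for_customers’ and a conversation flag named ‘private’ as the FAQ describes, and takes a caller-supplied fetch function so it runs offline against constructed responses.

```python
def visible_field_names(fetch, path):
    """Names of field definitions flagged as displayed to the customer."""
    return {f["name"] for f in fetch(path) if f.get("displayed_for_customers")}

def keep_visible(record, visible):
    """Drop agent-only keys from a contact or ticket, custom fields included."""
    out = {k: v for k, v in record.items() if k in visible}
    custom = {k: v for k, v in (record.get("custom_fields") or {}).items() if k in visible}
    if custom:
        out["custom_fields"] = custom
    return out

def export_customer_data(fetch, contact_id):
    """Portable export: visible profile fields, visible ticket fields, public notes only."""
    contact_visible = visible_field_names(fetch, "/api/v2/contact_fields")
    ticket_visible = visible_field_names(fetch, "/api/v2/ticket_fields")
    contact = fetch(f"/api/v2/contacts/{contact_id}")  # View a Contact (assumed path)
    tickets = []
    for t in fetch(f"/api/v2/tickets?requester_id={contact_id}"):  # List Tickets by requester
        convs = fetch(f"/api/v2/tickets/{t['id']}/conversations")  # conversations by ticket id
        entry = keep_visible(t, ticket_visible)
        entry["id"] = t["id"]
        # Private notes are agent-only and must never reach the export
        entry["conversations"] = [{"created_at": c.get("created_at"), "body_text": c.get("body_text")}
                                  for c in convs if not c.get("private", False)]
        tickets.append(entry)
    return {"contact": keep_visible(contact, contact_visible), "tickets": tickets}

SAMPLE = {  # constructed responses standing in for the live API
    "/api/v2/contact_fields": [{"name": "name", "displayed_for_customers": True},
                               {"name": "email", "displayed_for_customers": True},
                               {"name": "internal_score", "displayed_for_customers": False}],
    "/api/v2/ticket_fields": [{"name": "subject", "displayed_for_customers": True},
                              {"name": "escalation_owner", "displayed_for_customers": False}],
    "/api/v2/contacts/7": {"id": 7, "name": "A. Example", "email": "a@example.com",
                           "custom_fields": {"internal_score": 3}},
    "/api/v2/tickets?requester_id=7": [{"id": 101, "subject": "Login issue",
                                        "custom_fields": {"escalation_owner": "agent 4"}}],
    "/api/v2/tickets/101/conversations": [
        {"private": False, "created_at": "2018-05-01T10:00:00Z", "body_text": "Reset link sent"},
        {"private": True, "created_at": "2018-05-01T10:05:00Z", "body_text": "Agent-only note"}],
}

def sample_fetch(path):
    return SAMPLE[path]

if __name__ == "__main__":
    print(export_customer_data(sample_fetch, 7))
```

Against the live API, fetch would perform the authenticated GET and return the parsed JSON body; the filtering logic is unchanged.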
How does the admin export customer data: (Now Live)
Customer export - The admin navigates to the list of all customers, where the export functionality is available, and then filters down to the required customer's data.
Additionally, the admin may use this API call to pull all profile information about them.
Ticket export - The admin filters all tickets by a customer via the Tickets List page and exports this list.
Additionally, the admin may use this API call to export all tickets of any customer.
How can I explicitly obtain consent from customers when they submit tickets through the Freshdesk Support Widget?
As a data controller, it is essential for you to assess what data you're collecting in the form of ticket fields or contact fields; this information must be minimized to the extent necessary for you to provide service or support. As a data processor, Freshworks performs operations or sets of operations on this data only on your authorization and in compliance with applicable regulations.
If you use ‘consent’ as the basis for processing personal data, you can add a checkbox-styled mandatory field to your 'New ticket' form.
Customers in the Estate and Forest plans can use the Portal Customization feature to add consent statements and link them to their Terms of Service.
Customers in the Sprout, Blossom, and Garden plans can add a checkbox and specify, in a textual statement, the types of data their customers consent to share with the organization.
How can I delete old tickets that no longer serve any purpose?
GDPR mandates that personal data should not be retained for longer than necessary for the purposes for which it was collected. Additionally, if a customer decides to exercise their right to be forgotten (right to erasure), the request must be complied with.
To support you with these requests, Freshdesk Mint has a 'Delete forever' option for a customer. When a customer reaches out to you to delete their data, as an admin you'd be able to use this option. This would permanently delete customer information in the system, as well as tickets/chats/calls tagged to the contact.
Based on your data retention policies, if you wish to automate deletion of tickets that are in the system, please use our ‘Delete ticket’ API. This moves tickets to Trash, from where they get permanently deleted in 30 days. You can also periodically go to the ticket list view, filter by date and perform a bulk-delete action.
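A retention-driven selection of the kind described above, as an added example that is not Freshdesk's own code: it assumes the numeric status codes for resolved and closed tickets shown in the constant, the timestamp format of the ticket list, and a DELETE path of /api/v2/tickets/{id}; the delete call itself is supplied by the caller, so the selection logic can be checked offline.

```python
from datetime import datetime, timedelta, timezone

RESOLVED, CLOSED = 4, 5  # Freshdesk ticket status codes as assumed in this example

def parse_ts(ts):
    """Parse the API's UTC timestamps, e.g. '2017-01-15T09:00:00Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def retention_candidates(tickets, retention_days, now=None):
    """Ids of resolved/closed tickets whose last update predates the retention window.
    Open or pending tickets are never selected, whatever their age."""
    now_dt = parse_ts(now) if now else datetime.now(timezone.utc)
    cutoff = now_dt - timedelta(days=retention_days)
    return sorted(t["id"] for t in tickets
                  if t.get("status") in (RESOLVED, CLOSED)
                  and parse_ts(t["updated_at"]) < cutoff)

def delete_tickets(delete, ids):
    """delete(path) issues the Delete ticket call for one ticket and returns True on success.
    Deleted tickets land in Trash and are purged by Freshdesk 30 days later."""
    return [tid for tid in ids if delete(f"/api/v2/tickets/{tid}")]

SAMPLE_TICKETS = [  # constructed list shaped like a List Tickets response
    {"id": 1, "status": CLOSED, "updated_at": "2017-01-15T09:00:00Z"},
    {"id": 2, "status": 2, "updated_at": "2016-12-01T09:00:00Z"},        # still open
    {"id": 3, "status": RESOLVED, "updated_at": "2018-05-20T09:00:00Z"},  # recent
    {"id": 4, "status": RESOLVED, "updated_at": "2017-05-30T09:00:00Z"},
]

def dry_run_delete(path):
    """Stand-in for the real DELETE request; only logs what would be sent."""
    print("DELETE", path)
    return True

if __name__ == "__main__":
    ids = retention_candidates(SAMPLE_TICKETS, 365, now="2018-06-01T00:00:00Z")
    print(delete_tickets(dry_run_delete, ids))
```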
What is our Data Retention policy?
Deletion from our databases is immediate; however, we maintain logs for troubleshooting. These logs are retained for 3 months and then archived in a secure environment with no access unless explicitly approved by senior management to comply with applicable laws. These archived logs are also purged automatically after 12 months.
For more information or questions about Freshdesk’s GDPR roadmap please, write to email@example.com.
Freshworks as a company is committed to providing secure products and services by implementing and adhering to prescribed compliance policies, both as a data controller and as a data processor. The upcoming GDPR enforcement is critical to our mission of providing EU and all our global customers with a safe and dependable business software suite.
For more information or questions about the Freshworks Privacy Notice, please contact firstname.lastname@example.org
Disclaimer: This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and/or your organization. We encourage you to obtain independent professional advice, before taking or refraining from any action on the basis of the information provided here.