Privacy Shield notice

Slack EU-US and Swiss-US Privacy Shield notice

Effective date: 1 January 2020

Slack Technologies, LLC (‘We’ or ‘Our’) has certified with the EU-US and Swiss-US Privacy Shield with respect to the personal data that we receive and process on behalf of our customers through our online workplace productivity tools and platform (the ‘Services’). Slack certifies that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access and enforcement for personal data submitted by our customers in the European Union, the United Kingdom and Switzerland through the Services, and our Privacy Shield certification will be available here. We may also process personal data that our customers submit relating to individuals in the EU via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

Data processed

We provide the Services so that our customers can communicate and operate aspects of their businesses. In providing these Services, we process messages, files and other content our customers submit to the Services or instruct us to process on their behalves in connection with the Services (“Customer Data”). As set out in our privacy policy, Slack also collects other information (“Other Information”) that may include personal data, such as account creation data, usage information and cookie information.

Purposes of data processing

We process Customer Data in accordance with the Customer’s instructions, including any applicable terms in a customer’s agreement with the Customer and the Customer’s use of Services functionality, and as required by applicable law. Slack is a processor of Customer Data and the Customer is the controller. To fulfil these purposes, we may, for example, access Customer Data to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of our customer who submitted the data or in response to contractual requirements with our customers. As set out in our privacy policy, Slack uses Other Information in furtherance of our legitimate interests in operating our Services, Websites and business.

Third parties with whom we may share data

We use a limited number of third-party providers to assist us in providing the Services to our customers and to support our business. As of the date hereof, these third-party providers perform technical operations, such as database monitoring, data storage and hosting services, and help us provide customer support and other business functions. These third parties may access, process or store personal data in the course of providing these services, but only based on our instructions.

If we receive personal data subject to our certification under the Privacy Shield and then transfer it to a third-party service provider acting as an agent on our behalf, we have certain liability under the Privacy Shield if both (i) the agent processes the personal data in a manner inconsistent with the Privacy Shield and (ii) we are responsible for the event giving rise to the damage.

Questions or complaints

If you are a resident of a European country participating in the Privacy Shield and you believe we maintain your personal data within the scope of this Privacy Shield certification, you can direct any questions or complaints concerning our Privacy Shield compliance to privacy@slack.com or at our postal address:

Slack Technologies, LLC
500 Howard Street
San Francisco, CA 94105
United States

We will work with you to resolve your issue.

Dispute resolution

If you are a resident of a European country participating in the Privacy Shield and you have not received a timely response to your concerns or we have not addressed your concerns to your satisfaction, you may seek further assistance, at no cost to you, from JAMS, which is an independent dispute resolution body in the United States.

We are also committed to cooperating with competent EU data protection authorities (DPAs) with regard to our customers’ end users’ human resources data transferred from a European country participating in the Privacy Shield in the context of their employment relationship.

Arbitration

You may also be able to invoke binding arbitration for unresolved complaints but prior to initiating such arbitration, a resident of a European country participating in the Privacy Shield must first: (1) contact us and give us the opportunity to resolve the issue; (2) seek assistance from JAMS; and (3) contact the US Department of Commerce (either directly or through a European DPA) and give the Department of Commerce time to attempt to resolve the issue. If such a resident invokes binding arbitration, each party shall be responsible for its own legal fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.

US Federal Trade Commission Enforcement

Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC).

Right of access

Some international users (including those whose personal data is within the scope of this Privacy Shield certification) have certain legal rights to access certain personal data we hold about them and to obtain its correction, amendment or deletion. Those users may exercise some of those rights through the options described in our Privacy Policy and in our Privacy FAQs and Team Administration FAQs. However, please be advised that we may first refer your request to the customer who submitted your personal data and we will support them as needed in responding to your request, if you wish to request access, to limit use or to limit disclosure. This is because our personnel have a limited ability to identify and access an individual user’s personal data that a customer has submitted to the Services.

Requirement to disclose

We may disclose personal data when we believe in good faith that such action is necessary to conform to legal requirements or to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements, or to enforce our contractual obligations.