February 17, 2023
This Government Data Request Procedure sets forth the procedure adopted by Nexthink SA (together with its affiliated entities, “Nexthink”) for responding to and documenting requests received from a law enforcement or other governmental authority (together the “Requesting Authority”) to disclose personal data processed by Nexthink (hereafter “Data Disclosure Request”).
Where Nexthink receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this procedure. If applicable data protection laws require a higher standard of protection for personal data than is required by this procedure, Nexthink will comply with the relevant requirements of applicable data protection laws.
2. General Principle on Data Disclosure Requests
As a general principle, Nexthink does not disclose personal data in response to a Data Disclosure Request unless either:
it is under a compelling legal obligation to make such disclosure; or
taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.
For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Nexthink will notify and consult with the competent data protection authorities – and, where it processes the personal data on behalf of a customer, the Customer – in order to address the Data Disclosure Request.
3. Handling of a Data Disclosure Request
3.1 Receipt of a Data Disclosure Request
If Nexthink receives a Data Disclosure Request, its recipient must immediately pass it to Nexthink's Privacy and Cybersecurity Committee at email@example.com, indicating the date on which it was received together with any other information which may assist the Committee in processing the request.
For clarity, a request does not have to be made in writing, made under a Court order, or mention data protection laws to qualify as a Data Disclosure Request.
3.2 Initial steps
Nexthink’s Privacy and Cybersecurity Committee will carefully review each and every Data Disclosure Request on a case-by-case basis. The Committee will liaise with other Nexthink departments as deemed appropriate to:
(i) determine the nature of the Data Disclosure Request, its context, purposes, scope, urgency and validity under applicable laws; and
(ii) identify whether action may be needed to challenge the Data Disclosure Request, and/or notify the Customer or competent authorities – notably data protection authorities – in accordance with this procedure.
All the efforts listed hereabove shall be documented and recorded by the Committee.
4. Notice of a Data Disclosure Request
4.1 Notice to the Customer
If a Data Disclosure Request concerns personal data for which a customer is the data controller under the applicable data protection laws, Nexthink will enjoin the Requesting Authority to address said request directly to the Customer. Nexthink will support the Customer in accordance with the terms of the respective data processing agreement.
If this is not possible (for example, because the Requesting Authority declines to address the Data Disclosure Request directly to the Customer), Nexthink will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal data, unless legally prohibited or where an imminent risk of serious harm exists which prohibits prior notification, so that the Customer may seek legal remedies. Where Nexthink is legally prohibited from notifying the Customer prior to disclosure, Nexthink will take reasonable steps to notify the Customer of the request after the nondisclosure requirement expires.
4.2 Notice to the competent data protection authorities
Where compliance with a valid Data Disclosure Request would put Nexthink in potential breach of the applicable data protection laws (for example, because the Requesting Authority is located in a foreign jurisdiction that does not provide an adequate level of protection for the personal data in accordance with the applicable data protection laws), then Nexthink will also suspend the Data Disclosure Request in order to notify and consult with the competent data protection authorities, unless legally prohibited.
Where Nexthink is prohibited from notifying the competent authorities and suspending the Data Disclosure Request, Nexthink will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under the applicable regulation and obtain the right to waive the prohibition. Such efforts may include (i) asking the Requesting Authority to put the request on hold so that Nexthink can consult with the competent data protection authorities; and/or (ii) seeking any legal remedies to this effect. Nexthink will maintain a written record of the efforts taken.
5. Disclosure Reports
Nexthink will document each Disclosure Request by completing a Disclosure Report, in the form set forth in Annex 1 attached hereto. Disclosure Reports will be filled out and recorded by Nexthink’s Privacy and Cybersecurity Committee.
6. Transparency Reports
Nexthink commits to periodically preparing a publicly facing report (a “Transparency Report”), which reflects to the extent permitted by applicable laws the number of Data Disclosure Requests as well as the number of executed requests.
7. Bulk Transfers
In no event will any Nexthink entity transfer personal data to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
Date of request:
Description of request, including legal grounds for request:
Personal data subject to request:
Relevant Nexthink customer and details of correspondence (if applicable):
Description of consultation with data protection authority or legal prohibition that prevents consultation (if applicable):
Description of grounds for complying with request (if applicable):
Description of grounds for rejecting or challenging the request (if applicable):
Date of disclosure to Requesting Authority (if applicable):
Personal data disclosed to Requesting Authority (if applicable):
Other relevant details: