Government Data Request Policy

1. Introduction

1.1 This Government Data Request Policy sets out UseINBOX’s procedure for responding to a request received from a law enforcement or other government authority (together the “Requesting Authority“) to disclose personal information processed by UseINBOX (hereafter “Data Disclosure Request“) which is aligned with our Binding Corporate Rules: Government Data Request Procedure.

1.2 Where UseINBOX receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this policy, UseINBOX will comply with the relevant requirements of those applicable data protection law(s).

2. General principle on Data Disclosure Requests

2.1 As a general principle, UseINBOX does not disclose personal information in response to a Data Disclosure Request unless either:

• it is under a compelling legal obligation to make such disclosure; or
• taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.

2.2 For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, UseINBOX will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) to address the Data Disclosure Request.

3. Handling of a Data Disclosure Request

3.1 If a UseINBOX Group Member receives a Data Disclosure Request, the recipient of the request must pass it to UseINBOX’s Chief Privacy Officer and Privacy Team (collectively, the “Privacy Team”) immediately upon receipt, indicating the date on which it was received together with any other information that may assist the Privacy Team to respond to the request.

3.2 The Requesting Authority’s request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, however made, must be notified to the Privacy Team for review.

3.3 UseINBOX’s Privacy Team will carefully review each and every Data Disclosure Request on a case-by-case basis. The Privacy Team will liaise with the legal department and outside counsel as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, and its validity under applicable laws, to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and/or competent data protection authorities in accordance with paragraph 4.

4. Notice of a Data Disclosure Request

4.1 Notice to the Customer

4.1.1 If a request concerns personal information for which a Customer is the controller, UseINBOX will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer. If the Requesting Authority agrees, UseINBOX will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.

4.1.2 If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Customer, does not know the customer’s identity, or if UseINBOX is not permitted by law to disclose the Data Disclosure Request), UseINBOX will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits prior notification.

4.2 Notice to the competent data protection authorities

4.2.1 If the Requesting Authority is in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then UseINBOX will also put the request on hold to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

4.2.2 Where UseINBOX is prohibited from notifying the competent data protection authorities and suspending the request, UseINBOX will use its best efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold, so that UseINBOX can consult with the competent data protection authorities, or to allow disclosure to specified personnel at UseINBOX’s customer, and may also, in appropriate circumstances, include seeking a court order to this effect. UseINBOX will maintain a written record of the efforts it takes.

5. Transparency reports

5.1 UseINBOX commits to preparing a semi-annual report (a “Transparency Report”), which reflects the number and type of Data Disclosure Requests it has received for the preceding six months, as may be limited by applicable law or court order. UseINBOX shall publish the Transparency Report on its website, and make the report available upon request to competent data protection authorities.

6. Bulk transfers

6.1 In no event will any Group Member transfer Personal Information to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.

For more information, please contact us at [email protected].