Zscaler and UK Data Protection Laws

Introduction and Overview

When the United Kingdom (“UK”) withdrew from the European Union (“EU”) effective January 31, 2020, a “transition period” ensured that most EU laws—including EU data protection laws—continued to apply to the UK. Following the transition period, effective January 1, 2021, two key pieces of legislation govern data protection in the UK: the UK General Data Protection Regulation (Regulation (EU) (2016/679) (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

The UK GDPR is largely identical to the EU GDPR, as incorporated into UK law by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and other domestic UK laws. The DPA 2018 supplements and complements the UK GDPR, including by providing certain exemptions from the UK GDPR.

Like the EU GDPR, the UK GDPR describes key principles governing the processing of personal data by controllers and processors, including the following:

01 Lawfulness, fairness, and transparency

Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. The controller must only process personal data on the basis of one or more of the legal grounds set out in Article 6 of the UK GDPR.

02 Purpose limitation

Personal data must only be collected for specified, explicit, and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.

03 Data minimization

Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

04 Accuracy

Personal data must be accurate and, where necessary, kept up to date.

05 Storage limitation

Personal data must not be kept in a form which permits data subjects to be identified for longer than is necessary for the purposes for which the data is processed.

06 Integrity and confidentiality

Personal data must be processed in a way that appropriately ensures its security. Controllers and processors must use appropriate technical or organizational security measures to ensure this.

07 Accountability

The controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

For cross-border transfers of personal data from the UK to countries that have not been determined to provide “adequate safeguards” under the UK GDPR (which includes the United States), the UK Information Commissioner’s Office (“ICO”) has approved (effective March 21, 2022) an International Data Transfer Addendum that supplements and provides options under the EU standard contractual clauses (“EU SCCs”) to ensure that the EU SCCs are applicable to data transfers from the UK.

How Does Zscaler Comply with UK Data Protection Laws?

Because Zscaler’s obligations under UK Data Protection Laws are essentially identical to its obligations under the EU GDPR, including with respect to data subject rights, please see our Zscaler and the GDPR page for a detailed description of how Zscaler ensures its data processing practices and procedures are compliant with both the EU GDPR and the UK GDPR (as supplemented by the DPA 2018).