slack.com privacy policy — score 72/100 (medium risk)

Latest analysis


Slack Technologies, LLC · slack.com

Report details

medium risk

Slack collects a wide range of personal and usage data, relying heavily on broad legitimate interests to process it and transfer it globally, though it does provide standard GDPR rights and safeguards like Standard Contractual Clauses.

The Slack Privacy Policy clearly distinguishes between Customer Data (where the employer/Customer is the controller) and Other Information (where Slack is the controller). While this dual-role structure is standard for enterprise SaaS, Slack's reliance on 'legitimate interests' for extensive processing—including predictive modeling, marketing, and international data transfers—raises compliance concerns under GDPR proportionality requirements. The policy is transparent about data sharing with affiliates and third parties, and utilizes Standard Contractual Clauses for EU data transfers, but lacks detail on supplementary transfer measures and specific retention timelines for non-customer data.

Source: URL
Length: 50,704 characters

Category assessment

Breakdown of the policy across the main compliance areas. Good = solid, fair = mixed, poor = concerning.

Data Minimization: fair

Slack collects a broad array of 'Other Information' including metadata, device details, and third-party data, which goes beyond what is strictly necessary for basic messaging functionality.

Transparency: good

The policy clearly delineates between Customer Data and Other Information, and explicitly lists purposes and legal bases for processing, though some legitimate interest claims are quite broad.

Third-party Sharing: fair

Data is shared with corporate affiliates, event sponsors, professional advisers, and subprocessors, with a reference to Salesforce's subprocessor list, but lacks granular control for the user over these specific shares.

International Transfers: fair

Explicitly transfers data outside the EEA to the US and other countries using SCCs, but fails to detail supplementary measures required post-Schrems II to protect against US surveillance.

AI/Model Training: poor

The policy explicitly states Slack uses data to 'develop and provide search, learning and productivity tools' and 'predictive models' under legitimate interests, without providing a specific or easy opt-out mechanism for this AI training.

User Rights: good

Clearly outlines GDPR rights including access, deletion, correction, and the right to object to legitimate interests, and provides contact information for the Data Protection Officer and Data Protection Authority.

Key findings

Notable clauses, issues, or good practices detected (critical first)

Warning

Broad Reliance on Legitimate Interests for Core Processing

Slack relies heavily on 'legitimate interests' as the legal basis for processing Other Information, including developing predictive models, marketing, and international data transfers. Under GDPR, this requires a strict balancing test, and using it for global transfers or AI development may not withstand regulatory scrutiny if user rights are not adequately preserved.

Warning

AI and Predictive Modeling Without Specific Opt-Out

The policy states Slack uses Other Information to 'develop and provide search, learning and productivity tools and additional features' and to make suggestions 'based on historical use and predictive models'. There is no specific opt-out mechanism provided for this AI/model training, only a general right to object to legitimate interests.

Warning

Vague Retention Periods for Other Information

While Customer Data retention is controlled by the Customer, Slack states it retains Other Information 'for as long as necessary' or for the 'period of time needed for Slack to pursue legitimate business interests'. This vague timeframe conflicts with GDPR's requirement for strict storage limitation.

Info

Dual Controller/Processor Role Clarity

The policy clearly distinguishes that the Customer is the controller of Customer Data while Slack is the processor, and Slack is the controller of Other Information. This transparency helps users understand they must contact their employer for workspace data requests, and Slack for metadata/usage requests.

User summary

Your employer controls your workspace messages and files, but Slack controls your usage metadata, device info, and profile data, using it for broad purposes like developing AI features and marketing; you can object to some of this processing, but opting out of service communications is not allowed.

Compliance posture

mixed

EU transfers

Data is transferred outside the EEA to the US and other countries using Standard Contractual Clauses (SCCs), but the policy lacks explicit detail on supplementary technical measures to protect data from US surveillance, relying instead on a 'legitimate interest' justification for the transfer itself.

Detected signals

Specific data and practices identified in the text

Data collected

  • Messages and files
  • Email address
  • Phone number
  • Password
  • Billing details
  • Services metadata
  • Log data
  • IP address
  • Device information
  • Location information
  • Cookie information
  • Contact information
  • Audio and video metadata

Processing purposes

  • Providing and maintaining services
  • Compliance with legal obligations
  • Developing search, learning and productivity tools
  • Investigating and preventing security issues and abuse
  • Aggregating or de-identifying information
  • Responding to legal requests
  • International data transfers
  • Communicating with users
  • Sending service emails
  • Billing and account management
  • Sending marketing emails

Third-party sharing

  • Corporate affiliates
  • Third-party service providers and partners
  • Third-Party Services integrations
  • Professional advisers
  • Event sponsors
  • Law enforcement and regulators

International transfers

  • Transfers outside EEA to US, Australia, Canada, Japan, India, South Korea
  • Standard Contractual Clauses used
  • APEC CBPR and PRP certifications

AI / Model training

  • Used for predictive models
  • Used for learning and productivity tools
  • Used to identify organizational trends
  • No specific opt-out for AI training

Evidence excerpts

Direct quotes from the policy that support these findings

We rely on our legitimate interests or the legitimate interests of a third party where they are not outweighed by your interests or fundamental rights and freedoms (‘legitimate interests’).

To develop and provide search, learning and productivity tools and additional features... make Services or Third-Party Service suggestions based on historical use and predictive models;

Slack may retain Other Information pertaining to you for as long as necessary for the purposes described in this Privacy Policy... This may include keeping your Other Information after you have deactivated your account for the period of time needed for Slack to pursue legitimate business interests...

Slack uses Standard Contractual Clauses approved by the European Commission... for transfers to, among others, Australia, Canada, India, Japan, South Korea and the United States.

Missing or unclear

  • No specific supplementary measures detailed for US data transfers post-Schrems II
  • No specific retention timeframes for Other Information
  • No explicit opt-out mechanism for AI/predictive model training
  • No detail on automated decision-making or profiling logic beyond predictive models

Questions to ask

  • How does Slack conduct and document the balancing test required for relying on legitimate interests, particularly for using personal data to develop predictive models and AI features?
  • What specific technical and organizational supplementary measures does Slack implement alongside Standard Contractual Clauses to protect EU personal data transferred to the United States?
  • What is the maximum retention period for 'Other Information' after a user deactivates their account, and how is 'legitimate business interest' strictly defined in this context?
  • Can users explicitly opt out of their Other Information being used for 'predictive models' and 'learning tools' without losing core service functionality?

This analysis is generated by AI and does not constitute legal advice. Always consult a qualified legal professional for compliance decisions.


Created by DentroChat
