slack.com privacy policy — score 72/100 (medium risk)

Last analyzed:

The report content (summary, findings, quotes) was generated in English and has not been localized.


Slack Technologies, LLC · slack.com

Report details

Medium risk

Slack collects a wide range of personal and usage data, relying heavily on broad legitimate interests to process it and transfer it globally, though it does provide standard GDPR rights and safeguards like Standard Contractual Clauses.

The Slack Privacy Policy clearly distinguishes between Customer Data (where the employer/Customer is the controller) and Other Information (where Slack is the controller). While this dual-role structure is standard for enterprise SaaS, Slack's reliance on 'legitimate interests' for extensive processing—including predictive modeling, marketing, and international data transfers—raises compliance concerns under GDPR proportionality requirements. The policy is transparent about data sharing with affiliates and third parties, and utilizes Standard Contractual Clauses for EU data transfers, but lacks detail on supplementary transfer measures and specific retention timelines for non-customer data.

Source URL:
Length: 50,704 characters

Category assessment

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimization: fair

Slack collects a broad array of 'Other Information' including metadata, device details, and third-party data, which goes beyond what is strictly necessary for basic messaging functionality.

Transparency: good

The policy clearly delineates between Customer Data and Other Information, and explicitly lists purposes and legal bases for processing, though some legitimate interest claims are quite broad.

Third-party Sharing: fair

Data is shared with corporate affiliates, event sponsors, professional advisers, and subprocessors, with a reference to Salesforce's subprocessor list, but lacks granular control for the user over these specific shares.

International Transfers: fair

Explicitly transfers data outside the EEA to the US and other countries using SCCs, but fails to detail supplementary measures required post-Schrems II to protect against US surveillance.

AI/Model Training: poor

The policy explicitly states Slack uses data to 'develop and provide search, learning and productivity tools' and 'predictive models' under legitimate interests, without providing a specific or easy opt-out mechanism for this AI training.

User Rights: good

Clearly outlines GDPR rights including access, deletion, correction, and the right to object to legitimate interests, and provides contact information for the Data Protection Officer and Data Protection Authority.

Key findings

Noteworthy terms, issues or good practices (critical first)

Warning

Broad Reliance on Legitimate Interests for Core Processing

Slack relies heavily on 'legitimate interests' as the legal basis for processing Other Information, including developing predictive models, marketing, and international data transfers. Under GDPR, this requires a strict balancing test, and using it for global transfers or AI development may not withstand regulatory scrutiny if user rights are not adequately preserved.

Warning

AI and Predictive Modeling Without Specific Opt-Out

The policy states Slack uses Other Information to 'develop and provide search, learning and productivity tools and additional features' and to make suggestions 'based on historical use and predictive models'. There is no specific opt-out mechanism provided for this AI/model training, only a general right to object to legitimate interests.

Warning

Vague Retention Periods for Other Information

While Customer Data retention is controlled by the Customer, Slack states it retains Other Information 'for as long as necessary' or for the 'period of time needed for Slack to pursue legitimate business interests'. This vague timeframe conflicts with GDPR's requirement for strict storage limitation.

Info

Dual Controller/Processor Role Clarity

The policy clearly distinguishes that the Customer is the controller of Customer Data while Slack is the processor, and Slack is the controller of Other Information. This transparency helps users understand they must contact their employer for workspace data requests, and Slack for metadata/usage requests.

Summary for the user

Your employer controls your workspace messages and files, but Slack controls your usage metadata, device info, and profile data, using it for broad purposes like developing AI features and marketing; you can object to some of this processing, but opting out of service communications is not allowed.

Compliance posture

Mixed

EU transfers

Data is transferred outside the EEA to the US and other countries using Standard Contractual Clauses (SCCs), but the policy lacks explicit detail on supplementary technical measures to protect data from US surveillance, relying instead on a 'legitimate interest' justification for the transfer itself.

Detected signals

Specific data and practices identified in the text

Data collected
  • Messages and files
  • Email address
  • Phone number
  • Password
  • Billing details
  • Services metadata
  • Log data
  • IP address
  • Device information
  • Location information
  • Cookie information
  • Contact information
  • Audio and video metadata

Processing purposes
  • Providing and maintaining services
  • Compliance with legal obligations
  • Developing search, learning and productivity tools
  • Investigating and preventing security issues and abuse
  • Aggregating or de-identifying information
  • Responding to legal requests
  • International data transfers
  • Communicating with users
  • Sending service emails
  • Billing and account management
  • Sending marketing emails

Sharing with third parties
  • Corporate affiliates
  • Third-party service providers and partners
  • Third-Party Services integrations
  • Professional advisers
  • Event sponsors
  • Law enforcement and regulators

International transfers
  • Transfers outside the EEA to the US, Australia, Canada, Japan, India and South Korea
  • Standard Contractual Clauses used
  • APEC CBPR and PRP certifications

AI / model training
  • Used for predictive models
  • Used for learning and productivity tools
  • Used to identify organizational trends
  • No specific opt-out for AI training

Evidence excerpts

Direct quotes from the policy supporting these findings

We rely on our legitimate interests or the legitimate interests of a third party where they are not outweighed by your interests or fundamental rights and freedoms (‘legitimate interests’).

To develop and provide search, learning and productivity tools and additional features... make Services or Third-Party Service suggestions based on historical use and predictive models;

Slack may retain Other Information pertaining to you for as long as necessary for the purposes described in this Privacy Policy... This may include keeping your Other Information after you have deactivated your account for the period of time needed for Slack to pursue legitimate business interests...

Slack uses Standard Contractual Clauses approved by the European Commission... for transfers to, among others, Australia, Canada, India, Japan, South Korea and the United States.

Missing or unclear

  • No specific supplementary measures detailed for US data transfers post-Schrems II
  • No specific retention timeframes for Other Information
  • No explicit opt-out mechanism for AI/predictive model training
  • No detail on automated decision-making or profiling logic beyond predictive models

Questions to ask

  • How does Slack conduct and document the balancing test required for relying on legitimate interests, particularly for using personal data to develop predictive models and AI features?
  • What specific technical and organizational supplementary measures does Slack implement alongside Standard Contractual Clauses to protect EU personal data transferred to the United States?
  • What is the maximum retention period for 'Other Information' after a user deactivates their account, and how is 'legitimate business interest' strictly defined in this context?
  • Can users explicitly opt out of their Other Information being used for 'predictive models' and 'learning tools' without losing core service functionality?

This analysis is produced by AI and is not legal advice. Always consult a qualified lawyer for compliance decisions.


Built by DentroChat
