OneTrust does not voluntarily disclose any personal data of customers to government authorities or otherwise grant them access to such data. In addition, OneTrust has not built, and will not purposefully build, backdoors to enable government actors to access its data or information systems, and has not changed, and will not purposefully change, its processes in a manner that facilitates government access to data.
However, OneTrust may receive a legally binding subpoena, writ, warrant, or other court order from a government authority requesting that it disclose a customer’s personal data. OneTrust will only provide the requested customer data in response to formal and valid legal process. Where OneTrust receives such a request, OneTrust’s legal team reviews the request to ensure that it satisfies applicable legal requirements. If the legal assessment reveals legitimate and lawful grounds for challenging the request, OneTrust will do so where appropriate. OneTrust’s policy is to construe such requests narrowly to limit the scope of the personal data provided.
For OneTrust to disclose any customer data, the request must also satisfy the following policies:
- be made in writing and on official letterhead,
- identify and be signed by an authorized official of the requesting party and provide official contact information, including a valid email address,
- indicate the reason for, and nature of, the request,
- identify the customer or customer account that is the target of the request,
- describe with specificity the data/information sought and its relationship to the investigation, and
- be issued and served in compliance with applicable law.
Where OneTrust receives a legally binding request for a customer’s personal data, OneTrust’s policy is to notify the customer via email before disclosing any information. To the extent permissible under the request and/or applicable law, the notice will describe the personal data requested, the authority making the request, the legal basis of the request, and any response already provided. This notice gives the customer an opportunity to pursue a legal remedy, such as filing an objection with a court or the requesting authority.
Exceptions to OneTrust’s policy for personal data requests by government authorities:
- A statute, court order, or other law may prohibit OneTrust from notifying the customer about the request, but OneTrust will make reasonable efforts to obtain a waiver of the prohibition or provide notice once the prohibition requirement ends.
- OneTrust might not give notice to the customer in exceptional circumstances involving imminent danger of death or serious physical injury to any person or to prevent harm to OneTrust’s services.
- OneTrust might not give notice to the customer when it has reason to believe that the notice would not go to the actual customer account holder, for instance, if an account has been hijacked.
- Where OneTrust identifies unlawful or harmful activity, or suspects any such activity, related to a customer’s account, it might notify appropriate authorities, such as in the cases of hacking.