GDPR & CCPR Frequently Asked Questions

What is the GDPR?

Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), is European privacy legislation that took effect May 25, 2018. It replaced the EU member state laws that implemented the EU Data Protection Directive, which had been in existence since 1995.

Is the GDPR applicable to Zix?

Zix is covered by the GDPR in situations where Zix processes personal data of Zix customers, including but not limited to customer end users, if those individuals are EU data subjects. Zix may also be subject to the GDPR if it processes personal data of its personnel if those personnel are EU data subjects.

What is the CCPA?

The California Consumer Privacy Act (“CCPA”) is California privacy legislation that will take effect January 1, 2020, and that grants European-style privacy rights to California residents (referred to in the law as consumers).

Is the CCPA applicable to Zix?

Yes, the CCPA applies to Zix.

Are the GDPR and the CCPA applicable to me as Zix’s customer?

You should consult with your company’s legal counsel to determine if the GDPR and/or the CCPA apply to you.

Is Zix a Data Controller, a Data Processor, or a Subprocessor under the GDPR?

With respect to the personal data of its customers, Zix is a Data Processor and Zix’s customer is the Data Controller. The Zix customer, the Data Controller, determines the purposes and means of the processing of personal data. Specifically, Zix’s customer decides that it is going to provide Zix’s email encryption, anti-virus, or other products to its employees or other individuals and thereby decides the purposes for which Zix will process the personal data of those individuals – specifically, in order to provide them with the services purchased by the customer. Zix, as the Data Processor, processes personal data on behalf of the Zix customer Data Controller at that company’s direction.

When a customer has a contractual relationship with a reseller, the customer is a Data Controller and the reseller as a Data Processor processes personal data on the customer’s behalf. In those instances, Zix is a Subprocessor.

Is Zix a Business, a Service Provider, or a Third Party under the CCPA?

With respect to the personal information of its customers’ California consumers, Zix is a Service Provider and Zix’s customer is the Business for purposes of the CCPA.  When the customer purchases through a reseller, the customer is a Business and both the reseller and Zix are Service Providers in connection with the personal information of resellers’ California consumers.

Zix is a Business with respect to personal information of California residents that it collects through its websites or through its consumer-facing businesses like Total Defense.

What are subprocessor and affiliate responsibilities?

Zix does not use subprocessors in the provision of core service functionality.  Nonetheless, Zix may engage third party subprocessors and affiliates to assist Zix in providing products and services to customers, such as for Internet infrastructure and service-management operations. When subprocessors and affiliates have access to customers’ personal data, Zix actively manages them and such subprocessors and affiliates must comply with the terms of service.  Moreover, Zix is responsible for its subprocessors’ and affiliates’ compliance with the terms of service, including adherence to law, privacy, and security provisions.

Does Zix have a Data Protection Officer?

No, Zix does not have a Data Protection Officer or DPO because Zix’s processing operations in providing email encryption, anti-virus, archiving, and similar products do not require regular and systematic monitoring of the individual data subjects. Indeed, Zix is in the business of processing the personal data of its customers for the purpose of securing that data from unauthorized access by third parties. Further, Zix’s core activities do not consist of processing on a large scale special categories of personal data (such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric, data concerning health, or data concerning a natural person's sex life or sexual orientation) or data relating to criminal convictions and offences.

What is the lawful basis under the GDPR for Zix’s processing of personal data?

With respect to the email encryption, anti-virus, and other security services that Zix provides to its customers, Zix’s customers must conduct their own lawful basis analysis. Zix cannot provide legal advice to its customers.

With respect to the security services that Zix provides directly to data subjects in the EU, if any, Zix has a legitimate interest in processing the data. The GDPR specifically recognizes that “the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned”. The GDPR acknowledges that may include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping denial of service attacks and damage to computer and electronic communication systems.

To the extent Zix engages in direct marketing to individual EU data subjects who are representatives of Zix’s customers, Zix has a legitimate interest in such processing in order to make offers of relevant services available to its business customers; the direct marketing is necessary to achieve that legitimate interest because those data subjects represent Zix’s business customers; and Zix’s legitimate interest is not outweighed by the individual’s interests, rights and freedoms. The individuals receiving such direct marketing always have the right to object, and Zix takes appropriate measures to protect the personal data processed for such direct marketing, both as set forth in Zix’s Privacy Policy, available here:

Does Zix conduct Data Protection Impact Assessments (DPIAs)?

Zix does not conduct DPIAs with respect to the personal data of its customers because Zix’s processing operations as described in this FAQ and in Zix’s privacy policy are not likely to result in a high risk to the rights and freedoms of natural persons. As noted above, Zix is in the business of processing the personal data of its customers for the purpose of securing that data from unauthorized access by third parties. As such, Zix regularly conducts security risk assessments and obtains an annual SOC 2 report from an independent auditor. Zix will assist its customers, the Data Controllers, where necessary and upon written request, in ensuring compliance with the customer’s obligations, if any, deriving from the carrying out of DPIAs.

How does Zix handle data subject requests to exercise their rights under the GDPR and consumer requests under the CCPA?

This subject is addressed in Zix’s Privacy Policy (which will be expanded for consumer requests under CCPA prior to January 1, 2020). In brief, where allowed by law, Zix will notify its customer if Zix receives a request from a data subject and/or California consumer to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to processing, or right not to be subject to automated individual decision making (“Data Subject Request”), or to exercise the California consumer’s rights to deletion, disclosure, or refraining from selling (“Consumer Request”). Zix will also assist its customer in responding to a Data Subject Request or Consumer Request, where legally required and permissible. Zix’s customer is responsible for any costs arising from Zix’s assistance with Data Subject Requests and Consumer Requests.

Does Zix have an incident response plan?

Yes, Zix has an incident response plan in place that follows the recommendations of the U.S. National Institute of Standards and Technology Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide.

Does Zix host data in my country and does it transfer data across borders?

Zix offers data center hosting of personal information in several countries, depending on the applicable service and availability.  This means your personal information data (e.g., emails) will be resident and available from a Zix data center in a specific country.  Currently, options may include: United States, Switzerland, United Kingdom, or Canada.

Zix may transfer, access, and store personal data globally as necessary to provide products and services to its customers, such as for Internet infrastructure and service-management operations. Zix complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce. For more information about Zix’s Privacy Shield certification, see the next FAQ.

Is Zix Privacy Shield certified?

Yes, Zix participates in the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the European Union and European Economic Area. Zix has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. Zix is responsible for ensuring that third parties acting as its agent adhere to the same high standards. This means that, in addition to Zix’s obligations under the Privacy Shield Principles, Zix shall be liable to you when its third party agents transfer your personal data and process it in a manner that violates the Privacy Shield Principles unless Zix can demonstrate that it is not responsible for the resulting damages. Zix is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

For inquiries or complaints regarding our compliance with Privacy Shield, please send us an email or letter at the address in Zix’s Privacy Policy specified in the “Privacy Policy questions, suggestions and complaints” section. If we are unable to resolve your complaint directly, you may submit your complaint at no cost to you to JAMS at In the event there are residual complaints that have not been resolved by JAMS, or any other means, you may seek a non-monetary remedy through binding arbitration to be provided to you in accordance with the Privacy Shield Principles.

To learn more about the Privacy Shield Framework, and to view Zix’s certification, please visit and the list of entities covered under Zix’s self-certification. A list of companies certified under the Privacy Shield Framework is available at the following link: Who is Zix’s Supervisory Authority in the EU?

Certain Zix companies are registered with the United Kingdom Information Commissioner’s Office. Our Zix entity registration number is Z304946X, and AppRiver is ZA545976. You can view either registration on the UK ICO website.

Where can I find more information about Zix’s privacy practices?

In Zix’s privacy policy, available at The Policy will be updated before January 1, 2020, to include additional provisions relevant to the CCPA.