1. Introduction

1.1 This Government Data Request Policy sets out Textline’s procedure for responding to a request received from a law enforcement or other government authority (together the “Requesting Authority“) to disclose personal information processed by Textline (hereafter “Data Disclosure Request“) which is aligned with our Binding Corporate Rules: Government Data Request Procedure.

1.2 Where Textline receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this policy. . If applicable data protection law(s) require a higher standard of protection for personal information than is required by this policy, Textline will comply with the relevant requirements of those applicable data protection law(s).

2. General principle on Data Disclosure Requests

2.1 As a general principle, Textline does not disclose personal information in response to a Data Disclosure Request unless either:

• it is under a compelling legal obligation to make such disclosure; or
• taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.

2.2 For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Textline will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) to address the Data Disclosure Request.

3. Handling of a Data Disclosure Request

3.1 If a Textline Group Member receives a Data Disclosure Request, the recipient of the request must pass it to Textline’s Data Privacy Officer and Privacy Team (collectively, the “Privacy Team”) immediately upon receipt, indicating the date on which it was received together with any other information that may assist the Privacy Team to respond to the request.

3.2 The Requesting Authority’s request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, however made, must be notified to the Privacy Team for review.

3.3 Textline’s Privacy Team will carefully review each and every Data Disclosure Request on a case-by-case basis. The Privacy Team will liaise with the legal department and outside counsel as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, and its validity under applicable laws, to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and/or competent data protection authorities in accordance with paragraph 4.

4. Notice of a Data Disclosure Request

4.1 Notice to the Customer

4.1.1 If a request concerns personal information for which a Customer is the controller, Textline will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer. If the Requesting Authority agrees, Textline will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.

4.1.2 If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Customer, does not know the customer’s identity, or if Textline is not permitted by law to disclose the Data Disclosure Request), Textline will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits prior notification.

4.2 Notice to the competent data protection authorities

4.2.1 If the Requesting Authority is in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then Textline will also put the request on hold to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

4.2.2 Where Textline is prohibited from notifying the competent data protection authorities and suspending the request, Textline will use its best efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold, so that Textline can consult with the competent data protection authorities, or to allow disclosure to specified personnel at Textline’s customer, and may also, in appropriate circumstances, include seeking a court order to this effect. Textline will maintain a written record of the efforts it takes.

5. Transparency reports

5.1 Upon request from an existing customer, Textline commits to providing an annual report (a “Transparency Report”), which reflects the number and type of Data Disclosure Requests it has received for the preceding 12 months, as may be limited by applicable law or court order.

6. Bulk transfers

6.1 In no event will any Group Member transfer Personal Information to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.

‍