July 16, 2020
Salesforce’s Binding Corporate Rules Reflect Highest Data Protection Standards
By Lindsey Finch, EVP, Global Privacy & Data Protection Officer
The digital transformation of the economy has expanded the amount of data that is transferred across borders. The free flow of data increases trade between regions, grows economies, and creates jobs. But this cannot come at the expense of privacy. Individuals, companies, regulators, and policymakers must be able to trust that data stored or accessed across borders does not result in a diminishing level of protection.
Today, the Court of Justice of the European Union (“CJEU”) issued a decision (Case C-311/18, widely known as Schrems II) on two mechanisms that authorize the transfer of personal data out of the EU. The decision confirmed the validity of the European Commission’s standard contractual clauses (“SCCs”) as a legal mechanism for the transfer of EU personal data. At the same time, the CJEU invalidated the EU-US Privacy Shield framework. Further, it held that companies are responsible for conducting due diligence to help ensure compliance with EU data protection law, including assessing whether the laws of any recipient country are compatible with EU citizens’ fundamental rights to privacy and data protection.
Salesforce customers do not need to take any action to continue to use our services in compliance with European law. Our existing Data Processing Addendum already contains both the SCCs and Salesforce’s Processor Binding Corporate Rules (“BCRs”) as legal mechanisms for the transfer of EU personal data to our services. Neither of these mechanisms was affected by today’s CJEU ruling.
At Salesforce, trust is our #1 value. Our privacy model is simple: we do not use or share our customers’ data and our job is to do our best to keep it safe. We provide a comprehensive privacy program, including resources that document our compliance and help our customers on their own privacy journeys.
Salesforce was the first enterprise software company to achieve approval for our BCRs in November 2015. BCRs, which were not at issue in today’s CJEU decision, are company-specific data protection policies that are widely viewed as the “gold standard” of EU personal data transfer mechanisms. This is because BCRs must adhere to strict criteria (including meeting requirements about government requests for EU personal data), be approved by EU data protection authorities, and require ongoing reporting to EU data protection authorities.
The privacy compliance landscape around the globe is rapidly evolving, but our commitment to privacy is steadfast. We are driven by our focus on customer success, ensuring our customers may use our services in a compliant manner that helps our customers build trust with their own customers.