The Forthcoming EU General Data Protection Regulation

This page is intended to provide an overview of the forthcoming EU (European Union) General Data Protection Regulation (“GDPR”) and Salesforce’s preparations for the GDPR.

What is the GDPR?

On May 25, 2018, the GDPR will come into effect and replace existing national data protection laws in EU member states. The GDPR strengthens privacy rights of EU individuals and places additional requirements on businesses processing personal data of EU individuals.

 

To whom does the GDPR apply?

The scope of the GDPR is very broad. It applies to Salesforce customers based in the EU as well as non-EU customers to the extent such customers offer goods and/or services to, or track the behavior of, EU individuals. The GDPR applies to all industries and sectors.

 

What does the GDPR aim to achieve?

The dual aim of the GDPR is to:

  • update existing EU data protection laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex cross-border flows of personal data; and
  • replace the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
 

What are some of the biggest changes resulting from the GDPR?

  • More rights for EU individuals: The GDPR provides expanded rights for EU individuals related to deletion, restriction, and portability of personal data.
  • New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
  • Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities. The GDPR also places more specific security requirements on organizations.
  • Binding corporate rules (BCRs): The GDPR officially recognizes BCRs (which Salesforce offers for certain of its services) as a means for controllers and processors to legalize transfers of personal data outside the EU.
  • One-stop-shop: The GDPR provides a central point of enforcement for companies with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

Importantly, the GDPR does not place any new restrictions on transfers of personal data outside the EU. Salesforce’s existing data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to legalize transfers of EU personal data outside of the EU. See our FAQ on the Salesforce Data Processing Addendum for more information.

 

How is Salesforce preparing for the GDPR?

At Salesforce, trust is our #1 value and nothing is more important than the success of our customers and the protection of our customers’ data. Salesforce has demonstrated this commitment by being the first top 10 software company in the world to achieve approval for our Binding Corporate Rules from European data protection authorities.

Salesforce welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and has worked closely with the European lawmakers, EU data protection authorities, and industry associations throughout the development and approval of the GDPR.

Salesforce is committed to complying with the GDPR in providing services to customers. We are also committed to ensuring our customers can continue to use our services in compliance with the GDPR. Similar to existing legal requirements, this requires a partnership between Salesforce and our customers in their use of our services. We have closely analyzed the requirements of the GDPR and are working to make any necessary enhancements to our products, contracts, and documentation to help support Salesforce’s and our customers’ compliance with the GDPR. In the coming months, we will release more specific information on each of these work streams.

 

Does the GDPR require EU personal data to remain in the EU?

No, the GDPR does not place any new restrictions on transfers of EU personal data outside the EU. Our existing data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to legalize such international transfers.

 

Where can I learn more about the GDPR?

Additional information about the GDPR is available on the EU’s GDPR website.

 