Build trust and transparency around your data with Commerce Cloud.

Commerce Cloud empowers retailers to unify customer experiences across all points of commerce — web, social, mobile, and store. From shopping to customer service, Commerce Cloud delivers 1-to-1 shopping experiences that delight customers, increasing engagement, loyalty, and conversion. Nothing is more important to us than enabling the success of our clients. This commitment defines who we are and everything we do. That extends to building tools and features that help merchants comply with the GDPR and serving as a trusted partner to ensure commerce operations remain reliable, compliant, and secure.

Commerce Cloud Accelerates GDPR Readiness


Right to Be Forgotten

Shoppers can request that a merchant stops accessing or modifying their personal data. Salesforce provides merchants with two tools to use when presented with a Restriction of Processing request: a new API for data export, and another for data deletion. There are a number of reasons why consumers may wish their data to be deleted, for instance if they want to end their relationship with a brand. Salesforce provides merchants with the ability to delete shopper order and tracking data, enabling merchants to comply with the Right to Be Forgotten if an EU shopper makes a request.

Data Portability

Shoppers can request to obtain certain personal data in a structured, machine-readable format so they can transmit relevant data to another company. Salesforce provides merchants the ability to offer a self-service data export to shoppers using a new data export cartridge. Additionally, merchants themselves can create a data export using a new API for data export.

Shoppers can object to the processing of their personal data with respect to receiving marketing communications, online tracking, and user profiling. Salesforce has a new “Do Not Track” flag for the Digital Script API for Session to give merchants the tools to manage their own storefront consent management solution.

Restriction of Processing

Shoppers can request that a merchant stops accessing or modifying personal data. Salesforce provides merchants with two tools to use when presented with a Restriction of Processing request: a new API for data export, and another for data deletion capabilities. If the restriction is lifted at a later date, the records can be re-imported.


Salesforce offers customers a robust data processing addendum containing strong privacy commitments that few software companies can match. This addendum contains data transfer frameworks ensuring that our customers can lawfully transfer personal data to Salesforce outside of the European Economic Area by relying, depending on the service, on Binding Corporate Rules, our Privacy Shield certification, or the Standard Contractual Clauses. This addendum also contains specific provisions to assist customers in their compliance with the GDPR.


Protecting the security and privacy of customer and cardholder data is as much of a priority for Salesforce and Commerce Cloud as it is for our merchants. Commerce Cloud continuously implements robust technical and organisational security controls to ensure that commerce operations remain reliable, compliant, and secure — all without adding extra costs or infrastructure.

“We are committed to our customers’ success, including compliance with the GDPR.”


What should customers do?

- Raise awareness of the importance of GDPR compliance with organisation leaders
- Obtain executive support for necessary staff resources and financial investments
- Choose someone to lead the effort in becoming GDPR-compliant
- Build a steering committee of key functional leaders
- Identify privacy champions throughout the organisation 
- Review existing privacy and security efforts to identify strengths and weaknesses
- Identify all the systems where the organisation stores personal data, and create a data inventory
- Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
- Document compliance
- Ensure privacy notices are present wherever personal data is collected
- Implement controls to limit the organisation’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
- Establish procedures for responding to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish a privacy impact assessment process
- Administer employee and vendor privacy and security awareness training
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intracompany data transfer agreements, and vendor contracts
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments
