Skip to Content
Skip to Footer

Digital Transformation

Salesforce Receives Approval for UK Binding Corporate Rules Under New Rules

Today Salesforce announced it has earned the Information Commissioner’s Office’s (ICO) approval of its UK Processor Binding Corporate Rules (UK BCRs). 

Why it’s important: Binding Corporate Rules are company-specific, group-wide data protection policies approved by European data protection authorities to facilitate international transfers of personal data from either the EU or the UK to countries that have not been deemed adequate. They have long been considered the ‘gold standard’ of transfer mechanisms due to the rigorous approval process. 

Salesforce’s newly-approved UK BCRs, in combination with its EU Binding Corporate Rules (EU BCRs), and the supplementary technical, organizational, and contractual measures the company has implemented, provide Salesforce customers with the strongest transfer mechanisms available to ensure the continued cross-border flow of data. 

Driving the news: Salesforce is among the first companies in the world to have achieved approval for use of UK BCRs for data transfers under new guidelines introduced following the UK’s withdrawal from the EU. Salesforce customers can now benefit from the new UK BCRs, which have been incorporated into Salesforce’s existing data processing addendum by reference. 

The Salesforce perspective: “At Salesforce, trust is our number one value. We are proud to again be among the first companies in the world to receive regulatory approval for our UK BCRs under the new rules,” said Ed Britan, Head of Global Privacy. “This recognition sets us apart in terms of the exceptional privacy protections we provide to our customers.”

The big picture: Obtaining approval requires intensive consultation with the data protection authorities, who approve them on the basis of rigorous privacy principles. Following the UK’s departure from the European Union, Salesforce’s EU BCRs no longer applied to transfers of personal data from customers established in the UK or subject to the UK GDPR. A separate process was initiated with the ICO to seek approval for a second set of Binding Corporate Rules based on new guidance.  

In addition to the UK and EU BCRs, Salesforce uses the following mechanisms to provide customers with secure cross-border data flows across the region and internationally:

  • Standard Contractual Clauses (SCCs) – Salesforce’s data processing addendum includes the latest version of the standard contractual clauses and best-in-industry commitments around challenging government access requests and providing for customer audits. 
  • EU-US Data Privacy Framework / Privacy Shield / UK-US equivalent – Salesforce remains certified under Privacy Shield to demonstrate its commitment to its protections, and welcomed the new Executive Order on the trans-Atlantic transfer of personal data. Salesforce plans to certify to both the EU-US Data Privacy Framework and the UK-US equivalent once adopted. 

Salesforce is committed to providing customers with the strongest protections available for addressing cross-border transfer requirements. In addition:

  • In 2021, Salesforce announced the Hyperforce EU Operating Zone, allowing customers expanded data residency services for storing and processing data in the EU.
  • At Dreamforce ‘22, Salesforce announced external encryption key management, enabling customers to use EU encryption partners, based in the EU, for controlling access to their data.
  • Salesforce has obtained certification for both the APEC Cross Border Privacy Rules (CBPR) and APEC Privacy Recognition for Processors (PRP) System. These certifications demonstrate our adherence to the APEC Framework of accountability for the entire scope of our processing activities, meaning that Salesforce effectively implements the level of protections set out by the CBPR and PRP frameworks.

Go deeper: Learn more about cross-border data transfer mechanisms: 

Read more on Salesforce and privacy here.


Get the latest Salesforce News