We help our customers around the world protect the privacy and security of their customers’ data.
Europe, the Middle East, and Africa
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that regulates the use of personal data of EU residents and gives individuals rights to exercise control over their data. The GDPR does not apply only to European companies; it extends to any organization worldwide that targets or offers services or products to EU residents.
The GDPR requires companies to be transparent and accountable for their use of personal data, and to be able to demonstrate this to both regulators and the individuals concerned. There is no requirement for personal data to stay in the EU, but transfers outside of the European Economic Area are restricted, meaning that unless the European Commission has assessed the country’s privacy regime and declared it to be “adequate”, the data must be further protected by contract, or other EU-approved means. For any transfers to non-adequate countries, Salesforce’s data processing addendum incorporates such EU-approved means, namely our Processor Binding Corporate Rules and the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services.
Asia-Pacific and Japan
Japan and countries throughout the Asia-Pacific region (APAC) have their own data protection laws, which vary from light-touch to more prescriptive.
Despite the patchwork of laws and regulations, there is a common non-binding baseline formed by the APEC Privacy Framework. The Asia-Pacific Economic Cooperation (APEC) is a regional economic forum aimed at increasing prosperity for the region by promoting balanced, inclusive, sustainable, innovative and secure growth and accelerating regional economic integration. As part of this cooperation, the APEC Privacy Framework was adopted. The Framework sets out a series of privacy principles to ensure continued trade and economic growth and, in particular, free flow of personal data within the APEC region. Companies can certify under the Privacy Recognition for Processors (PRP) Framework to demonstrate compliance with the APEC Privacy Framework and help their customers on their privacy journey.
Salesforce was one of the first companies globally to obtain PRP certification.
Japan’s Act on the Protection of Personal Information (APPI) is based on principles similar to the GDPR. In 2019, Japan and the EU acknowledged each other’s data protection frameworks to be “adequate”, thus allowing personal data to flow freely between the two economies without the need for further protections such as binding corporate rules or the European Commission’s standard contractual clauses.
Since 2008, Salesforce has also been PrivacyMark certified. PrivacyMark is a Japanese privacy certification that focuses on enhancing individuals' awareness of the protection of personal data and incentivizing businesses to build trusted connections with their customers. To obtain the certification, companies must show they take appropriate measures to protect personal data of individuals. The requirements for PrivacyMark certification are governed by the Japan Institute for Promotion of Digital Economy and Community.