To whom does the GDPR apply?
The GDPR applies to organizations that collect and process personal data of individuals in the EU for their own purposes (defined as Controllers by the regulation), as well as to organizations that process such data on behalf of others (defined as Processors by the regulation). This is a shift from the preceding EU data protection law, which applied only to controllers.
How does GDPR change privacy law?
The key changes are the following: expanded data privacy rights for EU individuals; data breach notification and added security requirements for organizations; and requirements around customer profiling and monitoring. The GDPR also includes Binding Corporate Rules, which organizations can use to legalize transfers of personal data outside the EU, and fines of up to 4% of global revenue for organizations that fail to meet their GDPR compliance obligations. Overall, the GDPR provides a central point of enforcement by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
Does GDPR apply to companies that are not based in the EU?
Yes. The GDPR applies to entities that collect or process personal data of individuals in the European Union even if the entity is not established in the EU, for instance if the entity offers goods or services targeted at EU data subjects or monitors their behaviour within the EU.
Does the GDPR require EU personal data to stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Salesforce’s data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalize transfers of EU personal data outside of the EU. See our FAQ on our data processing addendum for more information.