What is the GDPR?

The GDPR is a new comprehensive data protection law (in effect May 25, 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.

What does GDPR regulate?

The GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

Our GDPR readiness

We’ve launched a GDPR program to address our responsibilities as both a trusted data controller and a trusted data processor.
We have prepared a Data Processing Agreement to address how we process our customers’ data in compliance with the act.

How we can help

GDPR compliance is an activity that involves all the parties serving on a project. See the details how we serve our clients and help them comply.

Know your rights

You have full rights to access or export or delete you data unless your data must be kept due to contract enforcement or legal obligation.
Being our customer or a client of our customers you can request for you rights using our online portal.


To whom does the GDPR apply?

The GDPR applies to organizations that collect and process personal data of individuals in the EU for their own purposes, defined as Controllers by the regulation, as well as to organizations that process data on behalf of others, defined as Processors by the regulation. This is a shift from the preceding EU data protection law, which only applied to controllers.

How does GDPR change privacy law?

The key changes are the following: Expanded data privacy rights for EU individuals, data breach notification and added security requirements for organizations, as well as customer profiling and monitoring requirements. GDPR also includes binding Corporate Rules for organizations to legalize transfers of personal data outside the EU, and a 4% global revenue fine for organizations that fail to adhere to the GDPR compliance obligations. Overall the GDPR provides a central point of enforcement by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

Does GDPR apply to companies that are not based in the EU?

Yes. The GDPR applies to entities that collect or process personal data of individuals in the European Union, even if the entity is not established in the EU, for instance if the entity is offering goods and services targeted at EU data subjects or is monitoring their behaviour within the EU.

Does the GDPR require EU personal data to stay in the EU?

No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Salesforce’s data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalize transfers of EU personal data outside of the EU. See our FAQ on our data processing addendum for more information.

Have more questions about GDPR or need to know more details about our software and service?