
Salesforce’s Processor Binding Corporate Rules for …


processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific ...


Transcription of Salesforce’s Processor Binding Corporate Rules for …

Salesforce’s Processor Binding Corporate Rules for the Processing of Personal Data

Updated mid July 2021

Salesforce Processor BCR

Table of Contents

1. Introduction
2. Definitions
3. Scope and Application
4. Responsibilities Towards Customers
   A. General Obligations
   B. Transparency, Fairness, Lawfulness and Cooperation with Customers
   C. Data Subject Rights
      i. Data Subject Requests
      ii. Handling of Complaints
   D. Regulatory Inquiries and Complaints
   E. Data Protection Impact Assessments
   F. Records of Processing Activities
5. Description of Processing Operations and Transfers
   A. Purpose Limitation
   B. Nature of Personal Data Processed
   C. Affected Data Subjects
   D. Countries of location of the Salesforce Group Affiliate Sub-processors
   E. Data Quality
   F. Sub-processing
      i. Sub-processing Within the Salesforce Group
      ii. Sub-processing by Third Parties
      iii. Notification of New Sub-processors and Objection Rights
6. Confidentiality and Security Measures
   A. Confidentiality and Training
   B. Data Security
   C. Personal Data Incident Management and Notification
   D. Audits
      i. Third-Party Audits and Certifications
      ii. Network of Privacy Personnel and Internal Verification
      iii. Customer Audits
7. Third-Party Beneficiary Rights
   A. Rights directly enforceable against the Salesforce Group
   B. Rights enforceable against the Salesforce Group where the Data Subject is not able to bring a claim against the Customer acting as Controller
   C. Modalities
8. Liability and Enforcement
9. Cooperation with Supervisory Authorities
10. Local Law Requirements
11. Data Protection Officer
12. Salesforce Processor BCR and Applicable Law
Appendix A Services to which the Salesforce Processor BCR applies

1. Introduction

, inc. and its affiliates are committed to achieving and maintaining customer trust. Integral to this mission is providing a robust security and privacy program that carefully considers data accordance with the General Data Protection Regulation and, as applicable, the Swiss Data Protection Laws and Regulations, the Salesforce Processor BCR (as defined below) is intended to provide an adequate level of protection for Personal Data during international transfers within the Salesforce Group made on behalf of Customers and under their

2. Definitions

Controller means the entity which determines the purposes and the means of the processing of Personal Data.

Customer(s) means (i) a legal entity with whom a member of the Salesforce Group has executed a contract to provide the Services (or a legal entity placing an order under such contract) and such contract incorporates by reference the Salesforce Processor BCR or (ii) a legal entity with whom a member of the Salesforce Group has executed a contract under which the legal entity is entitled to resell the Services to its end customers and such contract incorporates by reference the Salesforce Processor BCR.

Data Subject means the identified or identifiable person to whom Personal Data relates.

General Data Protection Regulation or GDPR means European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing European Directive 95/46/EC.

Personal Data means any information relating to (i) an identified or identifiable natural person; and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under Swiss Data Protection Laws and Regulations).

Processor means the entity which processes Personal Data on behalf of the Controller.

Salesforce Group means , inc. and its affiliate Sub-processors of Personal Data, listed as a Salesforce Affiliate in the Infrastructure and Sub-Processor documentation for each Service covered by the Salesforce Processor BCR, clarity, a Customer (as defined in Section 2) may be a Controller or a Processor of personal a Customer is a Processor of Personal Data, the Salesforce Group shall process Personal Data as Sub-processors on behalf of the Controller. Instructions from the Controller regarding the processing Personal Data shall be given through the Processor BCR

Salesforce Processor BCR means Salesforce’s Processor Binding Corporate Rules for the Processing of Personal Data, the most current version of which is available on Salesforce Group’s website, currently located here.

Services means the online services provided to Customer by the Salesforce Group, as listed in Appendix A.

Sub-processor means any Processor engaged by a member of the Salesforce Group.

Supervisory Authority means an independent public authority which is established by an EU member state pursuant to Article 51 of the GDPR, and/or, as applicable, the Swiss data protection authority established under the Swiss Data Protection Laws and Regulations.

Swiss Data Protection Laws and Regulations means the Swiss Federal Data Protection Act 1992 and its successor

3. Scope and Application

The purpose of the Salesforce Processor BCR is to govern international transfers of Personal Data to and between members of the Salesforce Group, and to third-party Sub-processors (in accordance with written agreements with any such third-party Sub-processors) when acting as Processors and/or Sub-processors on behalf and under the documented instructions Salesforce Processor BCR applies to Personal Data submitted to the Services by:

- Customers established in an EEA member state or Switzerland whose processing activities for the relevant data are governed by the GDPR or, as applicable, by the Swiss Data Protection Laws and Regulations.

- Or Customers established in non-EEA member states for which the customer has contractually specified that the GDPR and implementing national legislation shall

Salesforce Group may update the Salesforce Processor BCR with approval from the Salesforce Group’s appointed privacy leader, general counsel and compliance officer. All changes to the Salesforce Processor BCR shall be communicated to members of the Salesforce Salesforce Group’s appointed privacy leader shall be responsible for keeping a fully updated list of the members of the Salesforce Group and third-party Sub-processors and making appropriate notifications to Customers and the French data protection authority (CNIL) in its capacity as competent Supervisory Authority for the Salesforce Processor BCR. The Salesforce Group shall not transfer Personal Data to a new member of the Salesforce Group until such member is appropriately bound by and complies with the Salesforce Processor Salesforce Group shall make the most current version of the Salesforce Processor BCR, including the members of the Salesforce Group, available here.

Significant changes to the Salesforce Processor BCR and/or the list of members of the Salesforce Group will be reported (a) in a timely fashion to Customers and (b) once per year to the relevant Supervisory Authorities via the CNIL in its capacity as competent Supervisory Authority for the Salesforce Processor BCR accompanied by a brief explanation of Processor BCR When the changes to the Salesforce Processor BCR affect the processing conditions, the Salesforce Group shall inform the Customer in such a timely fashion that Customer has the possibility to object to the change or to terminate the contract before the modification is categories of Personal Data, the types of processing and its purposes, the types of Data Subjects affected and the identification of the recipients in the third countries are set out in Section 5 shall be the responsibility of a Customer to apply the Salesforce Processor BCR to:

- All Personal Data processed for Processor activities and that are submitted to EU and, as applicable, Swiss law; or
- All processing of Personal Data for Processor activities within the Salesforce Group whatever the origin of the

4. Responsibilities Towards Customers

A. General Obligations

The Salesforce Group and its employees shall comply with the Salesforce Processor BCR, process Personal Data only upon a Customer’s documented instruction and shall have a duty to respect Customer’s instructions regarding the data processing and the security and confidentiality of Personal Data, pursuant to the measures provided in the contracts executed with Salesforce Group shall immediately inform the Customer if in its opinion an instruction infringes the GDPR or other EU or EU member state law or, as applicable, Swiss data protection

B. Transparency, Fairness, Lawfulness and Cooperation with Customers

The Salesforce Group undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation and assistance within a reasonable period of time to help facilitate their respective data protection obligations regarding Personal Data, to the extent Customer, in its use of the Services, does not have the reasonable ability to address such

C. Data Subject Rights

Members of the Salesforce Group act as Processors on behalf of Customers.

As between the Salesforce Group and Customers, Customers have the primary responsibility for interacting with Data Subjects, and the role of the Salesforce Group is generally limited to assisting Customers as

i. Data Subject Requests

The Salesforce Group shall promptly notify Customer if the Salesforce Group receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of processing, erasure (right to be forgotten), data portability, object to the processing, or its right not to be subject to an automated individual decision making (Data Subject Request). Taking into account the nature of the processing, the Salesforce Group shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the GDPR or, as applicable, an equivalent obligation under Swiss Data Protection Laws and Regulations.

In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, the Salesforce Group shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under the GDPR or, as applicable, an equivalent obligation under Swiss Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from the Salesforce Group’s provision of

ii. Handling of Complaints

The Salesforce Group’s Privacy department shall be responsible for handling complaints related to compliance with the Salesforce Processor Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the Salesforce Processor BCR by contacting the relevant Customer or the Salesforce Group’s Privacy department at the email address Salesforce Group shall without undue delay communicate the complaint to the Customer to whom the Personal Data relates without obligation to handle it (except if it has been agreed otherwise with Customer).

