Salesforce Trust

Global Privacy Law Landscape
Over the past several years, numerous laws and frameworks have emerged globally that govern the handling of personal information, including the following:
United States
  • Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Financial Modernization Act of 1999 or Gramm-Leach-Bliley Act (GLB)
  • Numerous state breach notification laws
Canada
  • Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)
  • Numerous provincial privacy laws affecting the public and private sectors
European Union
  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive)
Asia Pacific
  • Japan Law on Protection of Personal Information of 2003
  • Asia-Pacific Economic Cooperation (APEC) Privacy Framework
Although the requirements of these laws and frameworks vary greatly, some common themes have emerged, such as notice, choice, access, and security.
Notice: What information must be provided to individuals about how their data may be used and who it may be shared with? When must this notice be provided to individuals? In what manner must this notice be provided?
Choice: What choices are individuals offered in terms of what information about them is collected and how such information is used?
Access: Are individuals given the opportunity to access information maintained about them? Can individuals request that their information be amended or deleted?
Security: Are organizations that handle personal information required to protect such information using administrative, technical, and physical safeguards?
Salesforce.com's customers solely determine what data is submitted to the salesforce.com service as customer data. With respect to such data, salesforce.com acts as a data processor. In our role as a processor of customer data, salesforce.com addresses the general privacy principles described above in the following ways:
Notice, Choice & Access: Salesforce.com generally does not have a direct relationship with individuals whose personal data is submitted by customers to the salesforce.com service as customer data. Salesforce.com does not collect personal information on behalf of our customers, and salesforce.com does not determine how our customers use such data. Additionally, salesforce.com's customer contracts generally prohibit salesforce.com from accessing customer data except under limited circumstances. Compliance with the Notice, Choice, and Access principles is based on cooperation between salesforce.com and our customers. For example, salesforce.com's contracts with our customers state that customers are responsible for the accuracy, quality, integrity, reliability, and appropriateness of data submitted to the salesforce.com service and that customers must comply with applicable laws in using the salesforce.com service.
Security: Salesforce.com maintains appropriate administrative, physical, and technical safeguards to help protect the security, confidentiality, and integrity of data our customers submit to the salesforce.com service as customer data. Salesforce.com's customers are responsible for ensuring the security of their customer data in their use of the service.