At Salesforce, privacy and security of customer data is our top priority. As part of this commitment, we strive to offer our customers the tools they need to meet their regulatory requirements. To that end, we want to highlight an important update to our Data Processing Addendum incorporating the UK’s international data transfer addendum to the European Commission’s standard contractual clauses (“EU SCCs”) for international data transfers (“UK addendum”). This update allows customers to use the EU SCCs for transfers of personal data from the UK to non-adequate countries.
Following its departure from the European Union, the UK did not automatically benefit from the EU SCCs introduced by the European Commission in 2021. The UK addendum amends the EU SCCs to ensure that the mechanism works for UK data transfers, thus enabling them to enjoy the same protections offered by the EU SCCs.
Customers are required to implement the UK addendum into their contracts by either September 22, 2022 for new agreements signed on or after that date, or until March 21, 2024 for existing agreements. To incorporate the UK addendum into customer contracts, our customers may choose to execute a new DPA, or simply sign an addendum agreement (either one that incorporates the UK addendum alone or one that includes the new EU SCCs and the UK addendum agreement).
Salesforce’s Data Processing Addendum (“DPA”) is an addendum to the Main Services Agreement (“MSA”) that documents contractual privacy protections and incorporates global cross-border data transfer mechanisms. In September 2021, the DPA was updated to include the new EU SCCs along with new privacy measures, including enhanced audit rights and strengthened protections around government access requests. Today’s update builds on the existing robust safeguards offered by Salesforce and together with our Transparency Report and Salesforce’s UK Processor Binding Corporate Rules, will provide customers with the comfort and certainty they need to meet their regulatory obligations.