Heroku and GDPR
Last updated 23 July 2019
Table of Contents
At Salesforce, trust is our #1 value and the protection of our customers’ data is paramount. We know that many organizations have questions about GDPR and the new obligations under GDPR. We have created this document to help you on your compliance journey.
The EU General Data Protection Regulation (GDPR) is a comprehensive European privacy law that takes effect on May 25, 2018. Salesforce welcomes this law as an important step forward in streamlining data protection requirements across the European Union and as an opportunity for Salesforce to deepen our commitment to data protection.
Our GDPR commitment
We are committed to our customers’ success, including compliance with the GDPR.
Similar to existing privacy laws, compliance with the GDPR requires a partnership between Salesforce and our customers in their use of our services. Salesforce will comply with the GDPR in the delivery of our service to our customers. We are also dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR, and are working to make enhancements to our products, contracts, and documentation to support compliance with the GDPR.
Does the GDPR affect my organization?
If you are processing personal data in the context of an organization established in the EU, the GDPR will apply to you, regardless of whether you are processing personal data in the EU or not. “Processing” means any operation performed on personal data such as collection, storage, transfer, dissemination, or erasure.
If you are not established in the EU, the GDPR applies to you if you are offering goods or services (whether paid or free) to EU data subjects or monitoring the behavior of EU data subjects within the EU. Monitoring can be anything from putting cookies on a website to track browsing behavior of data subjects to high tech surveillance activities.
Under European data protection law, organizations processing personal data are divided into “Controllers,” or the entities that control the personal data, and “Processors,” the entities that process personal data only on the instructions of the Controllers. The GDPR applies to both Controllers and Processors.
Preparing our customers for the GDPR
Here are several resources to help our customers prepare for the GDPR. Several considerations are listed within each of these topics.
|Data Deletion for Heroku||Sometimes it’s necessary to delete a customer’s personal data to comply with various data protection and privacy regulations. We give you examples of common requests and things to consider, so you can comply with the regulations that apply to you.|
|Consent Management for Heroku||Track your customers’ approval for how your company interacts with them. To help you assess your compliance with various data protection and privacy regulations, we give you examples of common customer requests. And we provide details to help you determine the best way to comply with the regulations that apply to your company.|
|Restrict Data Processing for Heroku||Some situations require you to prevent the processing of your customers’ data. We give you actions to consider so that you can work toward complying with the laws that are important to your company.|
|Data Portability for Heroku||Your customers can request a copy of the data we received from them. To work toward complying with various data protection and privacy regulations, export the data and pack it up. We’ve given you examples of common customer requests and things to consider. That way, you can determine how best to work toward complying with the regulations that apply to your company.|
We look forward to working with our customers’ GDPR compliance efforts. For more information, we encourage our customers to visit our GDPR Resource Website and take the EU Privacy Law Basics Module on Trailhead.
The Heroku Security Website explains the security processes we have in place to protect our customers and the Heroku Security, Privacy, and Compliance Website shows our customers how they can configure and implement additional security options.
To see our GDPR, Salesforce Processor Binding Corporate Rules, Privacy Shield, and Standard Contractual Clauses visit our Data Processing Addendum Website. To learn about Heroku’s architecture, features, restrictions, notices, infrastructure environment, sub-processors, etc., visit the Heroku Trust and Compliance Website.
Salesforce Heroku customers are encouraged to contact Heroku Support if they have additional questions about how to best implement security measures and how to govern application deployment on Heroku.