
Salesforce Marketing Cloud and Data Protection – What Belongs in the Privacy Policy

Concise guide to Salesforce Marketing Cloud: processed data, purposes, legal bases (GDPR) and what website operators need to include in their privacy policy.

When a website operator uses Salesforce Marketing Cloud, it typically processes contact data (in particular email addresses) and interaction data of newsletter recipients and website visitors for the purposes of newsletter delivery, campaign management and marketing automation, on the basis of consent under Art. 6 (1) (a) GDPR and supplementary legitimate interests. This page provides website operators in Germany with a concise overview of which data Salesforce Marketing Cloud processes and which mandatory information should appear in a website's privacy notices.

A. Purpose and Functionality of Salesforce Marketing Cloud

Salesforce Marketing Cloud (now also marketed as Marketing Cloud Engagement) is a cloud-based marketing platform from the Salesforce group for email marketing, marketing automation, customer journey orchestration, push and mobile messaging and cross-channel campaigns.

Website operators typically integrate only individual functions into their own website. This tool entry page focuses on the most common integrations for website operators: the email newsletter sign-up form (CloudPages or embedded form), the newsletter sending itself (with open and click tracking) and the web tracking script (Collect tracking code/beacon), which transmits visitor behaviour data to the platform and links it to profiles in Marketing Cloud. Other functions of the platform – such as Mobile Studio (SMS/push), Advertising Studio or Datorama – are not covered by this page.

Marketing Cloud is a software-as-a-service solution; data is stored in data centres of the Salesforce group (depending on the chosen instance, in the EU or in the United States).

B. Mandatory Privacy Policy Information When Using Salesforce Marketing Cloud

In addition to general information about the website operator, the rights of data subjects and the supervisory authority, the GDPR requires specific mandatory information for the use of concrete tools such as Salesforce Marketing Cloud. This includes in particular:

  • the purposes of processing (Art. 13 (1) (c) GDPR),
  • the legal bases of processing (Art. 13 (1) (c) GDPR),
  • where processing relies on a balancing of interests (Art. 6 (1) (f) GDPR), the specific legitimate interests pursued (Art. 13 (1) (d) GDPR),
  • the recipients or categories of recipients (Art. 13 (1) (e) GDPR),
  • whether data is transferred to an unsafe third country and on what basis (Art. 13 (1) (f) GDPR),
  • the storage period or the criteria used to determine it (Art. 13 (2) (a) GDPR),
  • where data is not collected directly from the data subject, additionally the categories of personal data processed (Art. 14 (1) (d) GDPR).

These mandatory items are broken down for Salesforce Marketing Cloud below.

In practice, it is not necessary to list every single tool – including Salesforce Marketing Cloud – in the privacy policy with its own text module, even though this practice has become widespread. The "text-module-per-tool" approach has become an entrenched bad habit: it leads to long, lawyer-drafted texts that repeat themselves, make the privacy policy hard to maintain and work against the transparency requirement in Art. 12 (1) GDPR. A more appropriate approach is a topic-oriented structure that describes processing operations by topic (newsletter, tracking, marketing automation …) and only names the specific service providers – including Salesforce Marketing Cloud – in an appendix listing recipients. This is exactly the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Salesforce Marketing Cloud

According to the publicly available information of the provider, the contracting party for customers in the EEA and Germany is regularly the EU group company of Salesforce – typically SFDC Ireland Limited, Salesforce Tower, 60 North Dock, Dublin 1, D01 W2Y3, Ireland. The parent company is Salesforce, Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA. Which group company is the contracting party in the individual case must be verified by the website operator on the basis of its contractual documents.

According to the entry on the DPF list, Salesforce, Inc. is EU-US Data Privacy Framework (DPF) certified (see the participant entry in the DPF directory). In addition, the Salesforce group relies on EU Standard Contractual Clauses (SCCs) and Binding Corporate Rules where data is transferred to third countries without an adequacy decision.

The provider's privacy notices are available at https://www.salesforce.com/company/privacy/. The Data Processing Addendum (DPA) is available at https://www.salesforce.com/company/legal/agreements/.

D. Data Processing by Salesforce Marketing Cloud – Step by Step

  • Collection: Data is collected as soon as a website visitor enters their details into an embedded sign-up form, opens an email sent through Marketing Cloud or clicks a link in it, or visits a web page with the Collect tracking script embedded. The data collected typically includes the email address, possibly salutation and name, IP address, timestamp, click and open events as well as behavioural data on the website operator's site.
  • Storage: According to the provider, data is stored in the cloud instance chosen by the website operator (EU instance or US instance). Within the platform, contact and profile data is stored in Data Extensions, tracking data in the corresponding data tables.
  • Use: Salesforce Marketing Cloud carries out email delivery, evaluates open and click events, segments recipients, runs automated customer journeys and provides reporting on behalf of the website operator.
  • Onward transfer: According to the publicly available information, Salesforce uses sub-processors (group companies and infrastructure providers); a current list is part of the contractual documents. Onward transfers to the United States are possible; safeguards rely on DPF, SCCs and Binding Corporate Rules.
  • Deletion: The website operator controls deletion routines through configuration in the platform (e.g. data retention policies in Data Extensions, suppression lists). At the end of the contract, the DPA provides for deletion or return of the data.

E. Data Collected by Salesforce Marketing Cloud

In connection with newsletter delivery and web tracking, Salesforce Marketing Cloud typically processes – according to the provider's information – the email address, possibly salutation, first and last name, additional profile information from the sign-up form, the IP address, timestamps of the sign-up and double opt-in confirmation, sending, open and click events, bounce and unsubscribe events as well as – when the Collect tracking script is used – behavioural data on the website (such as visited pages, scrolling, cart events).

The data can be assigned to the following standardised data categories:

  • Web server log data: IP address, timestamp, URL, user-agent information, status code on access to the sign-up form and tracking endpoints.
  • Click paths: visited pages, links and buttons clicked, access to the sign-up form, clicks within sent emails.
  • Device data: device type, operating system, screen size, where collected via the tracking script.
  • Browser information: browser name and version.
  • Coarse location data: city- or municipality-level location derived from the IP address.
  • User profiles: interests assigned by the website operator to a recipient, segment assignments, engagement scores, customer journey status.
  • Conversion events: newsletter sign-up, double opt-in confirmation, clicks on purchase actions, visits to thank-you pages.
  • Interaction data: opening of emails, clicks on links and buttons, scrolling behaviour on websites.

F. Purposes of Use of Salesforce Marketing Cloud

Website operators typically use Salesforce Marketing Cloud to send newsletters and other marketing emails to interested recipients, to run sign-ups via a double opt-in process in a legally compliant manner, to measure campaign performance, to segment recipients on the basis of behavioural and profile data, to trigger individual customer journeys and to coordinate cross-channel campaigns.

These purposes can be assigned to the following standardised purpose categories:

  • Functionality provision: delivery of the sign-up form, sending of confirmation and service emails, provision of the newsletter function.
  • Security and abuse prevention: protection against bots in sign-up forms, detection of unauthorised sign-ups.
  • General product improvement: evaluation of aggregated metrics such as open and click rates to optimise future campaigns.
  • General marketing: reach analysis, campaign performance measurement, overall campaign management.
  • User profile creation: creation of recipient profiles, assignment to segments and target groups.
  • User-individual product improvement: tailoring sent content to interests and past behaviour.
  • User-individual marketing: personalised email content, trigger campaigns, abandoned cart emails.
  • Legal enforcement: evidence of consents granted (double opt-in, sign-up data).
  • Communication: handling service-related responses to newsletters.

In a first step, it must be determined which tool category Salesforce Marketing Cloud primarily falls into. As described here, it is mainly a tool in the Newsletter category and – where the Collect tracking script is used – additionally in the Tracking (marketing) category.

In a second step, the relevant legal bases need to be identified:

  • For sending newsletters and promotional emails, consent under Art. 6 (1) (a) GDPR is regularly relevant; in an existing customer context, this is supplemented by Section 7 (3) UWG together with legitimate interests in advertising (Art. 6 (1) (f) GDPR).
  • For storing sign-up and double opt-in records, a legal obligation under Art. 6 (1) (c) GDPR in conjunction with Art. 7 GDPR and Section 7 (2) no. 2 UWG and a legitimate interest in legal enforcement are relevant.
  • For setting cookies and accessing device information through the Collect tracking script, consent under Section 25 (1) TDDDG is regularly required, supplemented by marketing consent under Art. 6 (1) (a) GDPR for subsequent profiling.
  • For open and click tracking in sent emails, consent is typically the relevant basis; reliance solely on legitimate interests is contested.

Which legal basis applies in the specific case depends on the circumstances (sign-up process, integration into the consent banner, existing customer relationship) and is to be assessed by the website operator on a case-by-case basis.

H. Particularities and Notes on Salesforce Marketing Cloud

  • Data processing: According to the publicly available information, Salesforce provides a Data Processing Addendum (DPA) for Marketing Cloud; the conclusion of a DPA under Art. 28 GDPR is mandatory for use by German website operators.
  • Third-country transfer / DPF: Where data is transferred to the United States, the DPF certification of Salesforce, Inc. may serve as a transfer mechanism; in addition, EU Standard Contractual Clauses and Binding Corporate Rules are used. The actual hosting location (EU or US instance) is a matter of the contractual arrangement with Salesforce.
  • Sub-processors: A current sub-processor list is available via the Salesforce Compliance Portal (https://compliance.salesforce.com) and should be reflected in the recipient list of the privacy policy.
  • Opt-out for recipients: Every promotional email sent via Marketing Cloud must contain a working unsubscribe link (cf. Section 7 (2) no. 4 UWG, Art. 21 (2) GDPR).
  • Settings for the website operator: Configurable items include in particular mandatory double opt-in, IP storage on sign-up, activation/deactivation of open and click tracking, use of the Collect tracking script as well as data retention rules in Data Extensions.
  • Sources: The above information is based on the provider's publicly available publications and does not replace an individual case assessment.

I. Frequently Asked Questions on Salesforce Marketing Cloud and Data Protection

J. Conclusion on Salesforce Marketing Cloud

When using Salesforce Marketing Cloud, website operators process contact and behavioural data of newsletter recipients and visitors for purposes of email marketing, marketing automation and campaign management. The contracting party is regularly the EU group company of Salesforce; the parent company Salesforce, Inc. is DPF certified. Key obligations are concluding a data processing agreement, properly documenting consent for newsletter and web tracking and providing functioning opt-out and objection paths.

For the website operator, having a dedicated text module just for Salesforce Marketing Cloud in the privacy policy is mostly of little use. It makes the privacy policy long, opaque and hard to maintain, and it works against the transparency requirement in Art. 12 (1) GDPR. The recommended approach is a structured, topic-oriented one that explains tools by topic (newsletter, tracking, sales …) and only refers to specific providers such as Salesforce Marketing Cloud in the appendix listing recipients. This is exactly the methodology of the matterius generator.

This article provides general information on Salesforce Marketing Cloud and is not a substitute for legal advice in an individual case. The presentation is based on the provider's publicly available information and other publicly researchable sources. As of: 6 May 2026.


Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
