Salesforce Sales Cloud and Data Protection – What Belongs in the Privacy Policy

Compact guide to Salesforce Sales Cloud: processed data, purposes, legal bases (GDPR) and what website operators need to include in their privacy policy.

When a website operator uses Salesforce Sales Cloud, they regularly process contact data of prospective and existing customers (e.g. name, email address, phone number, company, role) for the purposes of customer acquisition, customer relationship management and sales management – often based on contract performance and legitimate interests, and in certain situations on consent. This article summarises which data Salesforce Sales Cloud typically touches in the website context and which mandatory information has to appear in a privacy policy.

The following remarks are based on publicly available information from the provider and on publicly researchable sources; they do not replace a case-by-case review by the website operator.

A. Purpose and Functioning of Salesforce Sales Cloud

Salesforce Sales Cloud is a cloud-based customer relationship management platform (CRM) of the Salesforce group. Sales teams use it as a central application to manage leads, contacts, accounts, opportunities, activities (calls, emails, meetings), sales pipelines and forecasts. Numerous extensions allow marketing automation, service cases, analytics and AI-supported features (Einstein) to be integrated into the same data foundation.

In the website context, two integration functions are particularly relevant: First, the web-to-lead/web-to-case function, where contact forms, demo requests or newsletter sign-ups are embedded on the website operator's site and the submitted data is created directly as a record in Sales Cloud. Second, the connection to website tracking and marketing automation (e.g. Account Engagement / Pardot, Marketing Cloud), where behavioural data from website visitors can flow into Sales Cloud records. Other components of the Salesforce platform (e.g. Service Cloud, Commerce Cloud, Data Cloud, Marketing Cloud) are not covered in this overview.

This page focuses on the direct integration function between website and Salesforce Sales Cloud, i.e. the data flow from the website operator's site into the website operator's CRM.

B. Mandatory Information in the Privacy Policy When Using Salesforce Sales Cloud

In addition to general information (controller, data protection officer, data subject rights, supervisory authority), the GDPR requires specific mandatory information in the privacy policy with regard to the use of particular tools. This follows in particular from Art. 13 and Art. 14 GDPR.

Mandatory information includes:

  • the purposes of the processing (Art. 13(1)(c) GDPR),
  • the legal bases of the processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
  • whether data is transferred to a third country outside the EU/EEA without an adequate level of data protection, and on which basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR),
  • where data is not collected directly from the data subject, additionally the categories of personal data (Art. 14(1)(d) GDPR).

These mandatory items are broken down for Salesforce Sales Cloud below.

In practice, it has become common to include a separate, lawyer-drafted text block per tool in the privacy policy. This is not a mandatory requirement of the GDPR and regularly leads to long, redundant and poorly maintainable privacy policies that tend to conflict with the transparency principle of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented one, where processing operations are described by topic (e.g. contact form, newsletter, tracking, CRM management) and specific service providers such as Salesforce are listed in a recipients appendix. This is the approach taken by the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Salesforce Sales Cloud

According to publicly available information, the contracting party for customers in the European Economic Area is regularly the Salesforce entity based in Ireland. The exact entity (e.g. SFDC Ireland Limited) and the corresponding address should be taken from the specific contract or the current information at https://www.salesforce.com/eu/company/locations/ and verified by the website operator. The parent company is Salesforce, Inc., based in San Francisco, USA.

Within the group, data is also processed in the USA. According to publicly available information from the U.S. Department of Commerce (https://www.dataprivacyframework.gov/s/participant-search), Salesforce, Inc. is listed as a participant in the EU-US Data Privacy Framework (DPF); Salesforce additionally refers to approved Binding Corporate Rules. The DPF status and the use of EU Standard Contractual Clauses (SCCs) should be verified by the website operator on a case-by-case basis.

The central data protection information of the Salesforce group is available at https://www.salesforce.com/company/legal/privacy/. Product-specific security, subprocessor and compliance information can be found at https://compliance.salesforce.com/.

D. Data Processing by Salesforce Sales Cloud – Step by Step

  1. Collection: Data typically enters Sales Cloud via web-to-lead/web-to-case forms on the website operator's site, through manual entry by sales staff, through imports (e.g. lists), or via connected marketing and service tools.
  2. Storage: The data is stored in Salesforce-operated cloud data centres. According to its own information, Salesforce provides EU Hyperforce regions; the specific region is set out in the contractual documents. Subprocessors may also be located outside the EEA.
  3. Use: The website operator uses Sales Cloud for sales operations (lead qualification, activity management, forecasting). According to provider statements, Salesforce processes the data on instructions for the purpose of providing the platform.
  4. Transmission: Salesforce may engage subprocessors (e.g. hosting providers, support providers); a list is part of the contractual documents. The website operator may additionally forward data to connected third-party systems (e.g. ERP, marketing automation).
  5. Deletion: The website operator defines deletion and retention rules within Sales Cloud (e.g. via retention policies, manual deletion, API-driven deletion routines). Salesforce deletes data after termination of the contract in accordance with the agreed deadlines.

E. Data Collected in Salesforce Sales Cloud

In the Salesforce Sales Cloud context, the following data is typically captured: first and last name, business email address, phone number, role and department, company name and address, opportunity data (stage, estimated value, close date), activities (calls, emails, meetings, notes), correspondence history, and where applicable tracking and behavioural data linked from connected systems. With web-to-lead forms, the form fields filled in by the visitor and additional technical metadata are captured.

This data falls into the following standardised data categories:

  • Web server log data: data the website operator's web server receives with each request, e.g. IP address, date and time, URL of the requested form, referrer, information on browser, operating system and device.
  • Click paths: forms accessed, web-to-lead forms submitted, links clicked, each with timestamp.
  • Device data: device type, operating system, screen resolution of the device used to access the form.
  • Browser information: browser name and version.
  • Coarse location data: coarse location at city or municipality level derived from the IP address.
  • User account data: for logged-in Salesforce users (the website operator's sales staff) user ID, email, roles and permissions, login history.
  • User content: content a website visitor enters into web-to-lead/web-to-case forms, e.g. inquiries, messages, uploaded files.
  • User profiles: interests, segment assignments, lead scores and activity histories maintained by the website operator for a lead or contact.
  • Conversion events: relevant sales events recorded in the CRM, e.g. lead creation, demo booking, quote request, deal closure.

F. Purposes of Use When Using Salesforce Sales Cloud

The website operator regularly uses Salesforce Sales Cloud to centrally capture incoming inquiries, qualify leads, structure the sales process, document activities, create forecasts and maintain customer relationships. The system also supports internal sales management and the fulfilment of statutory retention and documentation obligations.

These purposes fall into the following standardised purpose categories:

  • Functional provision: provision of the web-to-lead/web-to-case function on the website and of the CRM functionality, including error detection and resolution.
  • Contract performance: preparation and execution of contractual relationships with prospects and customers, e.g. offer phase, contract closure, contract execution.
  • Security and abuse prevention: authentication of Salesforce users, access control, spam and bot defence on web-to-lead forms, fraud prevention.
  • General product improvement: evaluation of aggregated CRM metrics for optimising sales processes.
  • User profile creation: creation and maintenance of lead and contact profiles, including segment assignments.
  • User-individual product improvement: needs-based contact with individual leads and contacts based on prior interactions.
  • User-individual marketing: alignment of individual sales and marketing activities, where appropriate consent has been given.
  • Compliance with retention obligations: retention of contract-relevant and tax-relevant data in accordance with § 147 AO, § 257 HGB.
  • Compliance: compliance with statutory requirements and demonstrating such compliance.
  • Legal enforcement: assertion, exercise and defence of legal claims.
  • Communication: handling of inquiries, customer service, support.

In the website context, Salesforce Sales Cloud falls primarily into the tool category CRM/sales system with connected web form, with overlaps to contact form, newsletter (where connected) and – with active tracking – tracking (statistics/marketing).

G. Legal Bases When Using Salesforce Sales Cloud

The following legal bases typically come into consideration:

  • Contract performance (Art. 6(1)(b) GDPR) for handling specific inquiries, offers and contracts.
  • Legitimate interests (Art. 6(1)(f) GDPR) for general CRM management, lead management and internal sales management; relevant legitimate interests are typically efficiency, business management, advertising (within the limits of § 7 UWG), security, abuse prevention and legal enforcement.
  • Consent (Art. 6(1)(a) GDPR, where applicable in conjunction with § 25(1) TDDDG) for advertising emails, the linkage with tracking/marketing data, and – where cookies or similar storage accesses are used – the associated storage accesses.
  • Legal obligation (Art. 6(1)(c) GDPR) for the retention of contract-relevant and tax-relevant data.

Which legal basis applies depends on the case and is to be reviewed by the website operator on a case-by-case basis.

H. Special Considerations and Notes on Salesforce Sales Cloud

  • DPA: According to its own information, Salesforce provides a Data Processing Addendum. Contract documents and compliance materials are available at https://compliance.salesforce.com/; concluding a DPA is regularly required when the website operator uses the system for its own processing activities.
  • Subprocessors: Salesforce publishes a list of engaged subprocessors. Website operators should review this list before contracting and during ongoing operations.
  • Third-country transfer: Processing in the USA is possible. According to publicly available information, Salesforce, Inc. is DPF-certified; SCCs and Binding Corporate Rules may additionally apply. The specific transfer mechanism follows from the contractual documents.
  • Hyperforce/region: The choice of storage region (e.g. EU) affects the third-country topic and should be configured deliberately by the website operator.
  • Web-to-lead/web-to-case configuration: Before productive use, mandatory fields, data minimisation, bot protection (e.g. reCAPTCHA), consent checkboxes and the link to marketing automation should be configured in a privacy-friendly manner.
  • Retention and deletion: Sales Cloud offers configurable retention policies and API interfaces for deletion and access requests; corresponding processes are to be established by the website operator.
  • Role: In the website context, according to provider statements, Salesforce acts as a processor on behalf of the website operator for the provision of the platform. Whether a different arrangement applies in an individual case is to be reviewed by the website operator.

I. FAQ on Salesforce Sales Cloud and Data Protection

J. Conclusion on Salesforce Sales Cloud and Call-to-Action

Salesforce Sales Cloud is a classic CRM back end with high data relevance: at the centre are contact and contract data of prospects and customers, supplemented by activity and, where applicable, tracking data. From a data protection perspective, the web-to-lead integration, the third-country reference to the US parent company, the conclusion of a DPA, the choice of storage region and the configuration of retention and deletion rules are particularly relevant.

For the website operator, it is generally not advisable to include a separate text block for Salesforce Sales Cloud in the privacy policy. Such tool-specific blocks make the privacy policy long, redundant and hard to maintain, and tend to conflict with the transparency principle of Art. 12(1) GDPR.

A structured, topic-oriented approach is recommended: the privacy policy describes processing operations by topic (e.g. contact form, CRM management, newsletter, tracking, contract execution) and refers in an appendix to specific recipients such as Salesforce. This is the methodology of the matterius generator.

This article serves general information on Salesforce Sales Cloud and does not replace legal advice in individual cases. The presentation is based on publicly available information from the provider and on publicly researchable sources. Status: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com