Salesforce and GDPR: What German Companies Need to Know in 2026
Yes, Salesforce can be used GDPR-compliantly in Germany. Salesforce provides a Data Processing Addendum (DPA, known in Germany as an Auftragsverarbeitungsvertrag or AVV), operates data centers in Frankfurt, and holds a BSI C5 attestation. However, these protections are not automatic: you must execute the DPA, confirm that your org is provisioned in an EU region, and address Works Council requirements before going live. This guide covers the current compliance landscape for Salesforce Sales Cloud, Service Cloud, and Marketing Cloud under German and EU data protection law. For Salesforce Einstein AI features, see our dedicated Salesforce Einstein GDPR guide.
Is Salesforce GDPR-Compliant for German Companies?
Yes — with conditions. Salesforce acts as a data processor under Art. 4(8) GDPR (Regulation (EU) 2016/679) when processing personal data on behalf of your business. Your company, as the data controller, must satisfy four core requirements before using Salesforce to handle personal data:
- Execute the Salesforce DPA/AVV to fulfil Art. 28 GDPR requirements
- Confirm EU data residency for your org (it is determined by the region in which the org is provisioned, not by a setting you switch on later) so that primary personal data stays within the European Economic Area
- Review Salesforce’s sub-processor list and assess any third-country data transfers
- Establish a legal basis — typically contractual necessity (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) — for CRM data processing
Salesforce is one of the most GDPR-mature enterprise platforms available to German companies. The March 2026 DPA update further strengthened its compliance documentation, making Salesforce a straightforward choice from a data protection standpoint — provided you take the required setup steps.
Salesforce DPA: What’s Covered
Under Art. 28 GDPR, every organisation using a third-party service to process personal data must have a written Data Processing Agreement in place. In Germany, this is the Auftragsverarbeitungsvertrag (AVV).
Salesforce updated its Data Processing Addendum in March 2026. The updated DPA covers:
- A precise description of all processing activities across Salesforce products
- Categories of data subjects and personal data processed
- Technical and organisational measures (TOMs) aligned with ISO 27001 and BSI C5
- Sub-processor management, notification obligations, and approval processes
- Data subject rights assistance under Arts. 15–22 GDPR
- Procedures for data return or deletion upon contract termination
- Updated Standard Contractual Clauses for third-country transfers
How to execute the Salesforce DPA:
- Open Salesforce's published legal agreements (linked from trust.salesforce.com and available at salesforce.com/company/legal/agreements) or the legal and privacy section of your Salesforce account portal
- Locate the current Data Processing Addendum for the products you subscribe to
- Execute the DPA: it is pre-signed by Salesforce, your organisation countersigns it, and no individual negotiation is normally required for standard Salesforce products
- Archive the fully executed DPA in your compliance records and vendor management file, together with the version of the sub-processor list that applied at signing
Note that the DPA governs only the controller/processor relationship under Art. 28 GDPR. The legal basis for employee personal data that ends up in Salesforce (for example sales representative performance data) is your responsibility as controller and rests on § 26 BDSG in conjunction with Art. 88 GDPR; the DPA does not supply it, so document it separately alongside the Works Council arrangements described below.
EU Data Residency: The Frankfurt Data Center
Salesforce operates data centers in Frankfurt, Germany, as part of its EU infrastructure. For German companies with EU data residency enabled, primary personal data — including CRM records, contact information, and customer interaction history — is stored and processed within the European Economic Area (EEA).
Key points for German companies:
- EU data residency is neither a default setting nor a switch in Setup: it is determined by the region in which your org is provisioned and by what your contract specifies. Confirm at contract time that the org is provisioned in an EU region, note the instance shown under Setup > Company Information, and request written confirmation of the data storage location for that instance
- Metadata and operational data (logs, backup infrastructure, support operations) may still involve data flows outside the EEA — covered by Standard Contractual Clauses in Salesforce’s DPA
- Marketing Cloud has historically maintained separate data residency infrastructure; confirm EU residency scope for Marketing Cloud separately if your organisation uses it
- Service Cloud contact center features and telephony integrations may route data through additional sub-processors — always verify the current sub-processor list before enabling these features
Document the confirmed data residency configuration in your Records of Processing Activities (RoPA) under Art. 30 GDPR.
Standard Contractual Clauses and the EU-US Data Privacy Framework
Salesforce, as a US-headquartered company, processes some data in the United States. The legal framework for these transfers relies on two mechanisms:
Standard Contractual Clauses (SCCs): Salesforce's DPA incorporates the EU SCCs adopted by the European Commission in June 2021 (Implementing Decision (EU) 2021/914). They are the transfer mechanism for recipients not covered by an adequacy decision and serve as the fallback for US transfers should the DPF fall away. Following Schrems II (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, C-311/18), the exporter must also assess whether the law of the destination country undermines the SCCs in practice, which is the purpose of the Transfer Impact Assessment discussed below.
EU-US Data Privacy Framework (DPF): Salesforce is certified under the EU-US Data Privacy Framework, for which the European Commission adopted an adequacy decision on 10 July 2023. The first challenge to that decision, Latombe v Commission (T-553/23), was dismissed by the General Court in September 2025; an appeal to the Court of Justice remains possible, so the DPF should be treated as a mechanism that could still be invalidated, as Safe Harbor and Privacy Shield were. Certification binds participating organisations to the DPF principles and exposes them to enforcement by the US Federal Trade Commission.
For German companies: the two mechanisms together give transatlantic Salesforce transfers a defensible legal basis. Still, record a Transfer Impact Assessment (TIA) for the SCC-based flows (support access, logs, sub-processors outside the EEA) to demonstrate due diligence; the German supervisory authorities (Datenschutzaufsichtsbehörden, for example the LfDI Baden-Württemberg and the BayLDA) continue to scrutinise US cloud services.
BSI C5 Attestation and Other Security Certifications
BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the cloud security criteria catalogue of the German Federal Office for Information Security (BSI). Compliance is demonstrated by an independent auditor's attestation report under ISAE 3000 rather than by a certificate. Salesforce holds a BSI C5 attestation, a significant differentiator for German enterprise procurement, public sector contracts, and regulated industry deployments.
Salesforce’s current certification portfolio relevant to German organisations:
| Certification | Relevance |
|---|---|
| BSI C5 | German cloud security criteria catalogue, evidenced by an ISAE 3000 attestation report (Type 1 or Type 2); expected in many public sector and regulated industry procurements |
| ISO 27001 | International information security management standard — globally recognised |
| SOC 2 Type II | Annual operational security attestation — available under NDA from Salesforce |
| ISO 27017 | Cloud-specific security controls |
| ISO 27018 | Protection of personal data in cloud environments |
Request BSI C5 attestation documentation directly from your Salesforce account team for procurement purposes. Current attestations are valid for specific Salesforce services; verify that the products you are procuring are within the certified scope.
Works Council (Betriebsrat) Considerations
Salesforce deployments frequently trigger co-determination rights under §87(1) No. 6 BetrVG, the Works Constitution Act, because the platform enables technical monitoring of employee behaviour and performance. The Federal Labour Court reads "intended to monitor" objectively: a system that is capable of monitoring triggers co-determination even if monitoring is not its purpose, which is why a standard CRM rollout qualifies.
Specific scenarios where Works Council involvement is required:
- Salesforce Sales Cloud: Pipeline management, activity tracking, call logging, and sales performance dashboards can be used to monitor individual employee performance and productivity
- Salesforce Service Cloud: Call centre queue management, case resolution times, customer satisfaction scores tied to individual agents, and SLA compliance tracking are classic §87 BetrVG use cases
- Salesforce Marketing Cloud: Campaign attribution data and email engagement metrics that can be linked to individual marketing team members
Recommended approach:
- Conduct a pre-deployment assessment of all Salesforce features that could enable employee monitoring
- Engage the Betriebsrat before rollout — not after
- Negotiate a Betriebsvereinbarung (works agreement) that defines permitted uses, data retention, access controls, and employee rights
- Use Salesforce's admin controls (profiles and permission sets, field-level security, report and dashboard folder access, and activity tracking settings) to disable or restrict monitoring features not covered by the Betriebsvereinbarung
- Document the Betriebsvereinbarung in your RoPA
Works Council negotiations for Salesforce CRM deployments are a core part of what we handle at Compound Law. For the full legal framework on employee data monitoring, see our AI employee monitoring compliance guide.
Salesforce Einstein and AI Features: A Separate Compliance Layer
Salesforce Einstein, including Einstein Lead Scoring, Einstein GPT, Conversation Intelligence, and other AI-driven features, introduces GDPR obligations beyond the core CRM platform. Key concerns are Art. 22 GDPR where a feature produces decisions with legal or similarly significant effects for individuals, the DPIA duty under Art. 35 GDPR for large-scale profiling, and EU AI Act obligations: employment-related uses such as evaluating or monitoring staff fall under Annex III (high-risk), and customer-facing AI assistants carry transparency duties under Art. 50 AI Act.
The Salesforce Einstein compliance framework is covered in detail in our dedicated guide. See our Salesforce Einstein GDPR guide before activating AI features in your Salesforce instance. For AI-assisted customer service using Salesforce Service Cloud, also review our AI customer service compliance guide.
Our Assessment
Salesforce is one of the most compliance-mature enterprise CRM platforms available in Germany. The March 2026 DPA update, BSI C5 attestation, Frankfurt data center, and EU-US DPF certification together give German companies a strong legal foundation for Salesforce deployment.
The key compliance risks are not the platform itself, but configuration and process gaps: failing to execute the DPA before going live, deploying Salesforce without Works Council involvement, or activating Einstein AI features without assessing Art. 22 GDPR obligations.
Before going live with Salesforce, complete these steps:
- Execute the Salesforce DPA/AVV and archive a signed copy
- Confirm and document EU data residency configuration in writing
- Review the Salesforce sub-processor list and conduct a Transfer Impact Assessment
- Add Salesforce to your RoPA under Art. 30 GDPR
- Engage your Works Council and negotiate a Betriebsvereinbarung where required
- Assess Einstein AI features separately using our Einstein compliance guide
Contact Compound Law for a Salesforce GDPR readiness assessment tailored to your organisation.
Frequently Asked Questions
Is Salesforce GDPR compliant?
Yes. Salesforce provides a comprehensive Data Processing Addendum (updated March 2026), operates data centers in Frankfurt, holds a BSI C5 attestation and ISO 27001 certification, and is certified under the EU-US Data Privacy Framework. GDPR compliance still requires the controller, your organisation, to execute the DPA, confirm EU data residency, and establish appropriate legal bases for processing before going live.
Does Salesforce have a DPA for Germany?
Yes. Salesforce provides a standard Data Processing Addendum, published with its other legal agreements (linked from trust.salesforce.com) and accessible through the Salesforce contract portal. AVV is simply the German term for the Art. 28 GDPR contract; German law imposes no separate AVV standard on private-sector controllers, so a DPA that meets Art. 28(3) GDPR is sufficient. It is pre-signed by Salesforce, does not require individual negotiation, and can be countersigned online.
Where does Salesforce store data for EU customers?
Salesforce operates data centers in Frankfurt and other EU locations. EU data residency, meaning that primary personal data stays within the EEA, depends on the region in which your org is provisioned; it is fixed at contract time and is not a toggle in Setup. Confirm that your contract specifies an EU region, note the instance shown under Setup > Company Information, and request written confirmation of the data storage scope for that instance.
Is Salesforce BSI C5 certified?
Salesforce holds a BSI C5 attestation for its cloud services. Strictly speaking C5 is not a certification: BSI's Cloud Computing Compliance Criteria Catalogue is attested by an independent auditor in an ISAE 3000 report, which you should obtain from your Salesforce account team and check for the services in scope. C5 is expected in many German public sector contracts and regulated industry deployments.
Do I need to involve the Works Council for Salesforce?
Usually yes, if your Salesforce deployment includes features that enable monitoring of employee performance, behaviour, or productivity. Under §87(1) No. 6 BetrVG, the Works Council has mandatory co-determination rights for technical monitoring systems. Engage the Betriebsrat before rollout and negotiate a Betriebsvereinbarung to govern Salesforce use.
The information on this page is general guidance on Salesforce GDPR compliance and does not constitute legal advice. Your specific situation may require individual legal assessment. Contact Compound Law for tailored Salesforce compliance support.