Depending on where you live, you may have rights to see, correct, delete, or transfer your personal data, object to how it is processed, and appeal if Salesforce declines your request.
This analysis describes what Salesforce's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These rights are meaningful but are qualified by the phrase 'subject to local data protection laws,' meaning the rights you actually have depend on your jurisdiction. EU and California residents have the broadest statutory rights.
Interpretive note: The specific rights available to any individual user are conditional on their jurisdiction, and the document does not specify which rights apply in which regions beyond referencing 'local data protection laws,' requiring users to independently assess their statutory entitlements.
Salesforce acknowledges a comprehensive list of data subject rights, but which rights apply to you depends on your location. EU, UK, and California residents have the strongest legal basis to enforce rights including deletion, portability, and objection to automated profiling. You can submit requests via the privacy form or by email at privacy@salesforce.com.
Cross-platform context
See how other platforms handle Data Subject Rights Framework and similar clauses.
Compare across platforms →Monitoring
Salesforce has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws, these rights may include the right to: Access your Personal Data held by us; Know more about how we process your Personal Data; Rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete; Erase or delete your Personal Data; Restrict our processing of your Personal Data; Transfer your Personal Data to another controller (data portability), to the extent possible; Object to any processing of your Personal Data; Opt out of certain disclosures of your Personal Data to third parties; Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("automated decision-making"); Withdraw your consent at any time (to the extent we rely on consent as our legal basis for processing); Complain about the use of your Personal Data; Not be discriminated against for exercising your rights as described above; and Appeal our refusal to act upon your request to exercise a right relating to your Personal Data by following the steps provided in response to your inquiry.— Excerpt from Salesforce's Salesforce Privacy Statement
REGULATORY LANDSCAPE: This provision reflects the data subject rights framework under GDPR Articles 15 through 22, the CCPA and CPRA rights regime applicable to California residents, and equivalent frameworks under UK GDPR and various other national privacy laws. The right to appeal a refusal reflects both GDPR's requirement to provide reasoning for refusals and CPRA's appeals requirement. The anti-discrimination right mirrors CCPA's prohibition on penalizing consumers for exercising privacy rights. GOVERNANCE EXPOSURE: Medium. The breadth of rights listed is largely a reflection of statutory obligations rather than voluntary commitments, but operationalizing these rights requires robust intake, verification, and response processes. Failure to respond to access or deletion requests within statutory timeframes (30 days under CCPA with one 45-day extension, one month under GDPR with up to two-month extension) creates direct regulatory risk. JURISDICTION FLAGS: EU and UK residents have the most comprehensive and directly enforceable rights, with supervisory authority complaint mechanisms available. California residents have CCPA and CPRA rights enforceable by the California Privacy Protection Agency and the California AG. Residents in other US states with comprehensive privacy laws (Virginia, Colorado, Texas, among others) have varying rights that may overlap with those listed. The appeals right is specifically required under CPRA and several other US state privacy laws. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should assess whether their use of Salesforce services creates obligations on Salesforce as a processor to assist with data subject requests directed to the enterprise customer. The DPA governs this obligation in the processor context; this Privacy Statement governs Salesforce's own controller-capacity obligations. COMPLIANCE CONSIDERATIONS: Organizations that are enterprise customers should review their DPA with Salesforce to confirm the data subject request assistance provisions and response timelines. Salesforce's own rights intake process via the web form and email should be tested periodically to confirm response timelines and verification procedures meet statutory requirements. Records of requests received and responses provided should be maintained for regulatory audit purposes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These rights are meaningful but are qualified by the phrase 'subject to local data protection laws,' meaning the rights you actually have depend on your jurisdiction. EU and California residents have the broadest statutory rights.
Salesforce acknowledges a comprehensive list of data subject rights, but which rights apply to you depends on your location. EU, UK, and California residents have the strongest legal basis to enforce rights including deletion, portability, and objection to automated profiling. You can submit requests via the privacy form or by email at privacy@salesforce.com.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Salesforce.