GDPR Lawsuit Against Oracle and Salesforce

A series of lawsuits have been filed against Salesforce and Oracle, by a non-profit organization named The Privacy Collective and Rebecca Rumbul, privacy campaigner and data protection specialist which claims that the two giant companies illegally processed personal data collected in cookies.

The violation is quite serious, the companies are accused of collecting and storing personal information of users without a clearly expressed consent, to carry out sales actions via harmful ads.

The organization claims that Salesforce and Oracle use cookies illegally to monitor and collect personal data of consumers on several well-known websites such as Amazon,, Dropbox etc.

The lawsuit filed in Netherlands, UK and Wales could cause damages of up to $19.5 billion to the companies. Rebecca Rumbul: “I am tired of tech giants behaving as if they are above the law. It is time to take a stand and demonstrate that these companies cannot unlawfully and indiscriminately hoover up my personal data with impunity. The internet is not optional anymore, and I should be able to use it without big tech tracking me without my consent.’’

Oracle has rejected the lawsuit, claiming that it has no direct role in the real-time bidding process and has a ‘’comprehensive GDPR compliance program’’. Similarly, “Salesforce disagrees with the allegations and intends to demonstrate they are without merit.”

The outcome of the lawsuit is expected in 2021.

How to avoid GDPR fines

1.Know your data 

What types of personal data do you collect and store?

How many people are you collecting data from?

Are there any “special categories” of data involved?

Do you transfer them out of the EEA?

All these questions help comprise the risk associated with customer data. The higher the risk you impose on customers, the greater the security you will need to provide in order to satisfy a Data Protection Authority if something goes wrong or if you get audited.

2.Know your security 

If you experience a data breach, you must report it. And if, under inspection, your security software is not up-to-date, or if you don’t use simple tools like anti-malware software, firewalls, and SSL certificates around your web forms, then you’ll probably be liable for a fine.

The same goes for access controls – if you give everyone in your company access to customers’ personal data, regardless of whether they need it for their job, you will be setting yourself up for a fine.

3.Get audit-ready

You need to be prepared for an audit or investigation if a data breach does happen. That means having the appropriate policies and procedures in place well before the breach occurs.

Some policies and procedures include a data breach response protocol, a broad data protection policy, and training courses around cybersecurity and data protection for any employees that have access to personal data.

Finally, make sure you document your personal data in a personal data inventory, describing the types of data your company collects, where it’s stored, how long it’s kept, who has access to it, how it’s deleted, and to whom it’s transferred.


Need help? Get in touch to find out more.