US CRM might be illegal for most European companies

Privacybunker.IO Founder

An open-source developer who helps companies and startups solve data security and privacy challenges.

Let’s start with the bad news for many European companies. If you use HubSpot CRM, you might be breaking the law. If you use any other US CRM, you might be breaking the law. If you use an Indian CRM, you might be breaking the law.

On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in Data Protection Commissioner v Facebook Ireland and Schrems (the “Schrems II” case). That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies relied to conduct trans-Atlantic trade in compliance with EU data protection rules.

Why is Schrems II compliance so important?

Data exporters are liable for the personal data they send abroad when performing a cross-border transfer. The data exporter is your company, the CRM service customer, not the CRM vendor.

After Schrems II, data exporters need to implement supplementary technical measures so that governmental authorities in the destination country cannot identify the individuals behind the data (for example, encrypting it with keys that the importer never holds). In the case of a CRM, that is not possible: the whole point of the tool is that customer details are stored and searchable in cleartext on the provider’s side.

Alternatively, you might rely on explicit consent from your customers for their personal data to be transferred to the US. Note that this is a separate legal basis (the derogation in Article 49(1)(a) GDPR) and not the same thing as Standard Contractual Clauses (SCCs): SCCs are a contract between you, the exporter, and the CRM vendor, the importer, and after Schrems II they only work when backed by the supplementary measures described above.

Suppose you hire someone to collect marketing leads for you. You have the list now. Next, you need to contact each person and ask for their consent for their details to be saved in the USA (i.e. in HubSpot).

I am sure no one is going to do that. No one will bother their potential customers with a request to consent to their personal data being stored outside the European Union.

For the companies using landing pages to collect leads

If landing pages are your only method of collecting prospects, you win. You can add a checkbox to your landing pages asking for the visitor’s consent for their details to be processed by US companies. It must not be pre-checked: a pre-ticked box is not valid consent, so otherwise you break another GDPR rule ;-). Keep a record of when each person consented and what text they agreed to, because you, the exporter, are the one who has to demonstrate it.

List of European SaaS providers

On the Privacybunker website we maintain a list of European SaaS companies you can work with:
