US CRM might be illegal for most European companies

Privacybunker.IO Founder

An open-source developer that helps companies and startups to solve data security and privacy challenges.

Let’s start with the bad news for many European companies. If you use Hubspot CRM, you might break the law. If you use other US CRM, you might break the law. If you use Indian CRM, you might break the law.

On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.

Why Schrems-II compliance so important?

Data exporters are liable to personal data when performing a cross-border transfer. The Data exporter is your company - a CRM service customer.

Data exporters need to implement supplemental technical measures to prevent governmental authorities from identifying individuals pertaining to the data in the target countries. In the case of CRM, it is not possible. You need to save customer details in cleartext.

Alternatively, you might get explicit consent from your customers for their personal data to be processed in the US. It is called Standard Contractual Clauses (SCCs).

Suppose, you hire someone to collect marketing leads for you. You have the list now. Now, you need to contact each guy asking for his consent for his details to be saved in the USA (i.e. Hubspot).

I am sure, no one is going to do it. No one will bother his potential customers asking for their consent that their personal data will be saved out of European Union.

For the companies using landing pages to collect leads

If landing pages are your only method to collect prospects, you win. You can add a checkbox on your landing pages asking for your customer’s consent for his details to be processed by US companies. It must not be pre-checked. Otherwise, you break another GDPR rule ;-).

List of European SaaS providers.

At Privacybunker website we maintain a list of European SaaS companies you can work with:

Free takeaway

You can easily check your websites for GDPR violations now.

You have 40 minutes to sign up for free!

No credit card is required.


Get a full GDPR compliance report for your website.

  1. No credit card is required. View report example.
  2. No need to modify the website or install anything.
  3. It is safe and non intrusive check.