Let’s start with the bad news for many European companies. If you use HubSpot CRM, you might break the law. If you use another US CRM, you might break the law. If you use an Indian CRM, you might break the law.
On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.
Data exporters are liable for personal data when performing a cross-border transfer. The data exporter is your company, the customer of the CRM service.
Data exporters need to implement supplemental technical measures to prevent governmental authorities in the target countries from identifying the individuals the data pertains to. In the case of a CRM, this is not possible: you need to save customer details in cleartext.
Alternatively, you might get explicit consent from your customers for their personal data to be processed in the US. It is called Standard Contractual Clauses (SCCs).
Suppose you hire someone to collect marketing leads for you. You now have the list, and you need to contact each person on it to ask for consent to have their details saved in the USA (i.e. HubSpot).
I am sure no one is going to do it. No one will bother their potential customers by asking for consent to have their personal data saved outside the European Union.
If landing pages are your only method to collect prospects, you win. You can add a checkbox on your landing pages asking for your customer’s consent for his details to be processed by US companies. It must not be pre-checked. Otherwise, you break another GDPR rule ;-).
On the Privacybunker website, we maintain a list of European SaaS companies you can work with: https://privacybunker.io/blog/european-cloud-saas-vendors/.