In this article, I will review the legal implications for European companies of storing user data with cloud CRM vendors like Salesforce and HubSpot.
On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.
Data exporters are liable for personal data when performing a cross-border transfer. The data exporter is your company, the CRM service customer.
Data exporters need to implement supplemental technical measures to prevent governmental authorities in the target countries from identifying the individuals the data pertains to. In the case of a CRM, this is not possible: you need to save customer details in cleartext.
For that, you must get explicit consent from your customers for their personal data to be processed in the USA. You can also use Standard Contractual Clauses (SCCs).
Sometimes, you cannot get explicit consent.
Suppose you hire someone to collect marketing leads for you and you get the list of contacts. Now you need to reach out to each guy, asking for his consent for his details to be saved in the USA (i.e. HubSpot). It is not feasible.
I am sure no one is going to do it. No one will bother their potential customers by asking for their consent.
The solution here is quite simple: stick with European vendors. You are better off picking one of the European CRM companies, or using an open-source CRM and hosting the personal data in Europe. Here is a list of vendors: https://privacybunker.io/blog/european-cloud-saas-vendors/
If landing pages are your only method to collect prospects, you win. You can add a checkbox on your landing pages asking for your customer’s consent for his details to be processed by USA companies. It must not be pre-checked. Otherwise, you break another GDPR rule ;-).