Book Free Call
HubSpot Breeze AI GDPR compliance for German companies
tools

HubSpot Breeze AI GDPR Compliance: What German Companies Must Know

HubSpot Breeze AI can be used in a GDPR-compliant manner, but only if specific conditions are met. HubSpot’s Data Processing Agreement (DPA) covers Breeze AI processing, but German companies must separately verify AI sub-processor coverage, assess automated decision-making implications under Article 22 GDPR, establish a lawful basis for data enrichment via Breeze Intelligence, and update their records of processing before enabling Breeze AI features in production environments.

Is HubSpot Breeze AI GDPR-Compliant?

HubSpot Breeze AI is HubSpot’s suite of artificial intelligence features launched in 2024, comprising:

  • Breeze Copilot — conversational AI assistant with access to your full CRM data
  • Breeze Agents — autonomous AI agents for sales outreach, marketing campaigns, and lead follow-up
  • Content AI — AI-generated emails, blog content, and social copy using customer data
  • Breeze Intelligence — contact enrichment with third-party firmographic and demographic data

From a GDPR perspective, Breeze AI introduces three distinct compliance challenges beyond HubSpot’s standard CRM processing:

  1. AI data flows: Breeze Copilot and other AI features send CRM data to HubSpot’s AI processing infrastructure, which may differ from the EU data residency settings for standard CRM storage.
  2. Automated decision-making: Breeze Agents and predictive lead scoring can constitute solely automated decisions under Article 22 GDPR.
  3. Third-party data enrichment: Breeze Intelligence pulls external data to enrich contact profiles — a separate processing activity requiring its own lawful basis.

Note that several Breeze AI features are increasingly enabled by default in HubSpot accounts. German companies should audit their HubSpot settings to confirm that AI features are only active where a proper legal basis exists.

Breeze Copilot and Data Privacy

Breeze Copilot is an AI assistant embedded within HubSpot that can access and surface CRM data — including contact records, deal information, email history, and company data. When you interact with Breeze Copilot, your prompts and the CRM data it retrieves may be processed by HubSpot’s AI infrastructure, potentially involving third-party AI model providers.

Key data privacy questions for German companies:

  • AI sub-processors: HubSpot uses third-party AI model providers to power Breeze features. These providers appear on HubSpot’s sub-processor list at trust.hubspot.com. Verify which AI sub-processors are involved and whether they are located outside the EU.
  • EU data residency and AI processing: HubSpot’s EU data residency option covers storage of contact and CRM data in EU-based AWS data centers. However, AI inference — running Breeze Copilot queries and generating AI responses — may be processed on HubSpot’s US-based AI infrastructure regardless of your residency settings. Review HubSpot’s current documentation for explicit confirmation of where AI processing occurs.
  • Data minimization: Breeze Copilot has access to your full CRM context by default. Apply HubSpot’s permission settings to limit which data categories and objects are accessible to AI features.

Automated Decisions Under Article 22 GDPR

Article 22 GDPR grants individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects. HubSpot’s Breeze Agents — autonomous AI agents designed to handle sales outreach, prospecting, and customer engagement — can trigger this provision depending on how they are configured.

Scenarios that require Article 22 analysis:

  • Predictive lead scoring that determines whether and how quickly sales reps follow up with specific contacts
  • Breeze prospecting agents that autonomously decide which contacts to target and initiate outreach
  • Automated deal prioritization that influences commercial opportunities individuals receive

For each Breeze AI feature that makes decisions about individuals, German companies must:

  1. Determine whether the decision produces a legal or similarly significant effect on the individual
  2. Establish a valid lawful basis for automated processing (consent, contract necessity, or EU/Member State law under Article 22(2))
  3. Implement human oversight mechanisms — a human must be able to review and override AI-driven decisions
  4. Inform affected individuals in your privacy notice about the logic, significance, and potential consequences of automated processing

Deploying Breeze Agents for customer-facing tasks typically constitutes high-risk processing under Article 35 GDPR, making a Data Protection Impact Assessment (DPIA) mandatory before go-live. See our AI employee monitoring compliance guide for related automated decision-making obligations.

Breeze Intelligence Data Enrichment — Lawful Basis

Breeze Intelligence (formerly powered by Clearbit, acquired by HubSpot) automatically enriches your CRM contacts with data pulled from third-party sources: company size, industry, revenue, LinkedIn profiles, and other firmographic or demographic attributes.

This data enrichment is a separate GDPR processing activity because the data is not collected directly from the individual — it originates from third-party data brokers and publishers. Individuals may have no awareness their profiles are being enriched.

For Breeze Intelligence enrichment to be lawful under GDPR:

  • Document a lawful basis: Legitimate interest is commonly used, but requires a Legitimate Interest Assessment (LIA) documenting that enrichment is necessary, proportionate, and that individual privacy interests do not override the business purpose.
  • Update your privacy notice: Disclose the data enrichment in your privacy policy, identify the categories of data involved, and explain how individuals can object or request deletion.
  • Verify data sources: HubSpot’s enrichment data sources should themselves provide GDPR-compliant data acquisition and adequate transfer mechanisms for EU-US flows.
  • Apply data minimization: Only enable enrichment fields that are genuinely necessary for your business purposes. Enriching every contact with all available attributes without a clear purpose creates unnecessary GDPR exposure.

What German Companies Need to Check Before Enabling Breeze AI

Before activating Breeze AI features in HubSpot, complete this compliance checklist:

  • Review the sub-processor list at trust.hubspot.com — identify AI-specific sub-processors, their locations, and confirm that Standard Contractual Clauses (SCCs) are in place for any US-based AI processors
  • Confirm DPA coverage — verify HubSpot’s current DPA explicitly covers Breeze AI processing activities and all associated sub-processors
  • Conduct a DPIA — systematic profiling (lead scoring, contact enrichment, automated outreach via Breeze Agents) is high-risk processing under Article 35 GDPR; document the DPIA before enabling these features at scale
  • Update privacy notices — disclose AI-powered processing, the logic behind automated decisions, and data subjects’ rights to object or request human review
  • Configure AI permissions — use HubSpot’s permission and feature settings to limit Breeze Copilot and Breeze Agents to only the data and functions they require
  • Implement opt-out / human review — where Article 22 GDPR applies, ensure individuals can request human review of automated decisions affecting them
  • Involve the works council (Betriebsrat) — if Breeze AI features assess, score, or monitor employee behavior (e.g., sales rep activity logging, conversation intelligence), co-determination rights under §87(1) No. 6 BetrVG are triggered

Does HubSpot’s Standard DPA Cover Breeze AI Features?

HubSpot’s standard Data Processing Agreement applies to HubSpot’s processing of personal data on your behalf, including processing through Breeze AI features. However, several specific considerations apply:

  • Sub-processor updates: As Breeze AI matures, HubSpot may add AI-specific sub-processors. HubSpot is obligated to notify customers of sub-processor changes. Monitor trust.hubspot.com and ensure your internal records reflect the current sub-processor list.
  • Scope of the DPA: The DPA covers HubSpot as your data processor. For Breeze Intelligence enrichment, the DPA applies to HubSpot’s enrichment services — but the third-party data sources underlying enrichment are separate entities. Review whether those data sources operate under adequate GDPR transfer mechanisms.
  • Default-on features: Some Breeze features activate by default when HubSpot updates your account. Review HubSpot’s feature release notes and account settings periodically to ensure AI processing only occurs where you have a documented legal basis.

For HubSpot GDPR compliance beyond Breeze AI — including the AVV setup, EU data residency, Standard Contractual Clauses, and Betriebsrat obligations — see our comprehensive HubSpot GDPR and AVV guide.

Compound Law can review your HubSpot DPA and Breeze AI configuration for GDPR compliance, conduct DPIA assessments, and advise on Article 22 opt-out obligations. See our compliance services for details.

Frequently Asked Questions

Is HubSpot Breeze AI GDPR-compliant?

HubSpot Breeze AI can be used in a GDPR-compliant manner when HubSpot’s DPA is in place, AI-specific sub-processors are verified at trust.hubspot.com, privacy notices are updated to disclose AI processing, and automated decision-making obligations under Article 22 GDPR are addressed. Breeze AI introduces new compliance obligations — particularly for Breeze Agents (automated decisions) and Breeze Intelligence (data enrichment) — that go beyond HubSpot’s standard CRM compliance setup.

Does HubSpot store AI-processed data in the EU?

HubSpot’s EU data residency option covers CRM data storage. However, AI inference and processing through Breeze features may use HubSpot’s AI infrastructure, which can be hosted in the US regardless of your data residency settings. Review HubSpot’s current documentation and the sub-processor list at trust.hubspot.com to confirm where AI-processed data is handled for each Breeze feature.

Do I need to update my AVV if I enable HubSpot Breeze AI?

You should review your existing HubSpot DPA (Auftragsverarbeitungsvertrag) to confirm it covers Breeze AI processing and any new AI-specific sub-processors. If HubSpot has added AI sub-processors since you last reviewed the DPA, acknowledge the updated sub-processor list, update your records of processing activities under Article 30 GDPR, and revise your privacy notices to disclose AI-powered processing activities.

Related Tool Guides

AI tools for lawyers Germany BRAO GDPR professional secrecy compliance
tools

AI APIs for Law Firms in Germany — BRAO Compliance, GDPR & Professional.

Can lawyers in Germany use AI tools like Claude or ChatGPT? BRAO §43a, GDPR Art. 28, and BRAK guidance explained — with a 7-point compliance checklist.
Make.com DPA and GDPR compliance for German companies
tools

Make.com DPA: Does Make Have a Data Processing Agreement? (GDPR Guide)

Make.com offers a DPA for paid plan customers. What German companies must verify for GDPR compliance — EU data residency, sub-processors, and BetrVG.
Zapier GDPR Germany — DPA, data transfers, and workflow compliance for German companies
tools

Is Zapier GDPR Compliant? DPA, EU Data Residency & Guide for German.

Is Zapier GDPR compliant? Full guide on Zapier DPA, EU data residency, SCCs, and data transfer compliance for German businesses.
Claude GDPR compliance review — legal basis, DPA, and data protection measures for companies in Germany
tools

Claude GDPR Compliance: A Legal Framework for Businesses in Germany

Is Claude GDPR compliant? Legal basis, DPA, DPIA triggers, TOMs, and a practical compliance checklist for companies deploying Claude in Germany.
Airtable GDPR compliance guide for German companies
tools

Airtable and GDPR: DPA, Data Residency, and Compliance for German Companies

Airtable is GDPR-compliant on Enterprise plans with a signed DPA. Here is what German businesses must check before using Airtable for personal data.
Asana GDPR compliance guide for German companies
tools

Asana and GDPR: DPA, EU Data Residency, and Compliance for German Companies

Asana offers a DPA on all paid plans and EU data residency on Enterprise. Here is what German businesses must verify before using Asana for personal data.

Browse More AI Tools

Frequently asked questions

Is HubSpot Breeze AI GDPR-compliant?

HubSpot Breeze AI can be used in a GDPR-compliant manner when HubSpot's DPA is in place, AI-specific sub-processors are verified at trust.hubspot.com, privacy notices are updated to disclose AI processing, and automated decision-making obligations under Article 22 GDPR are addressed. Breeze AI introduces new compliance obligations — particularly for Breeze Agents (automated decisions) and Breeze Intelligence (data enrichment) — that go beyond HubSpot's standard CRM compliance setup.

Does HubSpot store AI-processed data in the EU?

HubSpot's EU data residency option covers CRM data storage. However, AI inference and processing through Breeze features may use HubSpot's AI infrastructure, which can be hosted in the US regardless of your data residency settings. Review HubSpot's current documentation and the sub-processor list at trust.hubspot.com to confirm where AI-processed data is handled for each Breeze feature.

Do I need to update my AVV if I enable HubSpot Breeze AI?

You should review your existing HubSpot DPA (Auftragsverarbeitungsvertrag) to confirm it covers Breeze AI processing and any new AI-specific sub-processors. If HubSpot has added AI sub-processors since you last reviewed the DPA, acknowledge the updated sub-processor list, update your records of processing activities under Article 30 GDPR, and revise your privacy notices to disclose AI-powered processing activities.

Book Free Call