HubSpot GDPR compliance for German businesses using CRM and marketing tools

Is HubSpot GDPR Compliant? DPA, SCCs, and Works Council Risks

Is HubSpot GDPR compliant for German businesses?

Yes, HubSpot can be used in a GDPR-compliant way, but not by default. German businesses need a signed DPA acting as an AVV, a review of SCC-based transfers and EU data hosting limits, valid legal bases for CRM and marketing use, and often a works council review for employee-related features.

  • Sign HubSpot's DPA and document the processor relationship in your Article 30 records of processing activities.
  • Review EU data hosting, subprocessors, and SCC-backed transfers for any data flows touching the US or other third countries.
  • Assess email tracking, call analysis, and user activity reporting for co-determination rights under §87(1) No. 6 BetrVG.

Yes, HubSpot can be used in a GDPR-compliant way, but only with a DPA, transfer review, appropriate configuration, and often works council alignment. For German businesses, the real question is not whether HubSpot is generically “allowed”, but whether CRM, marketing, and tracking features are deployed in a way that fits GDPR, SCCs, EU data hosting, and Betriebsrat requirements.

Quick buyer check

  • Is the Data Processing Agreement (DPA/AVV) signed and internally approved?
  • Have third-country transfers been assessed under SCCs and your internal transfer process?
  • Is it clear which HubSpot data can stay in the EU and which support or infrastructure paths remain global?
  • Do tracking, reporting, or call features trigger works council rights in Germany?

If you are specifically evaluating HubSpot Breeze AI or other AI features, use our dedicated guide on HubSpot Breeze AI GDPR compliance. This page is intentionally focused on the base HubSpot CRM and marketing compliance question.

This article provides general information only and does not replace legal advice for your specific implementation. For the processor-contract layer, see also our guide to the Data Processing Agreement / AVV.

Is HubSpot GDPR compliant?

HubSpot is not automatically GDPR compliant, but it can be used lawfully. Your company remains the controller deciding why and how personal data is processed, while HubSpot typically acts as a processor for many product functions.

For German businesses, that means:

  • the DPA/AVV must be in place before live use
  • legal bases for CRM storage, email communication, cookies, and lead capture should be assessed separately
  • international transfers should be documented under SCCs and your broader transfer assessment
  • the actual setup should match data minimization, retention, access control, and where relevant works council requirements

HubSpot’s own GDPR materials make the same basic point: the platform can support compliant workflows, but it does not make a customer’s deployment compliant by itself.

What DPA does HubSpot provide?

HubSpot provides a Data Processing Agreement that functions as the Article 28 GDPR processor agreement, commonly referred to in Germany as the AVV. In its DPA, HubSpot addresses the processing of customer personal data and incorporates the EU Standard Contractual Clauses for relevant third-country transfers.

When reviewing the DPA, focus on more than document existence:

  1. Product scope: Are the actual hubs, add-ons, and integrations you use included?
  2. Subprocessors: Which downstream providers are involved, and in which regions?
  3. Transfer structure: Which SCC modules apply to your controller/processor relationship?
  4. Security and deletion: Are the TOMs, incident commitments, and deletion mechanics adequate for your use case?

HubSpot’s published DPA states that, depending on the role setup, Module 2 or Module 3 SCC terms apply to customer personal data. That distinction matters where your organization is operating within a processor chain.

Where does HubSpot store personal data?

HubSpot promotes EU data hosting and launched an EU data center on July 19, 2021. That is helpful for German businesses, but it should not be read as a blanket “EU only” conclusion.

In practice:

  • some product data can be hosted in the EU
  • not every data flow will remain exclusively in the EU
  • support, security, or group-company access may still create global processing touchpoints
  • subprocessors and connected tools may add further third-country transfers

That is why legal, procurement, and IT teams should review the real data architecture rather than relying on a single “EU hosting” label. Comparable questions also arise with tools such as Salesforce Einstein and Zapier, especially where integrations extend the vendor chain.

What privacy risks remain even with a signed DPA?

A signed DPA solves the contract layer only. The common residual risks sit in the way HubSpot is used.

HubSpot deployments often combine lead capture, newsletter handling, sales communication, website tracking, and internal CRM notes. Those activities do not all rest on the same legal basis. HubSpot’s own GDPR guidance distinguishes between the basis for processing/storing data and the basis for communicating with contacts.

Data minimization and deletion

Many HubSpot environments expand over time. Old contacts, marketing lists, notes, and tracking records then remain longer than necessary. For German businesses, this is often a governance issue more than a software issue: fields, retention rules, exports, and user roles need deliberate control.

International transfers

Even where SCCs are incorporated into HubSpot’s DPA, controllers still need their own view of what data goes where, who can access it, and whether supplementary measures are appropriate in light of post-Schrems II expectations.

Employee data and performance visibility

Once HubSpot is used for sales management, email tracking, call analysis, or activity reporting, the review shifts beyond customer data and into employee data. In Germany, that often triggers employment-law and co-determination analysis alongside GDPR review.

When is the standard review no longer enough?

The baseline review of DPA, SCCs, privacy notice, and records of processing is often not enough where:

  • special-category or high-volume personal data is processed in HubSpot
  • the deployment sits in highly regulated sectors such as healthcare, finance, or the public sector
  • HubSpot is used for employee monitoring, sales performance measurement, or call review
  • Breeze AI or similar AI functions are activated with separate data-flow and transparency questions
  • it is unclear whether a DPIA under Article 35 GDPR is required

At that point, the review should deepen into data-flow mapping, transfer analysis, permissions design, deletion logic, Article 30 documentation, and coordinated rollout across privacy, HR, IT, and works council stakeholders.

HubSpot GDPR checklist for German businesses

Use this as a procurement and rollout checklist, not just a marketing recap:

  • DPA signed: HubSpot’s DPA approved, accepted, and stored in version-controlled vendor records.
  • Product scope defined: Clear inventory of hubs, add-ons, and integrations in use.
  • Data categories mapped: Customer, prospect, employee, and tracking data separated in your review.
  • Legal bases documented: Storage, communications, cookies, and automation assessed individually.
  • EU data hosting checked: Reviewed against actual product limits and data paths, not only feature labels.
  • SCC transfer review documented: US or other third-country transfers captured in your privacy process.
  • Subprocessors reviewed: Current list checked and aligned with vendor-management expectations.
  • Article 30 records updated: HubSpot added to your records of processing activities.
  • Privacy notices updated: Website, customer, applicant, or employee notices aligned to real use.
  • Retention rules set: Contacts, logs, exports, and lists have defined deletion logic.
  • Access model reviewed: Only necessary teams can access personal data and exports.
  • Works council assessed: Tracking, reporting, and activity features screened for co-determination.
  • Works agreement prepared: Where employee data is involved, consultation addressed before rollout.
  • DPIA threshold reviewed: Article 35 GDPR analysis documented where the use case is higher risk.
  • AI reviewed separately: For Breeze AI, continue with the dedicated HubSpot Breeze AI GDPR guide.

HubSpot is usable for many German businesses, but GDPR compliance has to be actively built. A DPA alone is not enough. The decisive issues are the real data flows, the split between CRM and marketing legal bases, the transfer assessment, the meaning of EU data hosting in practice, and the role of the works council once employee-related features are enabled.

Compound Law advises businesses across Germany and the DACH region on compliance and privacy questions as well as vendor contract, transfer, and works council reviews. For a concrete assessment, you can also book a call.


Frequently asked questions

Is HubSpot GDPR compliant for use in Germany?

HubSpot can be used in a GDPR-compliant manner if the DPA is in place, transfers are properly assessed, your legal bases and privacy notices match the real use case, and the concrete configuration is reviewed under German employment and data protection rules. The platform does not make your use automatically compliant.

Does HubSpot provide a DPA / AVV?

Yes. HubSpot provides a Data Processing Agreement that functions as the Article 28 GDPR processor agreement, commonly called an AVV in Germany. You should still confirm that the actual products, subprocessors, integrations, and transfer mechanisms used in your setup are covered.

Does HubSpot store data only in the EU?

HubSpot offers EU data hosting for certain data, but depending on product scope, support access, and subprocessor chains, some data flows may still involve processing outside the EU. The right question is not only where data is stored, but also how it is accessed, transferred, and supported.

Does HubSpot trigger works council rights in Germany?

Often yes. If HubSpot allows employee activity, performance, email tracking, call data, or usage logs to be monitored, co-determination rights under German works council law are commonly triggered. A works agreement or comparable consultation should be addressed before rollout.
