HubSpot privacy and GDPR compliance for German businesses
tools

HubSpot Privacy in Germany: GDPR, DPA, and Works Council Risks

How does HubSpot privacy compliance work in Germany?

HubSpot can be used in a GDPR-compliant way in Germany, but not by default. German businesses need a signed DPA acting as an AVV, a review of SCC-based transfers and EU data hosting limits, valid legal bases for CRM and marketing use, and often a works council review for employee-related features.

  • Sign HubSpot's DPA and document the processor relationship in your Article 30 records of processing activities.
  • Review EU data hosting, subprocessors, and SCC-backed transfers for any data flows touching the US or other third countries.
  • Assess email tracking, call analysis, and user activity reporting for co-determination rights under §87(1) No. 6 BetrVG.

HubSpot privacy compliance in Germany is possible, but only with a DPA, transfer review, appropriate configuration, and often works council alignment. For German businesses, the real question is not whether HubSpot is generically “allowed”, but whether CRM, marketing, and tracking features are deployed in a way that fits GDPR, SCCs, EU data hosting, and Betriebsrat requirements.

Quick buyer check

  • Is the Data Processing Agreement (DPA/AVV) signed and internally approved?
  • Have third-country transfers been assessed under SCCs and your internal transfer process?
  • Is it clear which HubSpot data can stay in the EU and which support or infrastructure paths remain global?
  • Do tracking, reporting, or call features trigger works council rights in Germany?

If you are specifically evaluating HubSpot Breeze AI or other AI features, use our dedicated guide on HubSpot Breeze AI GDPR compliance. This page is intentionally focused on the base HubSpot CRM and marketing compliance question.

This article provides general information only and does not replace legal advice for your specific implementation. For the processor-contract layer, see also our guide to the Data Processing Agreement / AVV.

HubSpot privacy in Germany: is HubSpot GDPR compliant?

HubSpot is not automatically GDPR compliant, but it can be used lawfully. Your company remains the controller deciding why and how personal data is processed, while HubSpot typically acts as a processor for many product functions.

For German businesses, that means:

  • the DPA/AVV must be in place before live use
  • legal bases for CRM storage, email communication, cookies, and lead capture should be assessed separately
  • international transfers should be documented under SCCs and your broader transfer assessment
  • the actual setup should match data minimization, retention, access control, and where relevant works council requirements

HubSpot’s own GDPR materials make the same basic point: the platform can support compliant workflows, but it does not make a customer’s deployment compliant by itself.

What DPA does HubSpot provide?

HubSpot provides a Data Processing Agreement that functions as the Article 28 GDPR processor agreement, commonly referred to in Germany as the AVV. In its DPA, HubSpot addresses the processing of customer personal data and incorporates the EU Standard Contractual Clauses for relevant third-country transfers.

When reviewing the DPA, focus on more than document existence:

  1. Product scope: Are the actual hubs, add-ons, and integrations you use included?
  2. Subprocessors: Which downstream providers are involved, and in which regions?
  3. Transfer structure: Which SCC modules apply to your controller/processor relationship?
  4. Security and deletion: Are the TOMs, incident commitments, and deletion mechanics adequate for your use case?

HubSpot’s published DPA states that, depending on the role setup, Module 2 or Module 3 SCC terms apply to customer personal data. That distinction matters where your organization is operating within a processor chain.

Where does HubSpot store personal data?

HubSpot promotes EU data hosting and launched an EU data center on July 19, 2021. That is helpful for German businesses, but it should not be read as a blanket “EU only” conclusion.

In practice:

  • some product data can be hosted in the EU
  • not every data flow will remain exclusively in the EU
  • support, security, or group-company access may still create global processing touchpoints
  • subprocessors and connected tools may add further third-country transfers

That is why legal, procurement, and IT teams should review the real data architecture rather than relying on a single “EU hosting” label. Comparable questions also arise with tools such as Salesforce Einstein and Zapier, especially where integrations extend the vendor chain.

What privacy risks remain even with a signed DPA?

A signed DPA solves the contract layer only. The common residual risks sit in the way HubSpot is used.

HubSpot deployments often combine lead capture, newsletter handling, sales communication, website tracking, and internal CRM notes. Those activities do not all rest on the same legal basis. HubSpot’s own GDPR guidance distinguishes between the basis for processing/storing data and the basis for communicating with contacts.

Data minimization and deletion

Many HubSpot environments expand over time. Old contacts, marketing lists, notes, and tracking records then remain longer than necessary. For German businesses, this is often a governance issue more than a software issue: fields, retention rules, exports, and user roles need deliberate control.

International transfers

Even where SCCs are incorporated into HubSpot’s DPA, controllers still need their own view of what data goes where, who can access it, and whether supplementary measures are appropriate in light of post-Schrems II expectations.

Employee data and performance visibility

Once HubSpot is used for sales management, email tracking, call analysis, or activity reporting, the review shifts beyond customer data and into employee data. In Germany, that often triggers employment-law and co-determination analysis alongside GDPR review.

When is the standard review no longer enough?

The baseline review of DPA, SCCs, privacy notice, and records of processing is often not enough where:

  • special-category or high-volume personal data is processed in HubSpot
  • the deployment sits in highly regulated sectors such as healthcare, finance, or the public sector
  • HubSpot is used for employee monitoring, sales performance measurement, or call review
  • Breeze AI or similar AI functions are activated with separate data-flow and transparency questions
  • it is unclear whether a DPIA under Article 35 GDPR is required

At that point, the review should deepen into data-flow mapping, transfer analysis, permissions design, deletion logic, Article 30 documentation, and coordinated rollout across privacy, HR, IT, and works council stakeholders.

HubSpot privacy checklist for German businesses

Use this as a procurement and rollout checklist, not just a marketing recap:

  • DPA signed: HubSpot’s DPA approved, accepted, and stored in version-controlled vendor records.
  • Product scope defined: Clear inventory of hubs, add-ons, and integrations in use.
  • Data categories mapped: Customer, prospect, employee, and tracking data separated in your review.
  • Legal bases documented: Storage, communications, cookies, and automation assessed individually.
  • EU data hosting checked: Reviewed against actual product limits and data paths, not only feature labels.
  • SCC transfer review documented: US or other third-country transfers captured in your privacy process.
  • Subprocessors reviewed: Current list checked and aligned with vendor-management expectations.
  • Article 30 records updated: HubSpot added to your records of processing activities.
  • Privacy notices updated: Website, customer, applicant, or employee notices aligned to real use.
  • Retention rules set: Contacts, logs, exports, and lists have defined deletion logic.
  • Access model reviewed: Only necessary teams can access personal data and exports.
  • Works council assessed: Tracking, reporting, and activity features screened for co-determination.
  • Works agreement prepared: Where employee data is involved, consultation addressed before rollout.
  • DPIA threshold reviewed: Article 35 GDPR analysis documented where the use case is higher risk.
  • AI reviewed separately: For Breeze AI, continue with the dedicated HubSpot Breeze AI GDPR guide.

HubSpot is usable for many German businesses, but GDPR compliance has to be actively built. A DPA alone is not enough. The decisive issues are the real data flows, the split between CRM and marketing legal bases, the transfer assessment, the meaning of EU data hosting in practice, and the role of the works council once employee-related features are enabled.

Compound Law advises businesses across Germany and the DACH region on compliance and privacy questions as well as vendor contract, transfer, and works council reviews. For a concrete assessment, you can also book a call.

Related Tool Guides

Claude ZDR zero data retention guide for Anthropic API and Claude Code enterprise use
tools

Claude ZDR: Zero Data Retention for Enterprise and Claude Code

Claude ZDR is available only on qualified Anthropic API and Claude Code enterprise paths. Learn scope, exclusions, retention exceptions, and procurement steps.

DeepL DPA and GDPR approval guide for companies in Germany
tools

DeepL DPA and GDPR in Germany: Approval Guide for Buyers

DeepL can usually be approved in Germany only on paid business plans with a signed DPA, feature review, and confidentiality checks. DeepL Free is not approved.

Cursor DPA and GDPR review for teams in Germany
tools

Cursor DPA 2026: Where to Find It and What It Covers

The Cursor DPA is public at cursor.com/terms/dpa, but German teams still need the right paid plan, Privacy Mode, and transfer review before using personal data.

DeepSeek GDPR compliance analysis for German companies
tools

Is DeepSeek GDPR Compliant? What German Companies Need to Know

Hosted DeepSeek still creates GDPR and procurement risk for German companies. Self-hosted deployments can work with EU infrastructure and proper controls.

Zapier GDPR 2026 Germany — DPA, Article 28, SCCs and EU data transfers for German companies
tools

Is Zapier GDPR Compliant? Germany Guide 2026

Is Zapier GDPR compliant for German companies? DPA, SCCs, EU data residency, and when Zapier is too risky for personal data workflows.

Claude Code GDPR compliance — DPA, data retention and EU hosting guide
tools

Claude Code Data Privacy: GDPR, DPA & No Training Policy

Claude Code's data privacy policy: no training on your code by default, GDPR DPA included via Anthropic API, zero data retention for Enterprise.

Tool Library

Browse More AI Tools by Topic

Compare more tools, privacy issues, and deployment scenarios in the full AI tool library.

View all AI tools

Frequently asked questions

HubSpot can be used in a GDPR-compliant manner if the DPA is in place, transfers are properly assessed, your legal bases and privacy notices match the real use case, and the concrete configuration is reviewed under German employment and data protection rules. The platform does not make your use automatically compliant.

Yes. HubSpot provides a Data Processing Agreement that functions as the Article 28 GDPR processor agreement, commonly called an AVV in Germany. You should still confirm that the actual products, subprocessors, integrations, and transfer mechanisms used in your setup are covered.

HubSpot offers EU data hosting for certain data, but depending on product scope, support access, and subprocessor chains, some data flows may still involve processing outside the EU. The right question is not only where data is stored, but also how it is accessed, transferred, and supported.

Often yes. If HubSpot allows employee activity, performance, email tracking, call data, or usage logs to be monitored, co-determination rights under German works council law are commonly triggered. A works agreement or comparable consultation should be addressed before rollout.

Book Free Call