Zapier GDPR 2026: DPA, Article 28 & EU Data Transfer Guide

Can German companies use Zapier under GDPR?

Zapier is GDPR-compliant in Germany with a signed DPA covering all Article 28(3) requirements, documented US transfers via SCCs and DPF, and DPIA/works council review where required. As of May 2026, EU AI Act obligations apply where Zapier AI Actions or AI integrations are deployed.

  • Assess each workflow individually — triggers, actions, connected apps, data categories, and logs all matter.
  • Sign the Zapier DPA and verify all Article 28(3) requirements: instructions, confidentiality, TOMs, subprocessors, deletion, audits.
  • High-risk workflows with employee monitoring, health data, or AI components require DPIA and possibly works council review.

Zapier is GDPR compliant — with conditions. Zapier processes data in the United States but offers a Data Processing Agreement (DPA, required under GDPR Article 28) and EU Data Residency on paid plans. As of May 2026, German companies must also consider the EU AI Act where Zapier is used to power AI-driven automations. A signed DPA is mandatory before any automation workflow handling personal data goes live. Whether a specific deployment is fully GDPR-compliant depends on per-workflow data category assessment, the international transfer basis under Standard Contractual Clauses (SCCs), and any DPIA or works council review required. For a broader survey of automation and workflow tools reviewed for the German market, see the AI tools guide.

Is Zapier GDPR Compliant? Direct Answer

Zapier can be used GDPR-compliantly in Germany. The conditions are:

  • Sign the Zapier DPA and verify it covers all seven Article 28(3) GDPR requirements.
  • Confirm the transfer basis (SCCs, DPF) and document a Transfer Impact Assessment for your data categories.
  • Run workflow-level risk classification — not a one-time platform check.
  • For employee-related, health, or high-volume customer data, evaluate DPIA and works council obligations before rollout.
  • For any Zapier AI Actions or AI integrations, assess EU AI Act deployer obligations.

This page provides general legal information, not legal advice for a specific deployment. For related guidance, see AI customer service compliance, Zendesk, HubSpot, Make.com, and Notion AI.

GDPR Requirements for Zapier in Germany

The question is not whether Zapier as a platform is GDPR-compliant in the abstract. The question is whether your specific Zapier deployment is compliant. Under the GDPR, that requires:

  • a clear legal basis under Article 6 GDPR (and Article 9 for special categories)
  • a processor contract under Article 28 GDPR — the signed DPA
  • a valid international transfer mechanism under Chapter V GDPR — typically SCCs
  • technical and organizational measures appropriate to the risk under Article 32 GDPR
  • a DPIA where required under Article 35 GDPR

For German companies in particular, the local regulatory environment adds:

  • §87(1) no. 6 BetrVG (Works Constitution Act) for employee-related automations that touch monitoring
  • BDSG requirements on top of GDPR for employment data processing
  • Enforcement patterns from German data protection authorities including the Baden-Württemberg, Hamburg, and Berlin DPAs, which have shown a focus on processor contracts and US transfer risk

The practical outcome for most businesses is that low-risk internal automations are manageable, customer-data automations need careful design, and employee, health, and finance workflows need a formal legal review before rollout.

Zapier DPA and GDPR Article 28: What It Must Contain

Zapier offers a Data Processing Addendum as part of its legal documentation. Accepting it is the first required step, but reviewing its substance against all seven requirements of Article 28(3) GDPR matters more than its existence.

Article 28(3) GDPR — Checklist for the Zapier DPA

Requirement (Art. 28(3)) | What to verify in the Zapier DPA
--- | ---
lit. a  Processing only on documented controller instructions | Does the DPA explicitly confirm instruction-bound processing? Are instruction channels defined?
lit. b  Confidentiality of authorized persons | Are Zapier staff with data access bound by confidentiality? Is this verifiable?
lit. c  Security measures (Art. 32) | Does the DPA reference concrete TOMs? Is a current security whitepaper attached or linked?
lit. d  Subprocessor conditions | Does the DPA regulate subprocessor engagement? Is there a right to object to new subprocessors?
lit. e  Assistance obligations (Art. 32–36) | Does Zapier commit to helping with DPIAs, data subject rights, and breach notifications?
lit. f  Deletion or return of data | Are timeframes for deletion or return after contract end clearly defined — including task histories and logs?
lit. g  Audit rights | Does your company have the right to audit Zapier or have it audited by a third party?

Confirming the DPA exists is the first step; verifying it covers all seven points is what matters for Article 28 compliance.

Processor vs. Controller Distinction

Under most Zapier deployments, your company is the controller and Zapier is the processor. This means Zapier must act only on your instructions, and you remain responsible for the lawfulness of the underlying processing purpose.

However, that allocation is not always clean. Zapier collects operational telemetry about workflow runs, may use certain aggregated data for product improvement, and shares data with subprocessors under its own contract terms. Review the DPA to confirm which parts of the data flow are genuinely on controller-processor terms and which fall outside that boundary.

Subprocessor List and Risk

Zapier publishes a list of subprocessors. Key practical steps:

  • Download or bookmark the current list at the time of your assessment.
  • Note which subprocessors receive which categories of data from your workflows.
  • Confirm whether any subprocessors are located in third countries without an adequacy decision, and whether SCCs or binding corporate rules cover that transfer.
  • Check the change notification procedure — Zapier must notify you of new subprocessors, and you should have a process for reviewing those notifications and objecting where necessary.

Deletion Commitments

The DPA should specify what happens to data when the relationship ends: when task histories are deleted, whether logs are purged, and within what timeframe. Zapier task histories can contain personal data that outlives the use case they were created for. Verify that the deletion terms match your own retention policy and that downstream copies in connected systems are addressed.

Zapier Data Transfers: Is US Processing Still Happening?

For German companies assessing Zapier's data processing agreement under the GDPR, or Zapier in light of Schrems II, the short answer is: yes, Zapier can process data in the United States, and you need to assess whether that is acceptable for your specific workflows.

Standard Contractual Clauses Review

Zapier relies on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission in June 2021 for transfers of EEA personal data to the United States and other third countries. Post-Schrems II, SCCs alone are not sufficient — they must be supplemented by a Transfer Impact Assessment (TIA) that evaluates the legal access risk in the destination country.

For most US-based SaaS providers, the relevant risk factors are:

  • US surveillance law, including FISA Section 702 and Executive Order 14086 safeguards
  • Whether Zapier employees with US access can reach unencrypted personal data
  • The likelihood that your specific data categories would be of intelligence interest

For routine business automation of non-sensitive data, most TIAs conclude that the residual risk is acceptable with appropriate supplementary measures. For workflows involving large-scale customer databases, financial data, or any data with government-adjacent sensitivity, the TIA requires closer analysis.

Zapier’s EU Data Residency Offering

Zapier has introduced EU data residency options for business and higher plans. This means that certain task data and workflow execution data are stored in EU-based infrastructure rather than the United States. However, EU data residency is not equivalent to EU-only processing:

  • Support access may still originate from outside the EEA
  • Some infrastructure components and subprocessors may still process data in the US
  • Metadata and telemetry data may not be covered by residency settings
  • The coverage may differ by plan tier

Before relying on Zapier’s EU data residency as a compliance argument, verify which data categories it actually covers in your plan, which subprocessors remain outside its scope, and whether your DPA reflects the residency configuration.

Post-Schrems II Analysis and DPF Status as of May 2026

The CJEU Schrems II judgment of July 2020 invalidated the Privacy Shield and required supplementary measures for US transfers. The EU-US Data Privacy Framework (DPF) adopted in July 2023 partially addresses this for certified US companies — Zapier is DPF-certified.

Current status as of May 2026: The DPF remains legally in force, but ongoing legal challenges from privacy organizations (including pending court proceedings) create uncertainty about its long-term stability. A third invalidation of a US-EU transfer mechanism would be significant. German companies should:

  1. Document the transfer basis as both DPF certification and SCCs — so the SCCs remain valid as a fallback if the DPF is challenged.
  2. Complete a TIA that addresses US surveillance law risk for your data categories.
  3. Confirm that supplementary measures (encryption, access controls, minimization) are implemented and documented.
  4. Set a review cadence, since both the DPF legal landscape and Zapier’s subprocessor list can change.

EU AI Act and Zapier Automations (2026)

Since the EU AI Act’s provisions on prohibited practices, general-purpose AI systems, and high-risk AI applications came into force, businesses using Zapier for AI-powered automations must consider an additional compliance layer. The EU AI Act applies alongside GDPR — both frameworks operate simultaneously.

Zapier AI Actions and GPAI Interfaces

Zapier’s AI Actions connect to large language models from providers such as OpenAI, Anthropic, and others. Companies using these features are deployers of AI systems under the EU AI Act. Deployer obligations include:

  • Fundamental rights impact assessment for high-risk AI systems (Article 27 EU AI Act)
  • Human oversight — ensuring AI outputs can be reviewed or overridden before they affect individuals
  • Transparency to users when interacting with AI-generated content
  • Recording and monitoring of AI system use in the workflow

High-Risk Classification for Zapier Workflows

Zapier automations may qualify as high-risk AI systems when used in domains listed in Annex III of the EU AI Act:

Application area | Typical Zapier workflow | High-risk?
--- | --- | ---
Employment decisions | Automated candidate shortlisting, performance scoring | Yes — Art. 6(2) + Annex III no. 4
Creditworthiness assessment | Lead scoring with financial or behavioral data | Yes — Annex III no. 5
Essential public services | Automated routing in social or health services | Potentially — Annex III no. 6
Internal tools, marketing | CRM sync, newsletter triggers, calendar automation | Generally no

High-risk AI systems require technical documentation, a quality management system, and human oversight mechanisms before deployment.

Prohibited AI Practices under Article 5

Certain automation patterns are prohibited regardless of the tool used. Zapier workflows that implement the following are unlawful under Article 5 EU AI Act:

  • Social scoring of individuals based on their behavior or personal characteristics
  • Biometric categorization to infer sensitive attributes (religion, political views, sexual orientation)
  • Subliminal manipulation techniques that bypass conscious decision-making
  • Real-time remote biometric identification in publicly accessible spaces (with narrow exceptions)

These prohibitions apply even where the automation is otherwise technically and GDPR-compliant.

For a full overview of EU AI Act compliance requirements, see our EU AI Act compliance guides and the AI Act by industry pages.

Workflow-Level GDPR Risk Assessment

This is the most operationally valuable analysis. Rather than assessing Zapier as a platform, assess each category of workflow by the data it processes.

Low-Risk: Internal Tool Integrations

These workflows generally process little personal data, often only internal identifiers or metadata. Examples:

  • Notion to Slack notifications for project status changes (non-sensitive metadata)
  • CRM deduplication workflows operating on company email domains
  • Calendar and scheduling syncs for internal meetings
  • Supply chain notifications based on inventory or logistics triggers — see AI supply chain management compliance
  • Automated reminders for contract or task deadlines with no personal data in the payload

These are typically justifiable under Article 6(1)(f) GDPR (legitimate interest) with standard security controls, data minimization, and a completed DPA.

Medium-Risk: Customer Data Automations

These workflows touch personal data belonging to customers or leads, which raises the stakes for data minimization, retention, and transfer risk. Examples:

  • Form submission routing to CRM (name, email, business context)
  • Support ticket categorization and routing (may include customer message content)
  • Email marketing workflow triggers (behavioral signals)
  • Lead scoring automations that combine data from multiple sources

For medium-risk workflows, specific steps matter: strip free-text content where possible, pass identifiers rather than full records, set short retention on Zapier task history, and confirm that connected app DPAs are aligned. Review HubSpot GDPR compliance and Zendesk GDPR compliance alongside Zapier for integrated customer data stacks.

High-Risk: Employee Data, Health Data, Financial Data, and Broad Customer Profiling

These categories require a stricter pre-deployment review:

Data Type | Why High-Risk | Key Requirements
--- | --- | ---
Employee data | §87(1) no. 6 BetrVG, BDSG §26, monitoring risk | Works council review, explicit legal basis, minimization
Health / biometric data | Article 9 GDPR special categories | Explicit consent or other Art. 9(2) basis, DPIA likely required
Financial data | Confidentiality obligations, banking secrecy | Segregation of access, restricted log visibility, formal vendor assessment
Broad customer profiling | Profiling rules under Article 22 GDPR, transparency | Layered privacy notice, right to object, potential DPIA

For any of these, a general “Zapier is GDPR-compliant” statement is not sufficient as a compliance foundation.

DPIA: When Does Zapier Use Require a Data Protection Impact Assessment?

Under Article 35 GDPR, a Data Protection Impact Assessment is required before processing that is likely to result in high risk to individuals’ rights and freedoms. German DPA guidance indicates that the following Zapier workflow patterns likely trigger this requirement:

  • Systematic monitoring of employees — any workflow that consolidates employee behavior data across systems, generates productivity metrics, or creates alerts about individual staff activity
  • Large-scale processing of special category data — health, biometric, or union-membership data moving through automated workflows
  • Automated decision-making with legal or significant effects — workflows that trigger automated outcomes for individuals without human review
  • Large-scale customer profiling — combining behavioral, transactional, and communication data to build profiles used for targeting, segmentation, or credit/insurance-adjacent purposes

The DPIA must describe the processing, assess necessity and proportionality, identify risks, and document the measures taken to address them. It should be completed before the workflow goes live, not after.

If your Zapier deployment involves several of these risk factors, the DPIA scope expands accordingly.

Works Council Considerations for German Companies

German businesses are subject to the Betriebsverfassungsgesetz (BetrVG). Section 87(1) no. 6 specifically grants the works council (Betriebsrat) co-determination rights over the introduction and use of technical devices designed to monitor employees’ conduct or performance.

Zapier workflows can trigger §87 BetrVG even when monitoring is not the stated purpose. The test is whether the tool enables monitoring, not whether it is intended to monitor. Typical triggers:

  • Automations that log employee response times (e.g., time from ticket assignment to first reply)
  • Workflows that consolidate activity data from Slack, email, or CRM into a management dashboard
  • Alerting logic based on individual employee inactivity or SLA breach
  • Integrations with HR tools that track attendance, shift changes, or absence patterns

Where §87(1) no. 6 BetrVG applies, the works council must be consulted and its agreement reached before the system is introduced. Operating without this consent exposes the employer to injunctions, potential prohibition orders, and labor law liability.

The practical recommendation: involve HR, legal, and the works council early in the design phase, before a workflow is built or deployed.

Zapier in Specific Industries

Certain industries face heightened standards regardless of the general workflow risk tier.

Healthcare and Medical Services

Workflows touching patient data, appointment records, referral information, or any health-related content fall under Article 9 GDPR (special categories) and, in some contexts, additional German health data law. Standard no-code automation through a US-linked SaaS provider is generally not the default-acceptable approach here. At minimum: explicit consent or a statutory basis under Article 9(2), a DPIA, and a security review covering encrypted payloads, restricted log access, and limited subprocessor exposure.

HR and Recruiting

German employment data law under §26 BDSG imposes strict requirements on processing employee or applicant data. Automating recruiting workflows, onboarding steps, or performance data through Zapier requires a documented legal basis for each data element, minimization to only what is genuinely necessary, and works council involvement where applicable. Retention must be actively managed — applicant data that flows through Zapier and into connected systems needs defined deletion timelines.

Legal and Professional Services

Law firms and professional services firms have additional confidentiality obligations. Routing client matter information, contract content, or case-related data through third-party automation creates data governance questions beyond GDPR. Check bar association rules, professional secrecy obligations, and whether client consent or matter-specific data handling agreements are needed before using Zapier for client-facing data.

Zapier Alternatives with Better EU Compliance Profiles

If the US transfer risk, subprocessor footprint, or EU data residency limitations are blockers for your use case, the following alternatives offer different compliance profiles:

Tool | Key compliance advantage | Trade-offs
--- | --- | ---
Make.com | EU-headquartered (Czech Republic), EU data center options | Smaller template library, steeper learning curve
n8n | Self-hosted option, full data control, open source | Requires technical setup and ongoing maintenance
Pipedream | Source-available, self-hosting available | Less mature enterprise documentation
Zapier EU Data Residency | Keeps task data in EU infrastructure | Does not eliminate all US subprocessor exposure

None of these alternatives eliminates the need for a DPA, transfer assessment, or workflow risk review. The advantage is that EU-headquartered or self-hosted tools reduce the transfer risk surface area, which can simplify the TIA and reduce DPIA scope.

Checklist: Zapier GDPR Readiness for German Companies (May 2026)

Use this before enabling any production Zapier workflow that processes personal data.

Contract and legal basis:

  • Zapier DPA signed or accepted
  • DPA verified against all Article 28(3) requirements (lit. a–g)
  • Legal basis under Article 6 GDPR identified and documented for each workflow
  • Article 9 GDPR basis documented if special categories are involved
  • Transfer mechanism confirmed (SCCs, DPF certification, or both — dual documentation recommended)
  • Transfer Impact Assessment completed for US-transferred data

Workflow design:

  • Workflow mapped end to end: triggers, actions, apps, fields, logs, retention
  • Data minimization applied — only necessary fields transferred
  • Free-text content stripped or suppressed where possible
  • Task history retention set and deletion tested
  • Downstream app DPAs reviewed for alignment

Risk assessment:

  • Workflow categorized as low, medium, or high risk
  • DPIA completed if high-risk indicators are present
  • Works council review initiated if employee data or monitoring potential exists
  • Industry-specific requirements checked (healthcare, HR, legal)

EU AI Act (where AI components are used):

  • Zapier AI Actions or AI integrations identified as AI systems
  • Deployer role confirmed and high-risk classification assessed (Annex III)
  • Human oversight mechanism in place for AI outputs
  • Prohibited AI practices under Article 5 ruled out

Documentation:

  • Approved use case recorded in records of processing activities (Art. 30 GDPR)
  • Restrictions, data categories, legal basis, and review date documented
  • Subprocessor list reviewed and added to vendor register

FAQ

Is Zapier GDPR compliant?

Yes, with conditions. Zapier processes data in the United States but offers a DPA as required by GDPR Article 28 and EU Data Residency on paid plans. For German companies, GDPR compliance means: signing the DPA and verifying all Article 28(3) requirements, documenting the transfer mechanism (SCCs, DPF certification), assessing each workflow by data category, and conducting a DPIA or works council review where required.

Does Zapier have a DPA (Data Processing Agreement)?

Yes. Zapier publicly offers a Data Processing Addendum that satisfies the processor contract requirement under GDPR Article 28. Review it against all seven Article 28(3) requirements (role allocation, subprocessor terms, deletion commitments, transfer clauses, assistance obligations, confidentiality, and audit rights). Confirming its existence is the first step, not the last.

Does Zapier store data in the EU?

Zapier offers EU data residency on paid plans for task data and certain execution data. EU data residency does not mean all processing stays within the EU — support access, subprocessors, and metadata may still involve processing outside the EEA. Verify exactly which data types your plan covers before relying on this as a compliance argument.

Is Zapier secure for customer data?

Zapier encrypts data in transit and at rest, supports role-based access controls, and publishes a subprocessor list and security documentation. Technical security and GDPR lawfulness are two separate requirements — a workflow can be technically secure but still unlawful without a valid legal basis, a signed DPA, and proper data minimization. Both conditions must be met.

Does the EU AI Act apply to Zapier automations?

Yes, where Zapier AI Actions or third-party AI integrations are used. Businesses are deployers of AI systems under the EU AI Act and carry deployer obligations: human oversight, transparency, and — for high-risk AI systems in employment, credit, or essential services — fundamental rights impact assessments and technical documentation. Pure data-routing automations without AI components are not directly covered.

What is Zapier GDPR compliance for German companies?

It is the legal assessment of whether a specific Zapier workflow can be operated lawfully under the GDPR in Germany. This covers the legal basis, the signed DPA verified against Article 28(3), international transfer mechanism, subprocessors, data minimization, retention, security, and — for German-specific workflows — works council and BDSG considerations. As of May 2026, EU AI Act obligations apply where AI components are used.

Does Zapier transfer data outside the EU?

Yes. Zapier service-related data can be processed in the United States. Zapier relies on Standard Contractual Clauses and participates in the EU-US Data Privacy Framework (DPF, currently in force as of May 2026 but subject to ongoing legal challenge). Companies should document both mechanisms and complete a Transfer Impact Assessment for their specific data categories.

When is a DPIA required for using Zapier?

A DPIA is required under Article 35 GDPR when a Zapier workflow systematically monitors employees, processes special category data at scale, enables automated decisions with legal effects, or involves large-scale customer profiling. Germany’s DPAs indicate that monitoring-adjacent automations trigger DPIA requirements even without an explicit monitoring label.

Can German companies use Zapier for employee data?

Sometimes, but employee data automation in Germany requires special care. §26 BDSG governs employment data processing. §87(1) no. 6 BetrVG may require works council agreement before deploying workflows that could monitor employee behavior. Even unintentional monitoring effects matter legally. Always involve HR and legal counsel before deploying employee-related Zapier workflows.

What are the best EU-compliant alternatives to Zapier?

Make.com (EU-headquartered), n8n (open-source, self-hostable), and Pipedream (self-host available) offer different risk profiles. The main advantage is reducing US transfer exposure. None eliminate the need for a DPA, transfer assessment, or workflow review. See Make.com GDPR compliance for a parallel analysis.


This page provides general legal information for German companies evaluating Zapier. It is not legal advice for a specific deployment. Compound Law advises businesses and founders in Germany on GDPR, commercial contracts, employment law, and AI-related compliance. If you want to review a Zapier deployment, a DPA, or a sensitive automation workflow, contact us.

Frequently asked questions

Is Zapier GDPR compliant for companies in Germany?

Zapier can support GDPR-compliant use in Germany, but compliance depends on the specific workflow, the signed DPA covering all Article 28(3) requirements, international transfer setup, security measures, and the categories of personal data involved. There is no blanket yes or no answer at the platform level.

Does Zapier have a data processing agreement (DPA) for GDPR?

Yes. Zapier publicly offers a Data Processing Addendum. German companies should verify it covers all seven requirements of Article 28(3) GDPR: processing only on documented instructions, confidentiality commitments, appropriate TOMs, subprocessor controls, assistance with Articles 32–36, deletion or return of data, and audit rights. Confirming existence is the first step, not the last.

Does Zapier transfer data to the United States?

Yes, Zapier service-related data can be processed in the United States. Zapier relies on Standard Contractual Clauses and is certified under the EU-US Data Privacy Framework (DPF). As of May 2026, the DPF remains legally in force but faces ongoing legal challenges. German companies should document both DPF certification and SCCs as a fallback, and complete a Transfer Impact Assessment for their specific data categories.

When is a DPIA required for Zapier workflows?

A Data Protection Impact Assessment is required when a Zapier workflow systematically monitors employees, processes special category data at scale, enables automated decisions about individuals, or processes large volumes of sensitive customer data. German DPAs have indicated that monitoring-adjacent automations trigger DPIA obligations even without a formal monitoring label.

How secure is Zapier with customer information?

Zapier encrypts data in transit and at rest, supports role-based access, and publishes a subprocessor list and security documentation. For customer data, technical security and GDPR lawfulness are two separate questions — a workflow can be technically secure but still unlawful without a valid legal basis, a signed DPA, and data minimization at the workflow level.

Does Zapier support EU data residency?

Zapier has offered EU data residency options on its Team and higher plans, primarily for task data and certain metadata. However, EU residency options do not necessarily cover all infrastructure layers, subprocessors, or support access from outside the EEA. Companies should verify current coverage and map which data types remain within the EU under their specific plan and configuration.

Does the EU AI Act apply to Zapier automations?

Yes, where Zapier AI Actions or third-party AI integrations such as OpenAI or Anthropic are used. Businesses using these are deployers of AI systems under the EU AI Act and carry deployer obligations: human oversight, user transparency, and — for high-risk AI systems in employment, credit, or essential services — fundamental rights impact assessments and technical documentation. Pure data-routing automations without AI components are not directly covered by the EU AI Act.