Is Zapier GDPR Compliant? Germany Guide 2026
Is Zapier GDPR compliant for German companies?
Yes, Zapier can be GDPR compliant for ordinary business workflows if German companies sign the DPA, document US transfers, and minimise what each Zap sends downstream. Zapier is usually the wrong default for special-category data, employee monitoring, or client-confidential workflows without deeper review.
- Assess each workflow individually: trigger, action, connected app, log, retention setting, and data category all matter.
- The DPA is only the first layer. You also need to review subprocessors, transfer mechanics, and what happens after Zapier passes data into other apps.
- High-risk workflows with employee monitoring, special-category data, or AI decision support require DPIA and usually broader governance before rollout.
Yes, Zapier can be GDPR compliant for German companies, but only for the right workflows and with the right setup. As of June 29, 2026, the practical answer is this: Zapier is usually workable for low- to medium-risk business automation if you sign the DPA under Article 28 GDPR, document the US transfer basis, minimise the fields passed through each Zap, and review the connected app chain rather than Zapier in isolation. It is often the wrong default for special-category data, employee monitoring, legal-client confidentiality, or broad AI-assisted decision workflows unless a deeper review has already been completed. For the wider procurement framework, see GDPR AI procurement, the GDPR AI vendor assessment checklist, and our Make.com guide.
Is Zapier GDPR Compliant? Direct Answer for Germany
Direct answer
Zapier can be GDPR compliant in Germany. The usual conditions are:
- Sign the Zapier DPA and verify it covers all seven Article 28(3) GDPR requirements.
- Confirm the transfer basis and keep a written Transfer Impact Assessment for the actual data categories in scope.
- Review the full vendor chain: source app, Zapier, every connected destination, and any AI or support tooling involved.
- Treat logs, task history, and replay data as part of the personal-data footprint.
- For employee-related, health, legal-client, or high-volume customer data, evaluate DPIA and works council obligations before rollout.
- For Zapier AI Actions or AI-connected workflows, assess EU AI Act deployer obligations separately.
This page provides general legal information, not legal advice for a specific deployment. For related guidance, see AI customer service compliance, Zendesk, HubSpot, Make.com, and Notion AI.
When Zapier Is Usually Compliant, Borderline, or a Poor Fit
Many searches for Zapier GDPR compliance are really asking for a quick use-case verdict. This is the practical view for Germany:
| Workflow type | Typical GDPR answer | Why |
|---|---|---|
| Internal status alerts, CRM routing with limited fields, contract reminders | Usually yes | These are often low- to medium-risk automations if the DPA, transfer file, and retention settings are in place. |
| Customer support triage, marketing enrichment, lead qualification, AI-assisted summaries | Maybe, after review | The workflow can still be compliant, but it needs field-level minimisation, downstream app review, and a check that no hidden profiling or excessive retention is created. |
| Employee monitoring, health data, legal-client documents, special-category data, high-volume profiling | Usually no as a default setup | These cases often trigger DPIA, works council, confidentiality, or Article 9 GDPR problems that make a general automation hub the wrong first choice. |
That is why the better question is not “Is Zapier compliant?” in the abstract. It is “Is this Zapier workflow compliant for our company, our data, and our app stack?”
What Zapier GDPR Compliance Requires in Germany
The question is not whether Zapier as a platform is GDPR-compliant in the abstract. The question is whether your specific Zapier deployment is compliant. Under the GDPR, that requires:
- a clear legal basis under Article 6 GDPR (and Article 9 for special categories)
- a processor contract under Article 28 GDPR — the signed DPA
- a valid international transfer mechanism under Chapter V GDPR — typically SCCs
- technical and organizational measures appropriate to the risk under Article 32 GDPR
- a DPIA where required under Article 35 GDPR
For German companies in particular, the local regulatory environment adds:
- §87(1) no. 6 BetrVG (Works Constitution Act) for employee-related automations that touch monitoring
- BDSG requirements on top of GDPR for employment data processing
- Enforcement patterns from German data protection authorities including the Baden-Württemberg, Hamburg, and Berlin DPAs, which have shown a focus on processor contracts and US transfer risk
The practical outcome for most businesses is that low-risk internal automations are manageable, customer-data automations need careful design, and employee, health, and finance workflows need a formal legal review before rollout.
Zapier DPA and GDPR Article 28: What It Must Contain
Zapier offers a Data Processing Addendum as part of its legal documentation. Accepting it is the first required step, but reviewing its substance against all seven requirements of Article 28(3) GDPR matters more than its existence.
Article 28(3) GDPR — Checklist for the Zapier DPA
| Requirement (Art. 28(3)) | What to verify in the Zapier DPA |
|---|---|
| lit. a Processing only on documented controller instructions | Does the DPA explicitly confirm instruction-bound processing? Are instruction channels defined? |
| lit. b Confidentiality of authorized persons | Are Zapier staff with data access bound by confidentiality? Is this verifiable? |
| lit. c Security measures (Art. 32) | Does the DPA reference concrete TOMs? Is a current security whitepaper attached or linked? |
| lit. d Subprocessor conditions | Does the DPA regulate subprocessor engagement? Is there a right to object to new subprocessors? |
| lit. e Assistance obligations (Art. 32–36) | Does Zapier commit to helping with DPIAs, data subject rights, and breach notifications? |
| lit. f Deletion or return of data | Are timeframes for deletion or return after contract end clearly defined — including task histories and logs? |
| lit. g Audit rights | Does your company have the right to audit Zapier or have it audited by a third party? |
Confirming the DPA exists is the first step; verifying it covers all seven points is what matters for Article 28 compliance.
Processor vs. Controller Distinction
Under most Zapier deployments, your company is the controller and Zapier is the processor. This means Zapier must act only on your instructions, and you remain responsible for the lawfulness of the underlying processing purpose.
However, that allocation is not always clean. Zapier collects operational telemetry about workflow runs, uses subprocessors, and notes in its DPA that the processor terms do not govern what happens once Customer Data is transferred to a third-party service at your direction. That matters because many buyers treat the Zapier DPA as if it solved the whole chain. It does not. You still need to assess each downstream destination on its own terms.
Why Zapier Changes the Vendor Chain
The core GDPR risk with Zapier is not only “US SaaS provider” risk. It is integration sprawl. One workflow can involve:
- a source system that collected the personal data
- Zapier as the automation layer
- one or more destination apps that receive the payload
- logs, replay tools, support access, and subprocessors around the workflow
- optional AI endpoints that classify, summarise, or rewrite the content
That means the legal review has to answer four separate questions:
- Is the original transfer into Zapier lawful and necessary?
- Does Zapier need every field the team wants to send?
- Is each destination app covered by its own lawful basis, DPA position, and retention logic?
- Do the combined tools create a broader transfer or profiling footprint than the business team realised?
This is why buyer-side reviews often fail when they only file the Zapier DPA and skip the surrounding stack.
Subprocessor List and Risk
Zapier publishes a list of subprocessors. Key practical steps:
- Download or bookmark the current list at the time of your assessment.
- Note which subprocessors receive which categories of data from your workflows.
- Confirm whether any subprocessors are located in third countries without an adequacy decision, and whether SCCs or binding corporate rules cover that transfer.
- Check the change notification procedure — Zapier must notify you of new subprocessors, and you should have a process for reviewing those notifications and objecting where necessary.
Deletion Commitments
The DPA should specify what happens to data when the relationship ends: when task histories are deleted, whether logs are purged, and within what timeframe. Zapier task histories, error payloads, and replay data can contain personal data that outlives the actual business purpose. Verify that the deletion terms match your retention policy and that downstream copies in connected systems are addressed as well.
Zapier Data Transfers: Is US Processing Still Happening?
For German companies assessing Zapier data processing agreement GDPR or Zapier Schrems II questions, the short answer is: yes, Zapier can process data in the United States, and you need to assess whether that is acceptable for your specific workflows.
Standard Contractual Clauses Review
Zapier relies on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission in June 2021 for transfers of EEA personal data to the United States and other third countries. Post-Schrems II, SCCs alone are not sufficient — they must be supplemented by a Transfer Impact Assessment (TIA) that evaluates the legal access risk in the destination country.
For most US-based SaaS providers, the relevant risk factors are:
- US surveillance law, including FISA Section 702 and Executive Order 14086 safeguards
- Whether Zapier employees with US access can reach unencrypted personal data
- The likelihood that your specific data categories would be of intelligence interest
For routine business automation of non-sensitive data, most TIAs conclude that the residual risk is acceptable with appropriate supplementary measures. For workflows involving large-scale customer databases, financial data, or any data with government-adjacent sensitivity, the TIA requires closer analysis.
Zapier’s EU Data Residency Offering
Zapier offers EU data residency controls for certain paid business setups. This can reduce transfer exposure for some task and execution data, but EU data residency is not equivalent to EU-only processing:
- Support access may still originate from outside the EEA
- Some infrastructure components and subprocessors may still process data in the US
- Metadata and telemetry data may not be covered by residency settings
- The coverage may differ by plan tier
Before relying on Zapier’s EU data residency as a compliance argument, verify which data categories it actually covers in your plan, which subprocessors it does not neutralize, and whether the connected apps in the same workflow immediately re-export the same data outside the EU anyway.
Post-Schrems II Analysis and DPF Status as of June 29, 2026
The CJEU Schrems II judgment of July 2020 invalidated the Privacy Shield and required supplementary measures for US transfers. The EU-US Data Privacy Framework (DPF) adopted in July 2023 partially addresses this for certified US companies — Zapier is DPF-certified.
Current status as of June 29, 2026: The DPF remains legally in force, but relying on it alone is not a strong procurement posture for a Germany-facing risk file. German companies should:
- Document the transfer basis as both DPF certification and SCCs — so the SCCs remain valid as a fallback if the DPF is challenged.
- Complete a TIA that addresses US surveillance law risk for your data categories.
- Confirm that supplementary measures (encryption, access controls, minimization) are implemented and documented.
- Set a review cadence, since both the DPF legal landscape and Zapier’s subprocessor list can change.
EU AI Act and Zapier Automations (2026)
Since the EU AI Act’s provisions on prohibited practices, general-purpose AI systems, and high-risk AI applications came into force, businesses using Zapier for AI-powered automations must consider an additional compliance layer. The EU AI Act applies alongside GDPR — both frameworks operate simultaneously.
Zapier AI Actions and GPAI Interfaces
Zapier’s AI Actions connect to large language models such as OpenAI, Anthropic, and others. Companies using these features are deployers of AI systems under the EU AI Act. Deployer obligations include:
- Fundamental rights impact assessment for high-risk AI systems (Article 27 EU AI Act)
- Human oversight — ensuring AI outputs can be reviewed or overridden before they affect individuals
- Transparency to users when interacting with AI-generated content
- Recording and monitoring of AI system use in the workflow
High-Risk Classification for Zapier Workflows
Zapier automations may qualify as high-risk AI systems when used in domains listed in Annex III of the EU AI Act:
| Application area | Typical Zapier workflow | High-risk? |
|---|---|---|
| Employment decisions | Automated candidate shortlisting, performance scoring | Yes — Art. 6(2) + Annex III no. 4 |
| Creditworthiness assessment | Lead scoring with financial or behavioral data | Yes — Annex III no. 5 |
| Essential public services | Automated routing in social or health services | Potentially — Annex III no. 6 |
| Internal tools, marketing | CRM sync, newsletter triggers, calendar automation | Generally no |
High-risk AI systems require technical documentation, a quality management system, and human oversight mechanisms before deployment.
Prohibited AI Practices under Article 5
Certain automation patterns are prohibited regardless of the tool used. Zapier workflows that implement the following are unlawful under Article 5 EU AI Act:
- Social scoring of individuals based on their behavior or personal characteristics
- Biometric categorization to infer sensitive attributes (religion, political views, sexual orientation)
- Subliminal manipulation techniques that bypass conscious decision-making
- Real-time remote biometric identification in publicly accessible spaces (with narrow exceptions)
These prohibitions apply even where the automation is otherwise technically and GDPR-compliant.
For a full overview of EU AI Act compliance requirements, see our EU AI Act compliance guides and the AI Act by industry pages.
Zapier GDPR Compliance by Workflow Type
This is the most operationally valuable analysis. Rather than assessing Zapier as a platform, assess each category of workflow by the data it processes.
Low-Risk: Internal Tool Integrations
These workflows generally process limited personal data, often limited to internal identifiers or metadata. Examples:
- Notion to Slack notifications for project status changes (non-sensitive metadata)
- CRM deduplication workflows operating on company email domains
- Calendar and scheduling syncs for internal meetings
- Supply chain notifications based on inventory or logistics triggers — see AI supply chain management compliance
- Automated reminders for contract or task deadlines with no personal data in the payload
These are typically justifiable under Article 6(1)(f) GDPR (legitimate interest) with standard security controls, data minimization, and a completed DPA.
Medium-Risk: Customer Data Automations
These workflows touch personal data belonging to customers or leads, which raises the stakes for data minimization, retention, and transfer risk. Examples:
- Form submission routing to CRM (name, email, business context)
- Support ticket categorization and routing (may include customer message content)
- Email marketing workflow triggers (behavioral signals)
- Lead scoring automations that combine data from multiple sources
For medium-risk workflows, specific steps matter: strip free-text content where possible, pass identifiers rather than full records, set short retention on Zapier task history, and confirm that connected app DPAs are aligned. Review HubSpot GDPR compliance and Zendesk GDPR compliance alongside Zapier for integrated customer data stacks.
High-Risk: Employee Data, Health Data, Financial Data, and Broad Customer Profiling
These categories require a stricter pre-deployment review:
| Data Type | Why High-Risk | Key Requirements |
|---|---|---|
| Employee data | §87(1) no. 6 BetrVG, BDSG §26, monitoring risk | Works council review, explicit legal basis, minimization |
| Health / biometric data | Article 9 GDPR special categories | Explicit consent or other Art. 9(2) basis, DPIA likely required |
| Financial data | Confidentiality obligations, banking secrecy | Segregation of access, restricted log visibility, formal vendor assessment |
| Broad customer profiling | Profiling rules under Article 22 GDPR, transparency | Layered privacy notice, right to object, potential DPIA |
For any of these, a general “Zapier is GDPR-compliant” statement is not sufficient as a compliance foundation.
DPIA: When Does Zapier Use Require a Data Protection Impact Assessment?
Under Article 35 GDPR, a Data Protection Impact Assessment is required before processing that is likely to result in high risk to individuals’ rights and freedoms. German DPA guidance indicates that the following Zapier workflow patterns likely trigger this requirement:
- Systematic monitoring of employees — any workflow that consolidates employee behavior data across systems, generates productivity metrics, or creates alerts about individual staff activity
- Large-scale processing of special category data — health, biometric, or union-membership data moving through automated workflows
- Automated decision-making with legal or significant effects — workflows that trigger automated outcomes for individuals without human review
- Large-scale customer profiling — combining behavioral, transactional, and communication data to build profiles used for targeting, segmentation, or credit/insurance-adjacent purposes
The DPIA must describe the processing, assess necessity and proportionality, identify risks, and document the measures taken to address them. It should be completed before the workflow goes live, not after.
If your Zapier deployment spans multiple of these risk factors, the DPIA scope expands accordingly.
Works Council Considerations for German Companies
German businesses are subject to the Betriebsverfassungsgesetz (BetrVG). Section 87(1) no. 6 specifically grants the works council (Betriebsrat) co-determination rights over the introduction and use of technical devices designed to monitor employees’ conduct or performance.
Zapier workflows can trigger §87 BetrVG even when monitoring is not the stated purpose. The test is whether the tool enables monitoring, not whether it is intended to monitor. Typical triggers:
- Automations that log employee response times (e.g., time from ticket assignment to first reply)
- Workflows that consolidate activity data from Slack, email, or CRM into a management dashboard
- Alerting logic based on individual employee inactivity or SLA breach
- Integration with HR tools that tracks attendance, shift changes, or absence patterns
Where §87(1) no. 6 BetrVG applies, the works council must be consulted and its agreement reached before the system is introduced. Operating without this consent exposes the employer to injunctions, potential prohibition orders, and labor law liability.
The practical recommendation: involve HR, legal, and the works council early in the design phase, before a workflow is built or deployed.
Zapier in Specific Industries
Certain industries face heightened standards regardless of the general workflow risk tier.
Healthcare and Medical Services
Workflows touching patient data, appointment records, referral information, or any health-related content fall under Article 9 GDPR (special categories) and, in some contexts, additional German health data law. Standard no-code automation through a US-linked SaaS provider is generally not the default-acceptable approach here. At minimum: explicit consent or a statutory basis under Article 9(2), a DPIA, and a security review covering encrypted payloads, restricted log access, and limited subprocessor exposure.
HR and Recruiting
German employment data law under §26 BDSG imposes strict requirements on processing employee or applicant data. Automating recruiting workflows, onboarding steps, or performance data through Zapier requires a documented legal basis for each data element, minimization to only what is genuinely necessary, and works council involvement where applicable. Retention must be actively managed — applicant data that flows through Zapier and into connected systems needs defined deletion timelines.
Legal and Professional Services
Law firms and professional services firms have additional confidentiality obligations. Routing client matter information, contract content, or case-related data through third-party automation creates data governance questions beyond GDPR. Check bar association rules, professional secrecy obligations, and whether client consent or matter-specific data handling agreements are needed before using Zapier for client-facing data.
Zapier Alternatives with Better EU Compliance Profiles
If the US transfer risk, subprocessor footprint, or EU data residency limitations are blockers for your use case, the following alternatives offer different compliance profiles:
| Tool | Key compliance advantage | Trade-offs |
|---|---|---|
| Make.com | EU-headquartered (Czech Republic), EU data center options | Smaller template library, steeper learning curve |
| n8n | Self-hosted option, full data control, open source | Requires technical setup and ongoing maintenance |
| Pipedream | Source-available, self-hosting available | Less mature enterprise documentation |
| Zapier EU Data Residency | Keeps task data in EU infrastructure | Does not eliminate all US subprocessor exposure |
None of these alternatives eliminates the need for a DPA, transfer assessment, or workflow risk review. The advantage is that EU-headquartered or self-hosted tools reduce the transfer risk surface area, which can simplify the TIA and reduce DPIA scope.
Checklist: Zapier GDPR Readiness for German Companies (June 2026)
Use this before enabling any production Zapier workflow that processes personal data.
Contract and legal basis:
- Zapier DPA signed or accepted
- DPA verified against all Article 28(3) requirements (lit. a–g)
- Legal basis under Article 6 GDPR identified and documented for each workflow
- Article 9 GDPR basis documented if special categories are involved
- Transfer mechanism confirmed (SCCs, DPF certification, or both — dual documentation recommended)
- Transfer Impact Assessment completed for US-transferred data
Workflow design:
- Workflow mapped end to end: triggers, actions, apps, fields, logs, retention
- Data minimization applied — only necessary fields transferred
- Free-text content stripped or suppressed where possible
- Task history retention set and deletion tested
- Downstream app DPAs reviewed for alignment
Risk assessment:
- Workflow categorized as low, medium, or high risk
- DPIA completed if high-risk indicators are present
- Works council review initiated if employee data or monitoring potential exists
- Industry-specific requirements checked (healthcare, HR, legal)
EU AI Act (where AI components are used):
- Zapier AI Actions or AI integrations identified as AI systems
- Deployer role confirmed and high-risk classification assessed (Annex III)
- Human oversight mechanism in place for AI outputs
- Prohibited AI practices under Article 5 ruled out
Documentation:
- Approved use case recorded in records of processing activities (Art. 30 GDPR)
- Restrictions, data categories, legal basis, and review date documented
- Subprocessor list reviewed and added to vendor register
FAQ
Is Zapier GDPR compliant?
Zapier can be used in a GDPR-compliant way, but only after a workflow-specific review. The DPA, transfer documentation, subprocessor review, retention settings, and connected-app chain all matter. There is no defensible one-line approval that covers every Zap a company may build.
Does Zapier have a DPA (Data Processing Agreement)?
Yes. Zapier offers a public DPA intended to address Article 28 GDPR. That should be reviewed for the full Article 28(3) checklist, but also for the practical carve-out that downstream third-party services in the workflow are not covered just because Zapier is.
Does Zapier transfer data outside the EU?
Yes. Zapier states that service-related data may be processed in the United States. Buyers in Germany should therefore document the SCC position, record the DPF status as of the review date, and complete a Transfer Impact Assessment for the real workflow data categories involved.
Does Zapier store data in the EU?
Sometimes. Zapier offers EU data residency controls for certain paid setups, but that does not automatically cover all metadata, support access, subprocessors, or connected destinations. Verify the plan scope before using EU residency as a key approval argument.
Why are Zapier integrations a separate compliance problem?
Because Zapier usually expands the vendor chain. One automation may route the same personal data through multiple apps, each with different terms, retention, subprocessors, and transfer posture. The legal risk often sits in that combined architecture, not just in Zapier alone.
Are task logs and histories a GDPR issue?
Yes. Task history, debug logs, payload previews, and replay features can keep personal data longer than the team expects. Retention settings, deletion testing, and field-level minimisation should be part of the approval workflow.
When is a DPIA required for using Zapier?
A DPIA is usually required when the workflow systematically monitors employees, processes special-category data at scale, supports automated decisions with significant effects, or builds broad customer profiles from multiple sources.
Can German companies use Zapier for sensitive or employee data?
Sometimes, but this is the category where many deployments should pause for a deeper review. Employee data triggers BDSG and often works council questions. Health data, legal-client material, and similar sensitive payloads usually require a narrower architecture and stronger controls than a general-purpose automation hub provides by default.
This page provides general legal information for German companies evaluating Zapier. It is not legal advice for a specific deployment. Compound Law advises businesses and founders in Germany on GDPR, commercial contracts, employment law, and AI-related compliance. If you want to review a Zapier deployment, a DPA, or a sensitive automation workflow, contact us.