When we recommend HubSpot as a CRM and integrated marketing automation platform to our customers, we often see a touch of panic in their eyes: "An American software-as-a-service platform? Can we even use HubSpot in Germany or Switzerland without restrictions regarding data protection and do we have to expect warnings?"
Since May 2018, HubSpot has already provided its users with extensive functions to meet the requirements of the DSGVO. However, there was great uncertainty because in July 2020, the EU-US Privacy Shield was declared invalid by the Schrems II ruling of the Court of Justice of the European Union. "Companies must now check in every case of data transfer to the USA whether their contractual partner offers an equivalent level of data protection. This requires extensive research - also in US law - which hardly any company can manage on its own," reports Stephan Wernicke, legal expert of the Association of German Chambers of Industry and Commerce.
The situation changed again on 4 June 2021. On that day, the European Commission published and adopted two updated sets of standard contractual clauses. HubSpot immediately incorporated the updated standard contractual clauses into its terms of use (see section 5.4 of the HubSpot Terms of Use). The SaaS provider agrees in the Data Processing Agreement to comply with the Standard Contractual Clauses and to process personal data of European citizens in accordance with these clauses, as set out in Section 7(f). The updated Standard Contractual Clauses are included in Annex 3 of the Data Processing Agreement. Since then, HubSpot customers or partners have not been required to take any action to have the updated standard contractual clauses applied to the transfer of their personal data.
Nevertheless, uncertainty persisted about the use of US software in general and HubSpot in particular. This is because data protection compliance was still readily presented as an advantage by European competitors.
On Monday 10 July 2023, the European Commission adopted its adequacy decision for the new EU-US Data Privacy Framework(DPF). This is a self-certification programme similar to the former EU-US Privacy Shield. The new EU-US Privacy Framework now states that the United States ensures an adequate level of protection - comparable to that of the European Union - for personal data transferred from the EU to certified US companies based on the new framework.
On the basis of the new adequacy decision, personal data can therefore be transferred safely from the EU to US companies participating in the framework without the need for additional data protection safeguards.
The new framework brings significant improvements by introducing new binding safeguards to address all concerns raised by the European Court of Justice. This includes limiting US intelligence agencies' access to EU data to what is necessary and proportionate, and establishing the Data Protection Review Tribunal to which EU citizens have access.
US companies can sign up to the data protection framework by committing to detailed data protection requirements. These include, for example, obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when personal data is disclosed to third parties.
HubSpot already participates in the new EU-US Data Privacy Framework, the corresponding certification of HubSpot Inc. can be viewed here: Data Privacy Framework Program: HubSpot, Inc.
The Swiss-US Data Privacy Framework came into force on 17 July 2023. Organisations that had already certified under the Swiss-US Privacy Shield Framework Principles (such as HubSpot, Inc.) must now comply with the new Swiss-US DPF Principles and are thus automatically certified. HubSpot is therefore also already certified under the new Swiss-US Privacy Shield Framework. The corresponding certification can be viewed here: Data Privacy Framework Program: HubSpot, Inc.
However, HubSpot users will not be able to base data transfers from Switzerland to the US on the new Swiss-US Data Privacy Framework until the Swiss Federal Administration has recognised the adequacy of the Swiss-US Data Privacy Framework, which is expected to happen soon.
For German customers, HubSpot's certification means that personal data can be transferred from the EU to HubSpot, Inc. without risk and without any further data protection precautions.