GDPR and EU Servers

seanearley
Member

Based on your GDPR page, HubSpot is still basing its compliance on Privacy Shield.

 

https://www.hubspot.com/data-privacy/gdpr/product-readiness

 

Unfortunately, as of July 2020, Privacy Shield was declared void and has not been updated.

 

https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update

 

Currently in Europe, in order to be fully compliant, EU client data MUST be stored on EU servers and not be transferable to other non-EU countries. The USA included.

 

https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/in...

 

So my question is, do you have EU servers and are you storing EU data on EU servers? Because if not, then legally, nobody can use your service to do business in Europe. We have consulted multiple German lawyers, and all of them state very clearly that if you don't use EU servers, then you are not compliant. Their advice was clearly to "stay away from all USA-based SAAS companies. This is a tidal wave in the making."

 

This is concerning because so far I can count on one hand the number of CRM/Marketing/Email SAAS companies that actually are fully compliant with EU servers. Everyone is still referencing Privacy Shield for compliance, but again, this is no longer valid. The trend in Germany is also moving towards becoming more strict on this topic, so I don't understand how nobody in the entire US tech industry can not be addressing this?

Can someone from your legal team clarify this? I love your service, but I can't find proof that my EU clients can legally use it.


Accepted Solutions
jennysowyrda
Solution
Community Manager

Hi @seanearley,

 

Thank you for reaching out. 

 

Based on our Customer Terms of Service and Data Processing Agreement, HubSpot relies on standard contractual clauses as a legal basis for transfer of personal data. HubSpot takes necessary measures to provide appropriate safeguards, including incorporating these standard contractual clauses. Please note, HubSpot does not rely on Privacy Shield as a legal basis for transfers of personal data; however, we still follow Privacy Shield Principles.

 

As of July 2021, HubSpot provides regional data hosting in Europe. Please see here for HubSpot’s Regional Data Hosting Policy. For additional information on HubSpot Cloud Infrastructure and Data Hosting please see this Knowledge Base Article.

 

To reiterate in light of the Schrems II ruling, we have publicly noted our commitment to protecting our customer’s data, including providing for a safe and legitimate transfer mechanism for data transfers from the EU to the US. For more information, please see here for our updates on HubSpot’s commitment to protecting EU data transfers.

As a quick summary:  

  • HubSpot relies on the European Commission's standard contractual clauses (or SCCs) which are included in our Customer Data Processing Agreement as a valid data transfer mechanism between the EU and US. 
  • We no longer rely on EU-US Privacy Shield as a transfer mechanism. And, although the EU-US Privacy Shield is no longer relied upon, the SCCs automatically apply and ensure that data is safely transferred from the EU, so our customers and partners can continue to use HubSpot without disruption, seamlessly transitioning to the new set of SCCs starting September 2021.
  • HubSpot now has Regional Data Hosting available in Europe; please see here for more information.

 

Thanks!
