Is HubSpot GDPR Compliant? GDPR Tools, Consent & DPA Setup
HubSpot provides comprehensive GDPR compliance tools built into its platform. When the GDPR functionality is enabled, HubSpot offers consent-based contact management, cookie consent banners, data processing agreements, and tools for handling data subject access requests. Because HubSpot is a US-based service, international data transfer mechanisms are in place.
HubSpot is GDPR compliant when you enable GDPR tools in account settings. HubSpot provides built-in consent management, cookie banners, lawful basis tracking, DPA, and DSAR tools. GDPR features must be manually enabled — they are not active by default.
Compliance Assessment
- HubSpot provides consent-based contact management with lawful basis tracking (consent, legitimate interest, contract). Must be enabled in settings.
- Built-in cookie consent banner that integrates with HubSpot tracking code. Configurable for GDPR consent requirements.
- HubSpot provides a DPA compliant with GDPR Article 28. Available in account settings for all customers.
- Built-in GDPR tools for handling access, deletion, and data portability requests. DSAR dashboard in the privacy settings.
- Track and store the lawful basis for processing each contact (consent, legitimate interest, performance of contract). Requires GDPR mode enabled.
- HubSpot encrypts data in transit (TLS 1.2+) and at rest (AES-256). SOC 2 Type II and ISO 27001 certified.
- HubSpot is US-based. Uses EU-US Data Privacy Framework, Standard Contractual Clauses, and offers EU data hosting for Enterprise customers.
- HubSpot allows configuring data retention for email tracking, form submissions, and contact properties. Must be actively configured.
- Granular email subscription types allow contacts to manage their communication preferences, supporting GDPR consent granularity.
- HubSpot provides activity logs for contact record changes, email sends, and user actions. Enterprise plans offer more comprehensive audit logs.
How to Make HubSpot GDPR Compliant
- Enable GDPR tools in HubSpot Settings > Privacy & Consent > Data Privacy Settings.
- Configure the cookie consent banner to display before HubSpot tracking code activates.
- Set up lawful basis tracking for contacts — configure default legal basis and enable per-contact tracking.
- Accept the HubSpot Data Processing Agreement in Settings > Account Defaults.
- Update all forms to include GDPR-compliant consent checkboxes and privacy policy links.
- Configure email subscription types to provide granular consent options for different communication categories.
Limitations
- GDPR tools are not enabled by default — must be manually activated, and enabling is a one-way setting.
- US-based data processing relies on EU-US Data Privacy Framework and SCCs.
- EU data hosting is only available on Enterprise plans.
- Enabling GDPR mode changes how contact records work and cannot be reversed.
- Third-party HubSpot integrations must be individually assessed for GDPR compliance.
Frequently Asked Questions
Is HubSpot GDPR compliant?
Yes, HubSpot is GDPR compliant when you enable the GDPR tools in account settings. HubSpot provides consent management, cookie banners, DPA, lawful basis tracking, and data subject request tools.
How do I enable GDPR in HubSpot?
Go to Settings > Privacy & Consent > Data Privacy Settings and enable GDPR functionality. Note: this is a one-way setting that changes how contact records work and cannot be reversed.
Does HubSpot have a DPA?
Yes. HubSpot provides a Data Processing Agreement compliant with GDPR Article 28. Accept it in your HubSpot account settings under Account Defaults.
Can I use HubSpot for EU contacts?
Yes. With GDPR tools enabled, HubSpot supports lawful basis tracking, consent collection, and data subject rights management for EU contacts. Enterprise customers can also use EU data hosting.
Does HubSpot offer EU data hosting?
Yes, HubSpot offers EU data hosting (data center in Germany) for Enterprise plan customers. Other plans store data in the US with SCCs and Data Privacy Framework protections.
How do I handle GDPR deletion requests in HubSpot?
Use the GDPR Delete function in the contact record, which permanently removes the contact and their associated data. You can also use the DSAR dashboard for batch processing of data subject requests.
Is HubSpot's cookie banner GDPR compliant?
HubSpot's built-in cookie consent banner can be configured for GDPR compliance. It integrates with HubSpot tracking and can block cookies until consent is given. For complex sites, consider a dedicated CMP like Cookiebot or OneTrust.