GDPR and Schrems II: What It Means for Your CRM

The General Data Protection Regulation (GDPR) requires that personal data transferred outside the EU/EEA has adequate protection. The 2020 Schrems II ruling by the Court of Justice of the European Union invalidated the Privacy Shield framework, making transfers of personal data to the US legally complex.

What this means in practice for your CRM choice:

  • Standard Contractual Clauses (SCCs) are now the primary mechanism for US data transfers, but they require case-by-case assessment of the receiving country's surveillance laws
  • Transfer Impact Assessments (TIAs) must be conducted for each third-party processor — including your CRM vendor
  • Supplementary measures like encryption may be required, but are not always sufficient if the CRM vendor can access data in the clear
  • Public sector procurement in the Nordics increasingly treats EEA-only data processing as a baseline requirement

The simplest path to compliance: choose a CRM that stores and processes data within the EEA. If the data never leaves the EEA, Schrems II transfer rules do not apply.

Toolboks: Built in Stavanger, Data Stays in Norway

Toolboks is a Norwegian company, built in Stavanger, with all infrastructure hosted in Norway. Your customer data — contacts, contracts, invoices, activity logs — never leaves Norwegian soil.

What Norwegian data residency means for your business:

  • No cross-border transfers — Data stays in Norway, within the EEA. Schrems II transfer restrictions do not apply.
  • Norwegian legal jurisdiction — Your data is subject to Norwegian law, not the US CLOUD Act or similar foreign legislation.
  • Public sector ready — Meet data residency requirements for Norwegian and Nordic public procurement without additional legal review.
  • GDPR compliant by design — Data processing agreements, retention policies, and access controls built into the platform from day one.
  • No third-party US sub-processors for core data — Your CRM data is not routed through AWS US-East, Google Cloud US, or other US-based infrastructure.

For Nordic businesses that take data protection seriously, choosing a locally built CRM is not just about compliance — it is about trust. Your customers expect their data to be handled with care, and you can tell them exactly where it lives.

Why Data Residency Matters for Nordic Businesses

Data residency refers to the physical location where your business data is stored and processed. For Nordic businesses — especially those handling customer personal data, financial records, or serving public sector clients — knowing exactly where your CRM data resides is not a nice-to-have. It is a compliance requirement.

When you use a US-based CRM like Salesforce, HubSpot, or Pipedrive, your customer data typically crosses the Atlantic. It is stored on US servers, processed by US-based infrastructure, and subject to US legal frameworks like the CLOUD Act, which allows US authorities to compel access to data stored by US companies regardless of where the data is physically located.

For many Nordic businesses — particularly those in healthcare, finance, education, or public sector — this creates a compliance gap that is difficult to close with contractual clauses alone.