Stay GDPR compliant with Zoho CRM

Mere protection of a customer's personal data is not enough. GDPR requires that you are transparent and secure in handling their personal data. Make your data collection and data processing comply with GDPR using Zoho CRM.

CRM Software benefits | Zoho CRM

Here's how we can help you

  • Track data sources and ensure double opt-in
  • Obtain and manage consent
  • Encrypt and secure personal data
  • Address data subject requests easily
  • Control the information shared with other applications
  • Features
  • FAQs

Data Collection

Keep track of the sources for your customer data, and validate your customer's interest in your service before you start processing their information.

Data Source Tracking Data Source Tracking
Data Source Tracking

With multiple sources for customer data (webforms, imports, manual creation, APIs, or third-party integrations), keep track of it all under the customer's record details. In the case of webforms, additional details like form name and IP address will be captured.

Double Opt-in

Data Processing

Ensure lawful and secure processing of your customer's personal data. Stay accountable by documenting the processing activities done on a customer's data.

Data Processing Basis Consent Form Marking personal fields Encryption At Rest Audit Logs
Data Processing Basis

Identify, categorize, and mark customers based on one of the six lawful bases for data processing: Legitimate Interest, Consent, Performance of a Contract, Legal Obligations, Vital Interest, or Public Interests.

Consent Form

Based on the type of customer and the personal information being processed, you must ask for their consent. Easily obtain consent through a customizable form, which you can email to your customers.

Marking Personal Fields

Mark fields that contain personal information and decide if the information is sensitive or not. Based on the preferences under the Compliance Settings, you can restrict information in these fields from being processed during exports, APIs, and connected services.

Encryption At Rest (EAR)

Zoho CRM uses one of the strongest and most robust ciphers - AES (Advanced Encryption Standard) - to encrypt your sensitive data. In addition to protecting data during transit, Zoho CRM secures data stored in servers using AES-256 encryption standard to ensure anonymity of customer information, in case of a leak or a breach.

Audit Log

Monitor your team's activities with audit logs, so you can track who did what and when. For example, all actions done by your users with respect to record deletion and modifications will be audited.

Data Subject Rights

Customers can exercise various rights they are entitled to under GDPR at any time. Keep track of these requests and address them in a timely manner.

Access (Right to Access)

Let your customers access their data through the Customer Portal. Or let them know they can access it by sending them an email, which you can create by inserting the required merge fields in a template.

Rectify (Right to Rectify)

Export customer information with ease, send to them for rectification, and update it in CRM. If customers have access to the Customer Portal, they can view their information there and update it themselves, when necessary.

Export (Right to Data Portability)

Export customer information as a CSV file, which is directly attached to an email, and then sent to the customer. This export ensures that no information is stored on external devices.

Stop Process (Right to Restrict Processing)

When this right is exercised, the customer's record gets locked automatically to prevent any further processing of the information.

Erase (Right to be Forgotten)

You can easily delete a customer's information from Zoho CRM when a "Right to be Forgotten" is requested. Once deleted, the record will be moved to a blocklist to warn users when the same record is being pushed into the system again.


1. What is GDPR, and how will it impact organizations?
The General Data Protection Regulation (or GDPR) is a new regulation developed by the European Union (EU) which involves the protection and free movement of personal data and the rights of individuals, including children. It is a set of rules which will replace the existing Data Protection Directive (Directive 95/46/EC), and will be enforced across the EU. GDPR will empower EU residents by putting them directly in control of how they want their data to be processed, and will protect their data privacy.
2. Who will GDPR apply to?
GDPR will apply to companies located in the EU, as well as companies who do business with residents of the EU, irrespective of the company's location.
3. What kind of data does GDPR apply to?
GDPR applies exclusively to personal data. Personal data is defined as, "any information that relates to an identified or identifiable person, or a data subject." This includes the data subject's (customer's) name, email address, location, and other online identifiers, such as IP address, social media profile, and types of website cookies.
4. Will GDPR compliance be applicable to all modules in Zoho CRM?
GDPR compliance is applicable only for the people-related modules in the organization. In Zoho CRM, GDPR applies to the Leads, Contacts, Vendors, and custom modules.
5. Who are the key stakeholders in GDPR?
  • Data Subject- Any person whose personal data you collect or process.
  • Data Controller- The person who determines the purpose and methods for processing the data.
  • Joint Controllers- Two or more controllers who jointly determine the purposes and methods of processing data.
  • Data Processor- The person or company who processes data on behalf of the controller.
  • Data Sub-Processor- A third party individual or business which performs data processing for other companies, and is accountable for the processing of data.
  • Supervisory Authorities- Public authorities who monitor the application of GDPR.
6. What are the lawful bases the data controller can use to process customer data?
The data controller can choose from six data processing bases. These are:
  • 1. Contract- This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).
  • 2. Legal Obligation- This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
  • 3. Vital Interests- This applies to urgent matters of life and death, especially with regards to health data.
  • 4. Public Task- This applies to activities of public authorities.
  • 5. Legitimate Interests- Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
  • 6. Consent- Consent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
7. What is LIA?
LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer's personal data. The organization must also conduct an LIA to show that the processing is necessary.
  • The assessment of whether a legitimate interest exists.
  • The establishment of the necessity for processing.
  • The performance of the balancing test.
8. Who/what is a DPO?
A Data Protection Officer (DPO) assists you to monitor internal compliance, informs and advises you on your data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs), and acts as a contact point between data subjects and the supervisory authority.
A DPO also serves as the point of contact between the company and any Supervisory Authorities (SAs) who oversee activities related to data processing. It is recommended to every organization to have a DPO.
9. How can GDPR be enabled for existing customers?
You can enable GDPR for existing customers by clicking Setup > Users and Control > Compliance Settings, turning compliance settings on, and selecting the modules for which compliance will be applicable.
10. What will happen to my existing data in Zoho CRM after GDPR takes effect?
After GDPR takes effect on May 25, all existing records in your Zoho CRM account will need to be marked under the appropriate lawful processing basis. You can do this through:
  • The Overview page
  • List View of the relevant module
  • Individual records
11. How does Zoho CRM help in your GDPR compliance journey?
These are the ways through which Zoho CRM helps you with GDPR compliance.

Data source tracking- Zoho CRM records the source of the data (direct sources like web forms and indirect sources like the UI, imports, APIs and other third-party integrations), and additional details, if any (eg. URL, IP address), in the record's Details page. These details are shared with the customer, on request.

Marking personal fields- Users have the option to mark those fields containing personal data and also mark the sensitive fields.

Data subject rights- Your customers also have the right to ask to access, rectify, delete, export and restrict their data from being processed. As the data controller, you need to perform those actions.
12. What rights will data subjects have under GDPR in Zoho CRM?
Data subjects will have five out of eight fundamental rights under GDPR in Zoho CRM:
  • The Right to Access- Customers have the right to know exactly what information is held about them and how it is processed. (GDPR Article 15)
  • The Right to Rectify- Individuals/customers have the right to get their personal data rectified, in case it is inaccurate or incomplete. ( Article 16)
  • The Right to Portability- Customer-specific information can be exported, attached to an email, and sent to customers in a machine readable format (CSV), without being downloaded onto your device (Article 20).
  • The Right to Restrict Processing- Individuals have the right to limit the purposes for which the controller can process their data. (Article 18)
  • The Right to Erasure- Also known as "The Right to be Forgotten," individuals have the right to have their personal data deleted or removed whenever they want. (Article 17).
13. What are the different ways through which you can obtain consent from the customer?
You can obtain consent from the customer either through email (inline email or a consent form attached to the email), through portals, or orally through phone calls.
14. What will happen if organizations don't comply with GDPR?
Organizations can be fined up to 4% of their annual global turnover, or 20 million euros (whichever is higher), for the most serious data breaches or infringements, including not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
They can be fined 2% of their annual global turnover, or 10 million euros (whichever is higher), for not having their records in order, not notifying the supervisory authority and customer about a breach, or not properly conducting an LIA.
15. My business isn't based in the EU. I don't have customers from the EU either. Do I still need to comply with GDPR?
GDPR is not mandatory if you don't have a business in the EU or deal with EU residents. However, if you want to ensure better security and privacy of customers' data, it is recommended to have GDPR compliance turned on. You can do this by clicking on Setup > Users and Control > Compliance Settings and turning it on.
16. Is encryption of data mandatory under GDPR?
No, GDPR doesn't mandate the encryption of customers' data. However, Zoho CRM allows you to encrypt fields manually in the field's properties page.
17. Can I use the encrypted field in a webform?
Yes, you can use an encrypted field in the webform.
18. I have turned compliance off. How will this affect the existing data processing basis of my records?
When you go to the compliance settings page and turn compliance off, the processing activities that you had previously done with the data subject's data will become ineffective, and the data will be processed without any basis.
19. Can customers delete or remove their data from Zoho CRM?
Customers can use The Right to Erasure (also known as Right To Be Forgotten) (Article 17) to request that their personal data be deleted or removed from CRM. As a data controller, you will have to delete the data if the customers ask for it, unless you have overriding legal obligations for keeping the data (Refer to Article 17 of EU GDPR).
20. How can the data controller keep track of the various data processing activities that have taken place in Zoho CRM?
The data controller can go to the existing timeline view in Zoho CRM and track the updates and changes made to the data processing activities of individual records.
21. Is double opt-in mandatory for data processing?
No, double opt-in is not mandatory for data processing. However, a double opt-in is recommended to ensure that customers are genuinely interested in the product. Under double opt-in, customers will receive an additional email to confirm their identity, once they've signed up through webforms.
22. What happens to the data if the customer doesn't respond to a consent email within a certain time period?
If the customer doesn't respond to a consent email, the data controllers can decide how long they want to wait for a response. Once it exceeds that time period, the status of the records will be Not Responded and the data will not be processed.
23. How can the data controller classify fields in Zoho CRM?
The data controller has the option to mark the user's fields as personal and sensitive in Zoho CRM. The controller can also decide to restrict these fields from activities like exports, APIs, and other connected services of Zoho CRM. (Books, Finance, Campaigns, etc.)
24. Can I filter leads and contacts depending on the data processing basis?
Yes, you can filter leads and contacts based on their data processing basis.
25. Can data subjects edit or delete their own data before giving consent to the data controllers?
Yes, data subjects can edit and update their personal data, through the Right to Rectify (Article 16) and the Right to Erasure (Article 17).
26. Who can access the Compliance Settings in Zoho CRM?
Those with the Administrator profile can access the Compliance Settings in Zoho CRM.
27. How often can I review the lawful basis of processing data?
As the data controller, you should periodically review the lawful basis under which you processed data. This is because the lawful basis under which you initially processed personal data and the purpose of data collection can change over time.
28. My data currently resides in the US data center. How can I migrate this data to the EU data center for GDPR compliance?
GDPR doesn't mandate that data should reside only within the borders of the EU. It actually provides great transfer mechanisms for the free flow of data to and from countries outside the EU as well.

Some of these transfer mechanisms are the Binding Corporate Rules (Article 47), Privacy Shield and Model Contractual Clauses, among others. So if you have data in the US ( and have signed the Data Processing Addendum (DPA), your data is safe.

The DPA, which references the EU Model Contractual Clauses will still help in the transfer of data from non-EU countries. If you'd like us to send you your updated DPA, send an email to and clearly mention if you've signed up in or

However, if you really need to migrate your data to the EU DC, you can send an email to mentioning all the services you are using. This email will be forwarded to the relevant product teams.
29. Where can I find additional resources on GDPR?
Here are some links you can refer to for additional reading on GDPR
Note: Zoho Corporation is not responsible for the content in these pages and does not endorse these links.
30. Can I mark my data as personal?
Yes, you can mark your data as personal. Once you do that, you can additionally choose which fields you want to mark as normal and which fields you want to mark as sensitive.
31. How many fields can I mark as personal?
You can mark a maximum of 30 fields in each module as personal.
32. Which field types can be marked as personal?
All fields, with the exception of the lookup, user lookup, formula and auto number fields can be marked as personal.
33. How can I mark my data as personal?
To mark your data as personal:
  • Go to Setup > Customization > Modules and Fields
  • Hover your mouse pointer over the module that has the data subjects' personal information.
  • Click Manage Personal Fields from the drop-down list.
  • In the Manage Personal Fields section, click Mark Personal Field.
  • Select the data type as either Normal or Sensitive.
  • Click Done.
34. Once I've marked my data as personal, how will it impact data processing?
When you mark your data as personal, the data will be restricted from activities like exports, APIs and other connected services of Zoho CRM (Books, Finance, Campaigns etc).
35. Can the fields in subforms also be marked as personal ?
Yes, you can also mark those fields which are supported for processing in subforms as personal.
36. How do I enable double opt-in for my web form?
To enable double opt-in:
  • Go to Setup > Developer Space > Webforms > Create Web Form.
  • Drag and drop the fields that you want in your web form.
  • Click Next Step. In the Form Details page, enter the relevant form details.
  • In the Manage Personal Fields section, click Mark Personal Field.
  • Select the Enable Double Opt-In slider and save the changes.
37. Can I restrict personal data from being accessed outside Zoho CRM?
Yes, you can restrict the data subject's personal data from being accessed outside Zoho CRM. Once you've marked the data as normal and sensitive, you can
  • Restrict Data Transfer to Zoho Apps/ Integrations
  • Restrict Data Access through API
  • Restrict Data in Export
  • Restrict Data Access to Third Party Apps
38. How can I restrict personal data from being shared?
To restrict personal data from being shared:
  • Go to Setup > Users and Control > Compliance Settings.
  • Click on the Preferences tab.
  • Under Personal Data Handling, select where you would like to restrict data transfer (Zoho Apps, Third-party apps, APIs, Export)
39. Where can I update the data processing basis?
You can update the data processing basis for customers in the record details page. Click on the Data Privacy Tab, select or edit the data processing basis. You can also select records from the list view of a module and update the data processing basis. The third way that you can do this is through the consent overview dashboard. Go to Setup > Compliance Settings, click on the Overview tab, select the records and update the data processing basis.
40. What is waiting period?
It is the amount of time you would like to wait for a response to your consent email. The organization can set this waiting period. Once it exceeds this waiting period, all processing activities related to the record will be stopped.
41. Can I add a record that was previously block listed back into CRM?
Yes, a record which had been previously block listed can be added again as a new record into CRM. Before you add the record, you will receive an alert saying it was previously block listed.
42. Can the data subject use Portals to update his/her consent?
Yes, you can get the customer's consent through Portals.
43. Can data subject rights be raised through Portals?
Yes, data subjects rights can be raised through Portals.

Disclaimer : The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.