Identifying GDPR-compliant CRM integrations

Red Cactus is not the only developer of CRM integrations for telephony platforms.
But as a Red Cactus partner, you have a clear competitive advantage: our integrations are demonstrably GDPR-compliant, while other solutions often appear to violate fundamental principles of the GDPR. When you're speaking with a potential customer who is considering multiple options, this is a crucial differentiator for you as a partner. But how can you tell which integrations truly comply with the GDPR — and which ones may not?

Essential information to begin with

When developing CRM integrations for telephony platforms, two technical approaches are commonly used to process personal data such as names, phone numbers, and other customer information. CRM integration developers typically adopt one of the following two methods:

1. Periodic Data Synchronization (copying and storing)
   In this model, a selection of personal data from CRM systems is periodically copied to an external environment, where it is processed — for example, to identify the caller. This approach is technically simpler and more cost-effective to implement, and is widely used in the market.
   
   
2. Real-Time Access (federated queries)
   In this model, data is retrieved at the moment it is needed, without being stored externally. This requires more complex integrations and API connections, but ensures minimal data processing. Red Cactus adopts this model as its standard, based on the principles of privacy by design and data minimization.

Data synchronization or real-time access? What does the GDPR say?

Under the GDPR, the focus is not on the technology itself, but on the legal basis for processing personal data. At the same time, technical choices are inherently linked to how a CRM integration developer implements that processing. GDPR requires that the chosen technical approach must be appropriate for the purpose, necessary, and aligned with principles such as data minimization and storage limitation.

If a CRM integration developer opts for periodic data synchronization (copying and storing) instead of real-time access (federated queries), they must be able to demonstrate why that choice is justified and how they still comply with the core principles of the GDPR, even though safer and more privacy-friendly alternatives are available.

Although the GDPR does not explicitly mandate real-time access (federated queries) as the required technical method for CRM integration developers, the following provisions illustrate why choosing the alternative — periodic data synchronization — is problematic and fundamentally at odds with the spirit of the law:

_{Article 5(1)(c) – Data Minimisation
"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."}

Why this constitutes a violation: If the intended purpose can also be achieved by retrieving data at the moment of use (real-time), then storing entire datasets is not necessary. With periodic data synchronization, you process more data than needed, which violates the principle of data minimisation.

_{Article 5(1)(e) – Storage Limitation
"Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."}

Why this constitutes a violation: If personal data can be retrieved in real time and there is no necessity to store it, the justification for long-term or structural storage no longer applies. The principle of storage limitation requires that data be retained only for as long and in such a form as is strictly necessary for the intended purpose. Periodic data synchronization often disregards this principle, as data continues to be stored even when this is functionally unnecessary due to the technical possibility of real-time retrieval (federated queries).

_{Article 25 – Data Protection by Design
"The controller shall [...] implement appropriate technical and organisational measures [...] which are designed to implement data-protection principles [...] in an effective manner."}

Why this constitutes a violation: If real-time access is technically feasible, Article 25 obliges the data controller to incorporate this option into the design of the processing. If despite this the controller opts for data synchronization involving the storage of personal data, while this poses greater privacy risks and is not functionally necessary, then privacy-friendly measures are insufficiently applied. This constitutes a breach of the principle of ‘privacy by design’.

_{Article 6(1) – Lawfulness of Processing
"Processing shall be lawful only if [...] the processing is necessary..."}

Why this constitutes a violation: The necessity criterion applies to all legal bases for processing, such as legitimate interest or performance of a contract. If the storage of personal data is not necessary because the purpose can also be achieved through a safer and less intrusive alternative, the processing does not meet the conditions of Article 6. In that case, the processing is not lawful, unless one relies on a very broad and creatively interpreted justification of the chosen legal basis.

Real-time access also prevents this often-overlooked issue

In addition to privacy and security concerns, there is another significant drawback to periodic data synchronization (copying and storing) compared to real-time access (federated queries): the data is not always up to date. Since synchronization operates on fixed time intervals, there is an inherent delay in data transfer. For example, if you add a new contact in your CRM, it will only be recognized during phone calls after the data has been copied to the CRM integration developer’s database and that only happens during the next synchronization cycle.

How awareness can help you win the deal

As surprising as it may seem after reading the GDPR principles outlined in this article, integrations based on copying and storing data are still common across nearly every sector — even in highly sensitive fields like healthcare and legal services. That’s not unusual, as this type of integration is technically simpler, cheaper, and faster to build than a real-time solution like those offered by Red Cactus.

But how can you tell whether a competitor is offering integrations based on periodic data synchronization? There are several indicators. The simplest is to check whether the data is always up to date, or if it's refreshed at fixed intervals. Another approach is to raise awareness among customers and encourage them to ask targeted questions to the provider of the competing solution.

In doing so, you increase awareness among customers and partners, and help them maintain control over where their CRM data resides — significantly reducing the risk of unnecessary data breaches. For organizations that want to handle customer data responsibly, that’s a crucial differentiator.

The more end customers become aware of this, the greater the pressure on the market to develop integrations that are both functional and GDPR-compliant. This reduces the likelihood of errors, improves integration quality, and gives you the decisive edge to win the deal based on quality.

Bubble Desktop and Bubble Cloud

The architecture of both Bubble Desktop and Bubble Cloud is built on the privacy-by-design principle. This means real-time communication via federated queries, supported by a robust and secure infrastructure. But we go even further. Whenever a CRM platform offers a certification program, we actively participate wherever possible. That’s why many of our 200+ CRM integrations on the marketplace feature a green label marked “Official Integration Partner.” This builds trust with end customers and gives Red Cactus partners a clear competitive advantage.