A Choice of Governance, Accountability, and Long-Term Vision

The question is no longer theoretical. It now cuts across all organizations, both public and private: Do companies have a collective responsibility to build a sovereign CRM ecosystem? The perspective of Hubert Poncelet, General Counsel at efficy Belgium.

Long viewed as a mere sales tool, CRM has become the central infrastructure of business intelligence. It consolidates customer data, market knowledge, purchasing behaviors, decision-making cycles, and revenue forecasts. “Entrusting your CRM means entrusting much more than just software: it means delegating part of your strategic memory,” says Hubert Poncelet, General Counsel at efficy Belgium.

The debate is no longer solely about functionality, usability, or ROI. It now centers on three fundamental dimensions: the protection of individuals’ fundamental rights, legal control over data, and the sharing of the value created by that data.

In Europe, the principle is clear: citizens’ data must be protected in accordance with European standards. However, the recent history of adequacy decisions between the European Union and the United States reveals recurring legal instability. Two successive agreements (Safe Harbor and Privacy Shield) have already been invalidated by the Court of Justice of the European Union. The third, the Data Privacy Framework (DPF), although approved in 2025, remains controversial and is still the subject of debate.

Can a long-term strategy be built on a potentially fragile legal framework?

Who actually controls the data? It is often claimed: “The data is hosted in Europe.” But sovereignty is not limited to the geographical location of servers. It begins where control over the code lies, where parent companies have access, where extraterritorial legal obligations apply, where invisible sub s are involved, and where update and support mechanisms are in place.

Legislation such as the Cloud Act or FISA introduces an extraterritorial dimension to companies’ legal obligations. Thus, a company owned by an entity subject to a foreign jurisdiction—for example, a European subsidiary of an American corporation—may be legally compelled to provide data, regardless of its physical location.

The Cloud Act (enacted in 2018) allows U.S. authorities (FBI, NSA, DOJ) to demand access to any data stored by a U.S. company, even if that data is hosted in Europe or elsewhere. In other words, the location of the servers does not protect the data if the company is subject to U.S. law.

Similarly, Section 702 of the FISA (Foreign Intelligence Surveillance Act) authorizes the mass collection of foreign personal data stored on U.S. servers, including that of European citizens. This means that data transiting through or stored on U.S. infrastructure—even if it pertains to residents outside the United States—can be accessed and analyzed by U.S. intelligence agencies without the individuals concerned being notified.

These mechanisms therefore pose a major legal and strategic risk for European organizations, particularly with regard to data protection and digital sovereignty. The question, therefore, is not only where the data is stored, but also who can legally access it.

Has choosing a CRM become a political act?

Yes, in the noblest sense of the term. It determines which jurisdictions the company is subject to, which technological ecosystem it contributes to, which digital governance model it participates in, and where the economic value generated is redistributed. Choosing a CRM means choosing a digital infrastructure model. And when a large number of players in a given region make the same choice, it shapes the local ecosystem in a lasting way. Companies are no longer mere consumers of technology: they are systemic players.

The 5 Essential Questions to Ask Before Choosing a CRM

  1. First, where is the data actually processed? Beyond hosting, what are the cross-border data flows, and is there remote access outside the European Union?
  2. Second, who is the supplier’s beneficial owner? The ownership structure, parent company, and legal dependency must be carefully examined, as a European subsidiary is not always legally independent.
  3. Third, which subcontractors are involved? Does the contract clearly list all technical service providers?
  4. Fourth, what is the level of contractual control? Audit clauses, reversibility, portability, oversight of updates, and transparency regarding security are all critical factors.
  5. Finally, who captures the strategic value generated by the data? Does the software vendor improve its algorithms using customer data, and is there an implicit sharing of business intelligence

The Collective Challenge

This is not about pitting stakeholders against one another or demonizing business models. It is about strategic clarity. In an unstable geopolitical context, marked by regulatory tensions and digital restructuring, technological dependence is becoming a source of vulnerability. Companies—particularly those that handle sensitive data or operate in critical sectors—have a collective responsibility. Every individual decision helps shape the digital ecosystem of tomorrow. Sovereignty does not mean isolation. It means the ability to make informed choices.

Today, choosing a CRM is no longer just about selecting a tool. It is a choice of governance, accountability, and long-term vision.

Sources :