If you're using GoHighLevel (also known as HighLevel or GHL) and doing business in the UK or EU, you're legally obliged to follow the rules set out under GDPR.
One area that is often overlooked, but is at the heart of GDPR, is the use of personal data and who is responsible for it.
Disclaimer: The information provided in this guide (and any associated downloads or web pages) is for general informational purposes only. While every effort has been made to ensure accuracy, this content does not constitute legal advice. GDPR and data protection laws can be complex and may vary depending on your specific circumstances or jurisdiction. You are strongly encouraged to consult a qualified legal professional or data protection officer (DPO) to ensure your business practices, policies, and communications are fully compliant.
Data Controller = the person or business who decides what data is collected and why.
Data Processor = the service or person that processes that data on the controller's behalf.
If you're using HighLevel for your own business, you are the Data Controller and HighLevel is the Data Processor. It's a basic arrangement that ensures that both you and HighLevel are GDPR compliant. However, if you're an agency or are white-labelling HighLevel, a different set of rules apply.
A DPA is a legally required contract under GDPR when someone handles data on behalf of someone else. It's like saying: "Yes, I'll take care of your customer data, and I promise not to mess it up."
HighLevel have taken steps to help you comply with GDPR:
* They provide a Data Processing Agreement (DPA) with Standard Contractual Clauses for data transfers to the US
* They are certified under the Data Privacy Framework to handle data in the UK & EU
* They do not use your contact data for their own purposes; they only process it on your instructions
* They have security safeguards and measures in place to ensure that any personal data they hold is stored securely
As a data processor, they are fully GDPR compliant.
HighLevel's DPA is available to download inside of your Agency Account. Head to:
Agency View > Settings > Compliance > GDPR Compliance
...to download your copy of the DPA and sign it. This is a legal document that confirms your relationship with HighLevel. If you're using HighLevel for your own business, this is the document that will be called upon in any GDPR investigation.
The key principle is simple: DPAs are only needed when one party is processing data on behalf of another. When both parties are making their own decisions about data (joint or independent controllers), they need different types of agreements or separate compliance frameworks entirely.
If you're just using HighLevel to help run your business, you are making the decisions about what to do with that data (making you the Data Controller) and HighLevel is processing it (making them the Data Processor). If this is your relationship with HighLevel and you've signed the DPA, then yes, you are covered.
However, HighLevel can be used in a number of different scenarios, which are broken down with guidance below...
Controller = decides what data is collected, why, and how it's used.
Processor = acts only on instructions from the controller, doesn’t decide purpose or means.
Example: You're a coach, consultant, or business using GHL to manage your own clients.
* You = Controller
* HighLevel = Processor
* You decide what data to collect, how to contact people, what automations to run. HighLevel just follows your setup.
✅ You must:
* Sign HighLevel’s DPA
* Have a privacy policy and lawful basis for processing
* Handle data requests from your contacts
Example: You run campaigns, manage contacts, set up automations inside your client’s sub-account under the instructions of your client.
Now the roles shift:
* Your client = Controller
* You (agency) = Processor
* HighLevel = Sub-Processor
✅ You must:
* Sign a DPA with your client
* Ensure your client signs HighLevel’s DPA
* Be able to help your client handle DSARs and data deletion
* Notify your client if there's a breach
Even if you're making high-level marketing decisions (e.g., writing emails, segmenting lists, scheduling automations) and influencing the strategy, you're still processing the data on your client's behalf.
Example: You're a marketing agency that takes full control of your client's customer marketing. You upload their customer lists, decide what campaigns to run, write all content, choose targeting, and manage everything without client input. Your client has no access to HighLevel and doesn't give you specific instructions about individual campaigns.
* You (agency) = Controller (for marketing activities)
* Your client = Controller (for their original customer relationship)
* HighLevel = Processor
✅ You must:
* Have a Joint Controller Agreement in place
* Create your own privacy policy explaining your marketing processing
* Sign HighLevel's DPA (you're the controller instructing HighLevel)
* No DPA needed with your client (you're both controllers, not controller-processor)
Example: You provide GHL under your own brand (completely white-labelled) and let clients run their own automations, manage contacts, etc.
* Your client = Controller
* You = Processor
* HighLevel = Sub-Processor
Even if you don't touch the data, the fact that you host and manage the infrastructure (and technically can access the data) may make you a Processor. Think of it like AWS or Mailchimp: hands-off doesn't mean zero responsibility.
✅ You still need:
* Your own DPA with clients
* Your privacy policy outlining sub-processors (like HighLevel)
* A signed DPA with HighLevel
Example: You provide GHL under your own brand (completely white-labelled) and manage contacts & set up automations inside your client’s sub-account.
* Your client = Controller
* You (agency) = Processor (AND platform operator)
* HighLevel = Sub-Processor
You take on greater responsibility, since from the client's point of view you are the software provider, not HighLevel. This increases your risk and compliance duties.
✅ You need:
* Your own DPA and Terms of Service
* Data access processes and security measures
* Clear privacy communication around how you (and HighLevel) process data
Understanding your role under GDPR isn't just about compliance paperwork, it's about knowing your responsibilities and protecting both your business and your clients' data. The key takeaway is simple: whoever makes the decisions about data processing bears the compliance burden.
Whether you're a Controller making strategic decisions, a Processor following instructions, or operating in a Joint Controller arrangement, each role comes with specific obligations. Getting this wrong doesn't just create legal risk. It can damage client relationships and your professional reputation.
The most important steps to take now:
* Assess your current client relationships honestly: are you making independent marketing decisions or following specific instructions?
* Get the right agreements in place: DPAs for controller-processor relationships, Joint Controller Agreements where you share decision-making, or clear contractual terms between independent controllers.
* Document your processing activities and ensure you have lawful bases for all data processing.
* Review your privacy policies to accurately reflect your role and any sub-processors you use.
GDPR compliance isn't a one-time checkbox exercise - it's an ongoing responsibility that evolves with your business relationships. When in doubt, err on the side of transparency with your clients and data subjects. Clear communication about data processing builds trust and demonstrates your commitment to data protection.
Remember: compliance protects everyone - your business, your clients, and ultimately the individuals whose data you're processing. Take the time to get it right, and don't hesitate to seek professional legal advice for complex situations.
The digital marketing landscape will continue evolving, but your commitment to responsible data processing should remain constant.
"With over 25 years of digital marketing expertise and as the UK's first certified HighLevel administrator, I've helped businesses of all sizes transform their marketing operations and achieve dramatic growth.
GDPR compliance is essential for every business operating in the EU/UK, including businesses who provide services to customers in that area.
However, it's often overlooked and under-prioritised, which could leave your business open to serious penalties for non-compliance."
The HighLevel GDPR Snapshot gives you plug-and-play HighLevel templates, compliant workflows, policy generators, and a full setup guide. Everything you need to make compliance part of your growth strategy.
Don't Delay! Get the GDPR HighLevel snapshot today and kiss goodbye to GDPR worries.
Still unsure this is right for you? Check out the FAQ.
No - it’s designed to comply with UK and EU GDPR, so it’s perfect for anyone targeting customers in the UK or Europe. If your clients or leads are based there, this applies to you.
It’s built for HighLevel - so if you use GoHighLevel, you’re good to go. Just import the snapshot and start using the prebuilt assets.
Yes - a short companion course is coming soon, walking you through how to set everything up and how to talk to clients about compliance. You'll get access as soon as it's ready.
Yes. The snapshot includes granular consent options so users can opt-in to email, SMS, and WhatsApp individually - in line with GDPR best practices.
Absolutely - this is ideal for agencies. Use it as-is or customise it for each client. It saves hours of setup time and helps you sell GDPR compliance as a premium add-on.
No. This snapshot gives you a solid, compliant working system - but it’s not a substitute for formal legal advice. Always check with a legal professional if you're unsure about specific situations.
No problem - just assign your existing forms to the pre-built workflows and it'll work perfectly.
Disclosure: Boost My Business is an independent entity from HighLevel. We are not an agent or employee of HighLevel and have no authority to make binding contracts or represent HighLevel. We receive referral payments from HighLevel. The opinions expressed here are our own and shall NOT be interpreted or considered as representations, guarantees, or statements made by HighLevel Inc or any of its subsidiaries, agents, or assigns.