Recent ECJ judgement lays down rules
CRM systems are helpful for keeping track of your customer data. It is often necessary to generate copies of that data to run stress tests, trial new features or fix technical issues. Recently, the CJEU had to decide whether this practice is compliant with the principles of purpose limitation and storage limitation. The ruling could have far-reaching implications for your projects as well.
Bottom line of the judgement
Personal data may be retained in test databases only for the duration of the testing procedure and until the issues are resolved. Additionally, the range of customer data used for these purposes has to be limited to the necessary amount. Any further storage violates the principle of storage limitation as set out in Art 5(1)(e) GDPR.
Furthermore, the usage is lawful under the GDPR only as long as the testing is compatible with the original purpose of the data collection according to Art 5(1)(b) GDPR. Any further processing also has to be in accordance with Art 6(4) GDPR. In that sense, the usage of customer data is still a case-by-case decision, but not outright unlawful.
Practical implementation
To clear up any uncertainties and comply with the recent CJEU ruling, consider adding “testing purposes” to the section of your privacy policy that lists the processing purposes. Additionally, you will have to adapt your internal guidelines to ensure that your test databases expire and that only a representative amount of customer data is used.