CRM systems are helpful for keeping track of your customer data. It is often necessary to generate copies of that data to run stress tests, trial new features or fix technical issues. Recently, the CJEU had to decide whether this practice is compliant with the principles of purpose limitation and storage limitation. The ruling could also have far-reaching implications for your projects.
Personal data may be retained in test databases only for the duration of the testing procedure and until the issues are resolved. Additionally, the range of customer data used for these purposes has to be limited to the necessary amount. Any further storage violates the principle of storage limitation as set out in Art 5(1)(e) GDPR.
Furthermore, the usage is only lawful under GDPR as long as the testing is compatible with the original purpose of the data collection according to Art 5(1)(b) GDPR. Any further processing has to be in accordance with Art 6(4) GDPR as well. In that sense, the usage of customer data is still a case-by-case decision, but not outright unlawful.