Data Privacy for Customer Data: Obligations and Best Practices

Customer data forms the backbone of every business relationship. Names, addresses, phone numbers, purchase histories and communication preferences accumulate over years. But with each piece of stored information, your obligations grow. The GDPR sets clear requirements for handling personal data, and customer records sit right at the centre of those rules.
Yet many businesses remain uncertain. Which data may you store, and for how long? Who should have access? And what happens when a customer demands disclosure or deletion? The answers to these questions determine not only your legal standing but also the quality of your data assets.
Which Customer Data Falls Under Data Privacy Law?
Personal data under Art. 4 GDPR covers any information relating to an identified or identifiable natural person. In a typical customer database, that includes nearly every field:
| Data Category | Examples | Sensitivity |
|---|---|---|
| Identification data | Name, date of birth, customer ID | Medium |
| Contact data | Address, phone, email | Medium |
| Contract data | Orders, contracts, invoices | Medium |
| Payment data | Bank details, credit card, payment history | High |
| Communication data | Email threads, complaints, notes | Medium to high |
| Behavioural data | Purchase history, website tracking, preferences | Medium |
| Special categories | Health data (e.g. pharmacies), religious affiliation | Very high |
The key point: data that appears harmless on its own can identify a person when combined. A postcode alone is not personal data. Together with a surname and date of birth, it becomes part of a protected record.
B2B Contacts: A Special Case
Pure business-to-business contacts without reference to natural persons do not fall under the GDPR. However, as soon as a contact person with name and email is recorded, data protection applies in full. In practice, purely company-level records without any personal reference are rare.
The Five Most Common Mistakes with Customer Data
Many organisations believe their data privacy practices are solid. Yet the same problems appear again and again:
1. Storing data without a legal basis
Every processing activity requires a legal basis under Art. 6 GDPR. A frequent mistake: addresses collected for a prize draw are used for newsletters, even though the consent only covered the competition. Or contact details from trade fair business cards end up in the CRM without documented consent or legitimate interest.
2. No defined retention periods
Customer data accumulates but never gets deleted. Many CRM systems contain records of customers who have had no contact for five or ten years. Without a documented deletion policy, this violates the storage limitation principle (Art. 5(1)(e) GDPR).
3. Uncontrolled access
The entire customer database is visible to every employee, from sales to accounting to interns. This contradicts the data minimisation principle. Each employee should only see the data they need for their specific role.
4. Data in insecure formats
Excel files with customer data on shared network drives, CSV files forwarded by email, address lists on USB sticks. All of these are privacy risks that occur daily in practice and immediately stand out during an audit.
5. Missing documentation
No record of processing activities, no documented legal bases, no logs of data subject requests. When a supervisory authority asks questions, you must be able to demonstrate compliance. Without documentation, it becomes your word against theirs.
Legal Bases for Processing Customer Data
The GDPR lists six possible legal bases in Art. 6. Four are relevant in practice for customer data:
Overview of legal bases for customer data:
Contract performance (Art. 6(1)(b))
├── Delivery address for orders
├── Billing address for payment processing
├── Contact details for contract communication
└── Customer ID for contract management
Legitimate interest (Art. 6(1)(f))
├── Direct mail to existing customers
├── Credit checks for new customers
├── Fraud prevention
└── Internal analysis and statistics
Consent (Art. 6(1)(a))
├── Email newsletter
├── Telephone marketing (B2C)
├── Profiling and personalised advertising
└── Sharing with third parties for marketing
Legal obligation (Art. 6(1)(c))
├── Tax retention requirements (10 years)
├── Commercial law obligations (6 years)
└── Anti-money laundering law (5 years)
Important: different legal bases can apply to the same record depending on the purpose. A customer's delivery address is stored on the basis of contract performance. Using that same address for a marketing mailing relies on legitimate interest. You must document these separately.
Retention Periods: When Customer Data Must Be Deleted
There is no one-size-fits-all answer to how long customer data may be stored. It depends on the type of data and the processing purpose:
| Data Type | Period | Legal Basis |
|---|---|---|
| Invoices and accounting records | 10 years | German Tax Code (AO), Commercial Code (HGB) |
| Business correspondence | 6 years | Commercial Code (HGB) |
| Contract data | Contract duration + 3 years (limitation period) | German Civil Code (BGB) |
| Marketing data (with consent) | Until withdrawal | Art. 7(3) GDPR |
| Marketing data (legitimate interest) | Recommended: 2–3 years after last contact | Art. 5 GDPR |
| Advertising objections | Permanently on suppression list | Art. 21 GDPR |
A practical example:
Customer Max Mueller – last order: 15 March 2023
Invoice address:
→ Retain until 31 December 2033 (tax obligation, 10 years from end of fiscal year)
Delivery address (different):
→ Retain for contract performance (warranty)
→ Delete 3 years after delivery (limitation period), by 31 December 2026 at latest
Newsletter consent:
→ Active until withdrawal
→ If inactive: request re-opt-in after 24 months without opens
Advertising suppression (objection 2024):
→ Keep on suppression list permanently, never delete
The biggest challenge is not the theory but the implementation. In practice, customer data is often scattered across CRM, accounting, Excel files, email systems and sometimes on individual employees' personal drives. A deletion policy only works if it covers all of these storage locations.
Data Subject Rights: What Customers Can Demand
The GDPR grants data subjects extensive rights. In practice, you need to be prepared for four types of requests:
Access request (Art. 15 GDPR)
A customer asks: "What data do you hold about me?" You must respond fully within one month, covering all stored data, processing purposes, recipients and planned retention periods.
This sounds straightforward but becomes complex when customer data sits in multiple systems. A typical scenario:
Systems holding data on "Max Mueller":
1. CRM (Salesforce) → Name, address, phone, purchase history
2. Accounting (DATEV) → Name, address, invoices, payments
3. Newsletter (Mailchimp) → Email, open rates, click behaviour
4. Excel file (Sales) → Name, phone, notes, visit appointments
5. Email inbox → Correspondence containing customer data
If you overlook system 4 or 5 in an access request, your response is incomplete and therefore non-compliant.
Erasure (Art. 17 GDPR)
A customer demands deletion of their data. You must check whether statutory retention obligations apply. If so, you may not delete the data but must restrict it, meaning it can only be used for the legally required purpose and no longer for marketing.
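The retention example for Max Mueller above and the delete-or-restrict rule for erasure requests follow the same logic, so one added example covers both. The code below is not from the article or from ListenFix; the category names, the `DataItem` record and the sample dates are constructed for illustration. It assumes, as the article's example does, that each statutory clock runs from the end of the fiscal year in which the event occurred, so a deadline is always 31 December of the year after the period expires.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Statutory retention periods in years, as listed in the article.
# The clock starts at the end of the fiscal year of the event.
STATUTORY_YEARS = {
    "invoice": 10,                 # AO / HGB: accounting records
    "business_correspondence": 6,  # HGB: commercial letters
    "delivery_address": 3,         # BGB: limitation period (warranty claims)
}


def retention_deadline(category: str, event_date: date) -> Optional[date]:
    """Last day on which the item must still be kept.

    Returns None for suppression-list entries, which must never be deleted
    (Art. 21 objection). Category names are constructed for this example.
    """
    if category == "suppression":
        return None
    years = STATUTORY_YEARS[category]
    return date(event_date.year + years, 12, 31)


def needs_reoptin(last_open: date, today: date) -> bool:
    """True when a newsletter subscriber has had no opens for 24 full months."""
    months = (today.year - last_open.year) * 12 + (today.month - last_open.month)
    if today.day < last_open.day:
        months -= 1  # the current month is not yet complete
    return months >= 24


@dataclass
class DataItem:
    category: str
    event_date: Optional[date] = None  # start of the clock; None for suppression entries


def erasure_decision(items: List[DataItem], today: date) -> Dict[str, str]:
    """Decide, per data item, how to answer an Art. 17 erasure request.

    - suppression entry   -> retain (must survive every deletion run)
    - marketing consent   -> delete (the request withdraws consent, no statutory basis)
    - statutory category  -> restrict until the deadline, delete once it has passed
    """
    decisions: Dict[str, str] = {}
    for item in items:
        if item.category == "suppression":
            decisions[item.category] = "retain"
        elif item.category == "marketing_consent":
            decisions[item.category] = "delete"
        else:
            deadline = retention_deadline(item.category, item.event_date)
            if today > deadline:
                decisions[item.category] = "delete"
            else:
                decisions[item.category] = f"restrict until {deadline.isoformat()}"
    return decisions


if __name__ == "__main__":
    # Constructed sample mirroring the article's example: last order 15 March 2023.
    last_order = date(2023, 3, 15)
    record = [
        DataItem("invoice", last_order),
        DataItem("delivery_address", last_order),
        DataItem("marketing_consent"),
        DataItem("suppression"),
    ]
    for cat, decision in erasure_decision(record, date(2025, 6, 1)).items():
        print(f"{cat:20s} -> {decision}")
```

Running the script with an erasure request dated 1 June 2025 restricts the invoice data until 2033-12-31 and the delivery address until 2026-12-31, deletes the newsletter consent and keeps the suppression entry; the same request in 2027 would delete the delivery address as well.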
Rectification (Art. 16 GDPR)
A customer notifies you of a move and requests their address be updated. The change must be applied across all systems, not just the primary one. That is easier said than done when addresses exist in five different databases.
Objection to direct marketing (Art. 21(2) GDPR)
This right is absolute. If a customer objects to the use of their data for advertising purposes, you must implement this immediately. There is no balancing test and no exception. The customer must go on a suppression list that is checked before every mailing.
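The suppression-list check "before every mailing" only works if small spelling differences (capital letters, a trailing space, "Hauptstraße" versus "Hauptstrasse") do not let a suppressed contact slip through. The following added example, which is not code from the article or from ListenFix, stores only a hash of each normalised identifier, so the suppression list itself is not a second plaintext address list, and filters a mailing run against it. The normalisation rules and the sample contacts are constructed for illustration.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

Recipient = Dict[str, str]  # keys used here: "email", "postal" (constructed schema)


def normalize(kind: str, value: str) -> str:
    """Canonical form of an identifier so that spelling variants compare equal.

    casefold() also maps 'ß' to 'ss'; postal addresses additionally lose
    punctuation and repeated whitespace. Emails keep their dots.
    """
    value = value.strip().casefold()
    if kind == "postal":
        value = re.sub(r"[^\w\s]", " ", value)
        value = " ".join(value.split())
    return value


def fingerprint(kind: str, value: str) -> str:
    """SHA-256 of the normalised value; the list never stores the value itself."""
    return hashlib.sha256(f"{kind}:{normalize(kind, value)}".encode("utf-8")).hexdigest()


class SuppressionList:
    """Permanent Art. 21 objection list, keyed by hashed identifiers."""

    def __init__(self) -> None:
        self._hashes: set = set()

    def add(self, kind: str, value: str) -> None:
        self._hashes.add(fingerprint(kind, value))

    def contains(self, kind: str, value: str) -> bool:
        return fingerprint(kind, value) in self._hashes


def filter_mailing(recipients: Iterable[Recipient],
                   suppression: SuppressionList) -> Tuple[List[Recipient], List[Recipient]]:
    """Split a mailing run into (allowed, blocked). Any matching identifier blocks."""
    allowed: List[Recipient] = []
    blocked: List[Recipient] = []
    for r in recipients:
        hit = any(
            kind in r and suppression.contains(kind, r[kind])
            for kind in ("email", "postal")
        )
        (blocked if hit else allowed).append(r)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample data; the objection entries come from a 2024 complaint.
    objections = SuppressionList()
    objections.add("email", "max.mueller@example.com")
    objections.add("postal", "Hauptstraße 5, 10115 Berlin")

    run = [
        {"email": " Max.Mueller@Example.com", "postal": "Somewhere else 1, 80331 München"},
        {"postal": "HAUPTSTRASSE 5 10115 BERLIN"},
        {"email": "anna@example.org", "postal": "Ringweg 2, 50667 Köln"},
    ]
    ok, stopped = filter_mailing(run, objections)
    print(f"{len(ok)} to send, {len(stopped)} suppressed")
```

Hashing normalised values is a design choice: a matching error would surface as a false negative rather than as a leaked address list, and the list can be shared with a mailing house without handing over the contacts it protects.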
Technical and Organisational Measures
Art. 32 GDPR requires "appropriate" technical and organisational measures to protect personal data. What counts as appropriate depends on the risk. For typical customer data, these minimum standards apply:
Access control
Role-based access model – example:
Sales:
→ Read: Contact data, purchase history, notes
→ Write: Own contacts, visit reports
→ No access: Payment data, HR files
Accounting:
→ Read: Invoice addresses, payment data
→ Write: Payment status, reminders
→ No access: Sales notes, marketing data
Marketing:
→ Read: Addresses, segmentation criteria
→ Write: Campaign assignments
→ No access: Payment data, sales notes
Management:
→ Read: Aggregated reports and KPIs
→ No access to individual records (data minimisation)
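The role model above is easiest to enforce as field-level filtering with deny by default: a role sees only the fields it is granted, unknown roles get nothing, and management only ever receives aggregates. The code below is an added example rather than code from the article or from ListenFix; the field names, the `owner` attribute used for the "own contacts" write rule and the sample records are constructed.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set

# Read permissions per role, following the article's model. Any field not
# listed is invisible to that role (deny by default). Field names are constructed.
READ_FIELDS: Dict[str, Set[str]] = {
    "sales":      {"name", "address", "phone", "purchase_history", "sales_notes"},
    "accounting": {"name", "invoice_address", "payment_data", "payment_status"},
    "marketing":  {"name", "address", "segment"},
    "management": set(),  # no individual-record access at all
}

# Write permissions per role. Sales may only write to contacts it owns.
WRITE_FIELDS: Dict[str, Set[str]] = {
    "sales":      {"sales_notes", "visit_reports"},
    "accounting": {"payment_status", "reminders"},
    "marketing":  {"campaign"},
}


def view_record(role: str, record: Dict[str, object]) -> Dict[str, object]:
    """Return only the fields the role may read; unknown roles see nothing."""
    allowed = READ_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def can_write(role: str, user: str, field: str, record: Dict[str, object]) -> bool:
    """Field-level write check, with an ownership rule for sales contacts."""
    if field not in WRITE_FIELDS.get(role, set()):
        return False
    if role == "sales" and record.get("owner") != user:
        return False
    return True


def aggregate_report(role: str, records: Iterable[Dict[str, object]]) -> Dict[str, object]:
    """Management view: counts only, never a record. Other roles are refused."""
    if role != "management":
        raise PermissionError(f"role {role!r} may not run aggregate reports")
    records = list(records)
    return {
        "customers": len(records),
        "by_segment": dict(Counter(str(r.get("segment")) for r in records)),
    }


# Constructed sample records used by the demonstration below.
SAMPLE: List[Dict[str, object]] = [
    {"name": "Max Mueller", "address": "Hauptstr. 5, Berlin", "phone": "030-0000",
     "invoice_address": "Hauptstr. 5, Berlin", "payment_data": "DE00 ... (constructed)",
     "payment_status": "paid", "purchase_history": ["order-1"], "sales_notes": "prefers email",
     "segment": "retail", "owner": "alice"},
    {"name": "Erika Beispiel", "address": "Ringweg 2, Köln", "phone": "0221-0000",
     "invoice_address": "Ringweg 2, Köln", "payment_data": "DE00 ... (constructed)",
     "payment_status": "open", "purchase_history": [], "sales_notes": "",
     "segment": "wholesale", "owner": "bob"},
]

if __name__ == "__main__":
    print("sales sees:     ", sorted(view_record("sales", SAMPLE[0])))
    print("accounting sees:", sorted(view_record("accounting", SAMPLE[0])))
    print("management sees:", view_record("management", SAMPLE[0]))
    print("alice may edit bob's notes:", can_write("sales", "alice", "sales_notes", SAMPLE[1]))
    print("report:", aggregate_report("management", SAMPLE))
```

The point of deny-by-default is that adding a new sensitive column to the database (a credit score, say) does not silently become visible to every role; someone has to grant it explicitly, which is exactly the review step the article asks for.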
Encryption and secure transfer
Customer data should be encrypted both at rest and in transit. This is especially important for data leaving the organisation, such as when an address list goes to a mailing house or print shop.
Sending unencrypted Excel files by email is one of the most common violations supervisory authorities find during audits. The alternative: encrypted archives or secure transfer channels.
Local processing instead of cloud
When you clean, merge or prepare customer data for mailings, where the processing takes place matters. Cloud services require data processing agreements, checks on server locations and regular audits of the provider. Local processing on your own machine bypasses this complexity entirely.
This is exactly where ListenFix comes in: the software runs entirely offline on your Windows PC. Customer addresses are cleaned locally, duplicates detected and households merged without a single record ever leaving your device. No cloud upload, no third-party involvement, no data processing agreement required. Learn more in our article on GDPR-compliant address cleaning.
Practical Guide: Implementing Customer Data Privacy in 8 Steps
Rather than abstract advice, here is a concrete roadmap that has proven effective in practice:
Step 1 – Conduct a data inventory: List every system where customer data is stored. CRM, accounting, email marketing, Excel files, paper records. Every system counts.
Step 2 – Document legal bases: For each processing purpose, record which legal basis applies. "We have always done it this way" is not a legal basis.
Step 3 – Define retention periods: Set a specific deadline for each data category and document who is responsible for execution.
Step 4 – Review access rights: Who has access to which data? Does the intern really need the full customer database? Grant access on a need-to-know basis.
Step 5 – Create a record of processing activities: The RoPA under Art. 30 GDPR is mandatory for most organisations. It documents which data you process and for what purpose.
Step 6 – Define a process for data subject requests: Who receives requests? How do you ensure all systems are covered? How is the one-month deadline met?
Step 7 – Train employees: Data privacy only works when people in the organisation know what matters. Regular short training sessions are more effective than one-off large events.
Step 8 – Review regularly: Data privacy is not a project with an end date. Conduct at least an annual review: Are retention periods being met? Are access rights still correct? Are there new processing activities that need to go into the RoPA?
What Violations Actually Cost
The GDPR allows fines of up to EUR 20 million or 4% of global annual turnover. In practice, amounts are lower but far from negligible:
| Violation | Typical Fine | Example |
|---|---|---|
| Missing privacy policy | EUR 5,000–25,000 | Online shop without privacy notice |
| Mailing despite advertising objection | EUR 5,000–50,000 | Letter sent to suppressed address |
| Incomplete access response | EUR 10,000–100,000 | System overlooked, data not disclosed |
| Failure to delete | EUR 10,000–500,000 | Old customer data never cleaned up |
| Data breach without notification | EUR 50,000–1 million | Customer data leak without authority notification |
| Systematic violations | From EUR 1 million | Missing TOMs, no RoPA, no DPO |
Beyond fines, additional costs arise: legal advice, internal effort for cooperating with the authority, notifying affected customers in case of a breach, and the trust damage. A publicly known data privacy incident can drive customers away permanently.
Small businesses and associations are not exempt. Supervisory authorities are increasingly auditing SMEs, especially when complaints from data subjects are received.
Customer Data as a Foundation of Trust
Data privacy for customer data is more than a compliance exercise. Organisations that manage their customer data properly benefit in three ways: they avoid fines and legal risks, they work with more reliable data, and they signal to customers that their trust is well-placed.
The effort required is manageable when you approach it systematically. The eight steps in this guide provide a concrete foundation. Start with the data inventory and everything else follows from there. And if you want to be on the safe side with address cleaning: local processing without cloud dependency is the simplest way to eliminate one more data privacy hurdle.