Test data and GDPR

Michaela Holíková 15.09.2022

It might sound familiar. Your company has developed a great product, like SaaS. You have customers who upload data about their employees/customers, etc. to your product. You store their data, evaluate it, or offer additional services and functionality.

Times are fast and so is the competition. But how to keep up with the development? By continuously improving your product. Ideally on a set of real data, which can be the personal data of real users.

Under what conditions can you use raw data for testing without violating GDPR obligations?

Clues can be found through a current court proceeding

A preliminary ruling proceeding is pending before the Court of Justice of the European Union which provides useful guidance on the use of real data in test databases.

What's that about?

  • In 2019, an "ethical hacker" alerted the Hungarian company Digi (internet service provider) that he had access to the personal data of approximately 322,000 people. The company entered into an NDA with the hacker and provided him with a reward (ethical hacking reward).
  • A few days later, it reported the security breach to the local data protection authority on the grounds that it had created a "test database" in 2018 into which it had copied the personal data of a third of its customers.
  • In the course of the Hungarian authority's inspection of Digi, it was found that the company had violated Article 5(1)(b) and (e) of the GDPR by failing to delete the test database originally created to correct the errors after the necessary tests and corrections had been carried out. The Authority further ordered the company to review all of its databases containing personal data to determine whether it was justified to apply a data encryption system to them.
  • The result? A fine of HUF 100,000,000, court proceedings and a preliminary question to the EU Court of Justice: "Is the creation of such a test database in line with the GDPR?"

The proceedings before the CJEU are not yet over. The Advocate General's opinion on the case was issued a few months ago. In it, he focuses on two basic principles that must be taken into account in the case of test databases - purpose limitation and time limitation of storage.

In other words, if the use of test databases is to comply with the GDPR, the principles must be properly considered in the context of fulfilling other obligations under the GDPR.

Principle #1: Purpose Limitation

From the Advocate General's point of view, the principle of purpose limitation consists of two parts:

  • on the one hand, personal data must be collected for "specified, explicitly expressed and legitimate" purposes;
  • personal data must be processed in a way that is consistent with the original purpose.  

Any further use of the personal data processed (other than that for which the data were originally collected) must be examined in respect of the specific purpose of the new processing and its compatibility with the original purpose for which the data were collected.

In practice, we often encounter cases where the collected data are further processed for several other purposes. However, even the different purposes of a particular processing must have an objective and sufficiently close link.

Therefore, for the use of the test database to comply with the purpose limitation principle, users must anticipate ( = be informed of) this testing. At the same time, the testing must be related to the functionalities of the product. It is not recommended to use the database for other applications, for example.

Do you need to prepare an information obligation for the users of your application? Do not hesitate to contact us ↗.

Principle #2: Time limitation of storage

In order to use the test database, the data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. 

The explanatory memorandum to the GDPR clearly states that the retention period of personal data must be "limited to the minimum necessary".

In order to use the test database, it is necessary to store the "raw data" only for the time needed for testing and then delete or anonymize it.

We recommend setting the storage time comprehensively, across the entire company. For all processing activities. A simple document describing the process is ideal. We can prepare such a document, do not hesitate to contact us ↗.


In the light of the Advocate General's opinion, it can be concluded that the use of real data within the test database is possible under the prescribed conditions. It is necessary:

  • Inform the user that their data will be used to improve existing functionality. For this you will need to produce an information document ↗.
  • Properly set up the contractual relationship with your customer. The use of test databases should also be reflected in the terms of use ↗.
  • Establish, implement and maintain appropriate technical and organisational security measures to ensure the protection of processed data.
  • Comply with all obligations of the controller, in particular to keep up-to-date records of personal data processing activities. We will be happy to map ↗ any specific activities for you.

Final note

The above information is not final. The Advocate General's opinion may not be decisive for the decision of the Court of Justice of the European Union. If you would like to follow the latest developments, please click here ↗.