It might sound familiar. Your company has developed a great product, such as a SaaS application. Your customers upload data about their employees, customers, etc. to your product. You store their data, evaluate it, or offer additional services and functionality.
Times move fast and so does the competition. How do you keep up with development? By continuously improving your product, ideally on a set of real data, which can be the personal data of real users.
Under what conditions can you use raw data for testing without violating GDPR obligations?
A preliminary ruling proceeding is pending before the Court of Justice of the European Union which provides useful guidance on the use of real data in test databases.
The proceedings before the CJEU are not yet over. The Advocate General's opinion on the case was issued a few months ago. In it, he focuses on two basic principles that must be taken into account in the case of test databases - purpose limitation and time limitation of storage.
In other words, if the use of test databases is to comply with the GDPR, these principles must be properly considered in the context of fulfilling other obligations under the GDPR.
From the Advocate General's point of view, the principle of purpose limitation consists of two parts:
Any further use of the personal data processed (other than that for which the data were originally collected) must be examined in respect of the specific purpose of the new processing and its compatibility with the original purpose for which the data were collected.
In practice, we often encounter cases where the collected data are further processed for several other purposes. However, even the different purposes of a particular processing must have an objective and sufficiently close link.
Therefore, for the use of the test database to comply with the purpose limitation principle, users must anticipate (i.e. be informed of) this testing. At the same time, the testing must be related to the functionalities of the product. It is not recommended to use the database for other applications, for example.
Do you need to prepare an information obligation for the users of your application? Do not hesitate to contact us.
In order to use the test database, the data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed.
The explanatory memorandum to the GDPR clearly states that the retention period of personal data must be "limited to the minimum necessary".
In order to use the test database, it is necessary to store the "raw data" only for the time needed for testing and then delete or anonymize it.
We recommend setting the storage time comprehensively, across the entire company and for all processing activities. A simple document describing the process is ideal. We can prepare such a document; do not hesitate to contact us.
In the light of the Advocate General's opinion, it can be concluded that the use of real data within the test database is possible under the prescribed conditions. It is necessary:
The above information is not final. The Advocate General's opinion may not be decisive for the decision of the Court of Justice of the European Union. If you would like to follow the latest developments, please click here.