


Customers’ personal data

Your customers provide their personal data to you for one or more specific purposes. This means that you cannot use this personal data for anything else (purpose limitation).

To a certain extent, however, you are allowed to use your customers’ personal data to market products like the one they purchased from you. To be allowed to do this, you must specifically make sure (1) that they are offered the possibility to refuse that their data is used for such marketing (opt-out) and (2) that they can easily unsubscribe from further receiving such marketing at any moment.


All the general requirements of course also apply, such as informing your customers on how you will process their personal data through your privacy policy.


Limited use of personal data 

Under the GDPR you can only use personal data for the purpose for which it was provided to you (purpose limitation) and you cannot collect more information than required for such purpose (data minimisation).

This means in practice that you cannot require your customers to communicate, for example, the following information if you do not strictly need this information to sell them your product or deliver your service:

  1. Date of birth: if you want to obtain this to be able to send your customer a birthday card, then you should make this field optional (not mandatory) and explain why you request this information in so-called meta-information (“providing your date of birth allows us to send you a card and/or promotion on your birthday”).

  2. Gender: we understand that it is useful to know the gender of your customers to be able to know how to address them and maybe to be able to profile them. You cannot make this field mandatory, however. You can request the information by adding in the meta-information “By choosing your gender, we know how to address you and we may be able, if allowed, to better define interesting products and opportunities for you”.

  3. Names of their children and/or significant other,

  4. Etc.


Sending marketing to existing customers and clients 

You can send marketing to your existing customers, relying on your legitimate interest. This is called the “soft opt-in” for existing customers. You can only do this if the following conditions are met:

  1. the customer must be given the possibility to object to receiving such marketing at the time that you receive their personal information.

  2. the customer must be given the opportunity to object to receiving further marketing from you every time they receive marketing communication. In practice this is solved by adding an “unsubscribe” button to every marketing email.

  3. the marketing must relate to products or services similar or related to the products bought by such customer. For example, if you have a bakery you can send information about new products in the bakery to existing customers. If, besides the bakery, you also own a butcher’s shop that is not part of the same shop, then you cannot use data obtained from customers of the bakery to send them information about your butcher’s shop.

  4. Furthermore, of course, the fact that you are marketing your products to these customers must be mentioned in your privacy policy.


General obligations with regard to personal data

In addition to the specific requirements above, all the other general requirements with regard to such processing also apply, such as duly informing your clients, protecting and securing their personal data, respecting their rights, etc.

Processing personal data on behalf of your customers or clients 

If your customers provide personal data to you that they are processing and which you need to process on their behalf, you become a data processor.

This means that you will have to enter into a data processing agreement with them and that you can only use this data to perform your services.

Legal bases to process your customers’ or clients’ personal data 

In general, you will process your customers’ personal data based on the following legal grounds:

  1. Contractual obligation: if you need to process their personal data to be able to perform your obligations. For example, if you need to deliver something to a customer, you need their name and address to be able to do so.

  2. Legal obligation: if you are required by law to process specific information. For example, if your customer is subject to VAT, you’ll need to process their VAT number by law.

  3. Legitimate interest: if you have a legitimate interest to process some personal data of your customer that overrides the interest of your customer not to have their personal data processed. This applies, for example, to the processing to send marketing to your existing customers and to the processing of contact details of employees of your customer.

  4. Consent: if you need to rely on consent to be allowed to process personal data of your customer. You will need consent if, for example, you want to send your customers personalized information (marketing) or if you want to send marketing that is not covered by the soft opt-in described above.

Time for action!

Make sure that:

  • you don’t use personal data of (contact persons at) your customers in other ways than allowed,

  • you inform your customers about the ways you process their data,

  • you use the correct legal bases to process your customers’ personal data,

  • your privacy policy contains the right mentions if you are using your customers’ personal data for marketing purposes,

  • a data processing agreement is in place when you process personal data on behalf of your customers.
