GDPR and CRM Systems – Consent and the Right to Be Forgotten

In this focus article, we will take a closer look at a specific type of system that typically contains a lot of personal data – CRM systems.

To make it clear, we are talking about the type of CRM systems that are used for both registration and documentation of existing customers and for the company’s prospecting, or registering data about potential customers.

CRM systems are an interesting topic in the context of the new data protection rules, because a CRM system actually often contains both general and sensitive personal data, and because a great deal of companies have never obtained consent to register this information.

The rules

So, let’s start by looking at what the GDPR says:

When you register personal data, you must support the following rights:


The consent given by the data subject must be freely given, specific and informed. This means that a person must not be forced to give consent, but you are allowed to make the provision of a service or product conditional on consent, unless you are contractually obliged to provide the service or product anyway. You are also required to inform the person about what you are registering, for what purpose and for how long you intend to keep the data.

The right to be forgotten

If the data subject asks for it, you must delete all data about him or her in all your systems, unless otherwise required by law.

The right to access

The data subject is entitled to see which data you have about him or her on request.

The right to data portability

The data subject is entitled to have his or her data transferred to another company, for example in connection with the transfer of an existing customer relationship.

The right to rectify

The data subject is entitled to rectify his or her data.

You also have to tell the data subject when you register the data that he or she has these rights, and how long you will keep the data.

The right to object

The data subject is entitled to object against profiling. Profiling comprises different forms of automatic analyses of the data subject’s personal data, including big data analyses. With regard to CRM systems, this right specifically comprises the right to object against analyses aiming to predict the data subject’s behaviour and interests.

About data registration in CRM systems

The really interesting case in this context is companies’ use of CRM systems to record data about prospects. These are potential customers to which you have no particular relation, but who you have registered in your systems because you believe that you may be able to get business from them.

When you register such person by name, mobile number and email address, you become data processor. Or put in a different way: If you register a prospect’s work email without having obtained their consent, you will basically be in conflict with the GDPR.

Clearly, this will profoundly change the way you work with sales in many companies, but for the time being, as long as the new Data Protection Act has not been adopted, we have to rely on the concrete wording of the rules.

So, it is too early to say anything about the kind and scope of sanctions that may be imposed if the rules are violated. One could “hope” that such decisions take into account that this will entail a radical change of practice for almost all companies – but we do not know yet.

Netic recommends that you start the preparations for GDPR while keeping in mind that it is still unclear what the CRM practice will be, and this includes considering documented processes for consent, information and the right to be forgotten.

Sensitive personal data in CRM systems

Often you do not really think about it in your everyday work, but a great number of CRM systems also contain sensitive personal data. These are data that can be used to identify a person’s race, political opinions, health status and the like. This also applies to CRM systems for B2B companies.

How so?

Many salespersons are very good listeners, and they later use what they hear in their talks with the customers. For example, if a prospect says that he has to wait to follow up because he is going a party congress, the salesperson and the prospect might very well go on to discuss politics. Many salespeople will make a note of this in the CRM system – typically in a free text field – to remember to ask about it next time.

So, now sensitive personal data have been registered in the CRM system.

Of course, this opens up the same challenges as mentioned above with respect to consent, the duty to inform and the right to be forgotten. But how do you even document this use of the CRM system, and is it possible from a data governance perspective to structure this work?

Netic believes that it is important to document these things before the GDPR enters into force and to consider how the company will deal with these issues. As a general rule, registering sensitive personal data should be avoided to comply with the principle of Privacy by Default.


Read on: Putting “Smart” into how you process log files

Share content