Accessing business CRM and customer data

A data processor and any authorized person is allowed to access to personal data stored in CRM only limited to the purpose of the processing established in the privacy notice.

For more information about data processor and data controller, please read the article:EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/.

The principle of purpose limitation is one of the key principles of GDPR to keep in mind.Therefore, you cannot access for purposes outside the ones illustrated in the privacy notice. As a consequence, if the reason for accessing customer data stored in CRM is in line with the purpose of collection and storage (i.e. verifying payments) the access will be compliant with GDPR provision. If the purpose of accessing personal data is not covered by your privacy policy you may consider to amend it in order to inform your customers that you will access their data for that purpose.

Depending on the purpose you may also need to verify the legal ground of such processing and verify if you need customer consent or you can process under another legal ground.

For more information, please read the following articles: Understanding 6 key GDPR principles https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/

Article 7 – Conditions for consent  https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/ Article 6 – Lawfulness of processing https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/