Untested software is worthless, or so the truism goes. Especially for further development or bug fixes in production environments, testing is not only indispensable; it often has to be done with real data.
The classic case is a customer support system that has been developed further and to which operations are to be migrated. As a rule, initial test runs are carried out (on extracts) with existing customer data records. But is this permissible under data protection law? The question has been controversial up to now, but the EU Court of Justice has now answered it in rough outline, and quite satisfactorily.
Purpose limitation does not prevent real data testing
The core problem can be reduced to the so-called purpose limitation provided for in Art. 5 para. 1 lit. b GDPR. This purpose limitation, which is generally provided for in data protection law, contains two requirements, one in relation to the purposes of the original collection of the personal data and one in relation to the further processing of these data:
- During the initial collection, care must be taken to ensure that the personal data are collected for specified, explicit and legitimate purposes. According to the case law of the ECJ, this means that the purposes of the processing must be determined at the latest at the time the personal data are collected, that these purposes must be clearly stated, and that they must in particular ensure the lawfulness of the processing of the data concerned within the meaning of Art. 6 para. 1 of Regulation 2016/679;
- In the case of further processing, care shall be taken to ensure that the personal data are not further processed in a manner incompatible with the purposes of the original processing.
The ECJ first states that it constitutes “further processing” of personal data if the controller collects and stores in a newly established database personal data that were stored in another database. This is hardly surprising given the broad understanding of “further processing”. However, Art. 5 para. 1 lit. b GDPR does not specify under which conditions further processing of personal data is to be considered compatible with the purposes of the original collection of the data. This is where the ECJ comes in.
The EU Court of Justice does not provide a general, standardized answer, but rather specifies criteria that the courts must examine. The outcome therefore depends on the individual case, but there is no fundamental inadmissibility. The cumulative criteria to be examined in individual cases are:
- Whether there is a connection between the purposes for which the personal data were collected and the purposes of the intended further processing;
- The context in which the personal data was collected, in particular the relationship between the data subjects and the controller;
- What type of personal data is involved;
- What consequences the intended further processing will have for the data subjects;
- Whether appropriate safeguards exist in both the original and intended further processing operations.
In doing so, the ECJ expressly emphasizes that performing tests and correcting errors affecting a database containing customer data have a concrete connection with the performance of the contracts concluded with customers, since such errors may adversely affect the performance of the contracted service for which the data were originally collected. The court then concludes by answering that:
the … principle of “purpose limitation” does not preclude the controller from collecting and storing in a database set up for testing and troubleshooting purposes personal data previously collected and stored in another database, if such further processing is compatible with the specific purposes for which the personal data were originally collected, which must be assessed on the basis of the criteria set out in Art. 6 (4) of this Regulation and all the circumstances of the individual case.
No unrestricted use
However, at the same time, the ECJ emphasizes that the principle of “storage limitation” precludes the controller from storing in a database established for testing purposes and for the correction of errors personal data previously collected for other purposes for longer than is necessary for the performance of those tests and the correction of those errors (Art. 5 para. 1 lit. e GDPR).
Conclusion: Test purposes yes, but check and implement cleanly in individual cases
To put it positively: The use of real data within the same company for further development or troubleshooting of systems directly related to this data will no longer face any fundamental objections.
But: In individual cases, it will still be necessary to check, and in particular to carry out a data protection impact assessment, and to keep an eye on the storage period and the scope of storage. This is advisable for self-protection alone, because test systems inherently have a certain fragmentary character, as the present case also showed:
On September 23, 2019, D. learned that an “ethical hacker” had accessed personal data of around 322 000 individuals stored by D. This “ethical hacker” himself informed D. of this and sent an entry from the test database as proof. D. fixed the bug that had allowed this access and entered into a confidentiality agreement with the hacker, granting him a reward. After deleting the test database, D. reported the personal data breach to the authority on September 25, 2019, which then opened an investigation.
An incident like this illustrates well why, although the use of real data for testing purposes need not be a problem in itself, the storage duration and the scope of storage are of outstanding importance.
That’s why: Testing yes, but the test environment is also subject to rules and (until deletion) continuous control.