Beyond Legal #39: The customer success manager who didn't understand why

She told me not to share the personal data with the account team. I didn’t understand why. — Zara R., former Customer Success Manager
Not understanding why is the most common precursor to a data protection incident I encounter. The instruction was given. The reason was not explained. The person receiving the instruction could not see the harm in doing the thing they were told not to do. And because they could not see the harm, the instruction felt bureaucratic rather than principled — something that existed to satisfy a compliance function, not something that existed to protect a person.
Zara’s story
Zara is a Customer Success Manager at a B2B SaaS company operating across 7 EU member states. Her role is to ensure that customers achieve the outcomes they contracted for — managing relationships, monitoring product adoption, identifying risks to renewal, and escalating issues across the internal teams that can resolve them. She is the person the customer calls when something goes wrong, and the person who knows the customer’s business in more detail than almost anyone else in the company.
That knowledge was the problem.
The Data Protection Leader — let’s call her Aoife — had been working to tighten the boundary between the customer success function and the account management team. Customer success collected personal data about customer contacts in the course of support interactions — sometimes sensitive information about job roles, organisational structures, internal conflicts, and individual performance concerns. This data was collected to support the customer, under the lawful basis of performance of a contract. It was not collected for sales or commercial purposes, and using it to inform account management activities — upselling conversations, renewal strategy, competitive intelligence — was a purpose limitation violation under Article 5(1)(b).
Aoife had explained this to the customer success team in a team briefing. She had documented the instruction. She had noted that sharing contact-level personal data with the account team for commercial purposes was not permitted without a fresh assessment of the lawful basis.
Zara had been at the briefing. She had not fully understood the explanation. She had thought the instruction was about data security — about keeping sensitive information away from people who might misuse it commercially. She had not understood that the issue was about the purpose for which the data had been collected, and why that purpose could not be extended unilaterally to a different use.
Three weeks later, she shared a detailed contact-level data export with the account team ahead of a renewal negotiation. The export included personal data about 8 named individuals at the customer organisation — their roles, their concerns about the product, a note about a restructuring one of them had mentioned in confidence.
The customer found out. They raised a formal complaint. The Supervisory Authority got involved and reviewed the company’s processing activities for the customer success function.
What the investigation found
Aoife’s documentation showed the instruction had been given and the reason explained. Zara’s documentation showed a data export that had been created and shared in direct contravention of that instruction. The investigation found a purpose limitation violation — personal data collected under a lawful basis of contractual performance had been used for a commercial purpose that was incompatible with the original processing purpose, without any assessment of whether the extended use was permissible and without the data subjects being informed.
The Supervisory Authority issued an enforcement notice requiring the company to implement access controls that technically prevented the data export Zara had performed, and to conduct a full review of its customer success processing activities.
Aoife had the documentation to show she had governed her programme correctly. She was not promoted — the board took the view that the incident had occurred on her watch, regardless of the documentation. She had not done enough to ensure that the understanding, not just the instruction, had reached the people who needed it. Zara resigned before a formal review concluded.
What does purpose limitation mean for a customer success function?
Under Article 5(1)(b) of the GDPR, personal data collected for one specified, explicit, and legitimate purpose may only be further processed in a manner that is compatible with that purpose. For a customer success function, this has a specific operational meaning: the personal data collected in the course of supporting a customer — contact information, notes about individual users, records of support interactions, details shared in confidence — is collected under the lawful basis applicable to the service delivery relationship, typically contractual performance under Article 6(1)(b) or legitimate interests under Article 6(1)(f). Using that data to inform commercial decisions — renewal strategy, upselling, competitive intelligence — is a different purpose that requires its own lawful basis assessment, and the data subjects must be informed of any new processing purpose before it takes effect.
Two enforcement decisions illustrate the scale of enforcement when purpose limitation failures become systemic. In 2021, the Austrian Data Protection Authority fined Unser Ö-Bonus Club GmbH — the operator of REWE’s jö loyalty programme — €2 million after finding that the company had collected shopping behaviour data from 2.3 million customers and used it to build individual profiles for commercial purposes, including sharing insights with advertising partners — without meaningfully informing users that this was happening. The consent form was designed so that information about profiling appeared only below the fold, after the consent selection had already been presented — meaning most users agreed before they understood what they were agreeing to. The authority found violations of Articles 6, 7, 12, and 13: the consent was not freely given, the transparency obligations had not been met, and the processing therefore lacked a valid lawful basis. What makes this case relevant to purpose limitation is the gap it exposed between what data subjects believed they were consenting to — participation in a loyalty discount scheme — and what the company was actually doing with their data. The regulator sided with the data subjects’ reasonable expectation, not the company’s commercial intent.
In late September 2023, Italy’s Garante fined Axpo Italia €10 million after finding that the company’s sales agents had used inaccurate and outdated personal data to activate unsolicited electricity and gas supply contracts in the names of more than 5,000 individuals — without those individuals’ knowledge or consent. The company had no adequate process to verify that the data held by its sales network corresponded to actual, consenting customers. The Garante found violations of Articles 5(1)(a) and 5(1)(d) — lawfulness and accuracy — as well as Articles 5(2) and 24 on accountability. The case is not a textbook purpose limitation decision, but it illustrates a closely related failure: personal data being used in a context and for a purpose that the data subjects had no reason to expect, with no mechanism in place to ensure the processing was either accurate or authorised. When a company cannot demonstrate that the people whose data it holds have any awareness of how that data is being used, the boundary between a lawfulness failure and a purpose limitation failure becomes operationally indistinguishable.
What does a customer success manager need to understand about GDPR data flows?
A customer success manager is one of the most data-rich roles in a company. They hold detailed personal data about named individuals at customer organisations — data that has been shared in the context of a support relationship and that carries with it an implicit expectation about how it will be used. The GDPR makes that expectation legally enforceable: data shared for one purpose cannot be repurposed for another without a fresh assessment, without informing the data subjects, and without a lawful basis for the new use. A CSM who does not understand why they cannot share that data internally is not merely non-compliant. They are a risk vector that no amount of documentation by the Data Protection Leader can fully mitigate — because documentation of an instruction is not the same as the instruction being understood.
The challenge for today: Map the data that your customer success or account management team holds about named contacts at customer organisations. For each category of data, identify the purpose for which it was collected and the lawful basis that supports it. Then ask: which of those purposes would cover the use of that data by the sales or commercial team for renewal, upselling, or competitive strategy? If the answer is uncertain, the boundary is not yet governed.
For more on how purpose limitation creates real operational boundaries, see Beyond Legal #27 on using data beyond its original purpose, and Beyond Legal #37 on what happens when commercial pressure overrides data protection governance.
Article references: Article 5(1)(a) (lawfulness, fairness, transparency), Article 5(1)(b) (purpose limitation), Article 5(1)(d) (accuracy), Article 5(2) (accountability), Article 6(1)(b) (contractual performance), Article 6(1)(f) (legitimate interests), Article 13 (information obligations), Article 24 (responsibility of the controller), Article 83(5) (fines for principles violations).
Series: This is post 19 in the Beyond Legal series — 20 roles, 20 days, real consequences. Aoife, Zara and the story are fictitious; the two cases from Austria and Italy are real.