Notes

GDPR customer records: the CNIL rules for shops

What GDPR really requires of a shop's customer file: legal bases, CNIL retention periods, banned entries, the register, and the EUR 2.25M Carrefour fine.

A customer leaves your repair shop and you type three lines into her record: the amp she dropped off, the quote she accepted, her email address. Then the doubt: is keeping this even allowed? What shop owners believe about GDPR is wrong in both directions: consent is not required for everything, and small shops are not exempt from the paperwork. The real rules are more permissive than the myth and more precise than the guesswork. Here they are, backed by decisions from the CNIL, France's data-protection regulator.

Consent is not the legal basis for a customer file

Keeping a record of your customers does not require their consent. Consent is only one of the legal bases article 6 of the GDPR offers, and a shop's file normally rests on two others: performance of a contract (the sale, the repair, the warranty) and legitimate interest for the relationship's history. "Bought the Telecaster, asked about a hard case" needs no signature.

For the ordinary data in a customer file, consent enters through one door: marketing. The CNIL's rules on email prospecting require prior opt-in for promotional email to consumers (free, specific, informed, never a pre-ticked box), with one exception worth knowing: existing customers may be emailed about similar products or services from your own business, an unsubscribe link in every message. Existing means bought; an account created without a purchase does not qualify. The file needs no consent; the newsletter usually does.

How long can you keep customer data under GDPR?

No number appears in the GDPR itself: data may be kept "no longer than necessary" (storage limitation, article 5). France's CNIL turned that principle into benchmarks in its 2022 referential on commercial management: three years for prospects, the relationship plus three years for customers, ten years for invoices.

DataHow longWhen the clock starts
Prospect who never bought3 yearsCollection, or their last contact (an email click counts)
CustomerRelationship, plus 3 yearsEnd of the commercial relationship
Invoices10 years in a restricted archive, a commercial-code duty per the CNIL's retention guidanceIssuance of the invoice

None of these benchmarks are binding; the CNIL's own Q&A says you may deviate if you justify the gap. Keeping everything forever is the one policy that never qualifies. In 2020 the CNIL fined Carrefour France EUR 2.25 million (deliberation SAN-2020-008), partly over retention: over 28 million loyalty members inactive for five to ten years, as legal publisher Lefebvre Dalloz reported. As published, the decision is anonymized (standard CNIL practice after the publicity window), hence the press source for the name.

What you never write in a record

Two families of entries turn a useful file into a liability: special-category data, and comments you would not say to the customer's face. Article 9 of the GDPR bans processing data revealing health, religion, ethnic origin, political opinions, union membership, sex life or sexual orientation. It applies by default; outside narrow exceptions such as the customer's explicit consent, no retail purpose lifts it.

Comment boxes are where shops break this rule without noticing. In 2015 the CNIL put a household-appliance retailer on formal notice after inspectors found 5,828 irrelevant comments in its customer database; decision no. 2015-063 quotes entries like "CLIENT TRES CON" and "CLIENTE DE CONFESSION JUIVE" verbatim. That decision too is anonymized today; the retailer was Boulanger, as Next reported at the time. Each line was counter shorthand: either sensitive data collected unlawfully, or a remark the customer had every right to read.

One test settles the rest: everything in a record is disclosable, because the customer can ask for a copy and get one. Write dated facts (bought, promised, repaired, refunded) and the test passes itself.

The register: small shops are not exempt

A three-person boutique still owes a record of processing activities. Article 30(5) of the GDPR reads like an exemption for organizations under 250 employees, but it only covers occasional processing, and a customer file is the textbook non-occasional case. The CNIL's register guidance lists customer management among the treatments that must appear whatever the head count. Most small-business guides claim the opposite; they are wrong.

Scale is the good news. For a shop, the register is a short spreadsheet with a few lines per activity: what the processing is for, which data, who sees it, how long you keep it. The CNIL publishes a free simplified template in ODS format. Filling it in takes an afternoon, and it is when you choose your retention periods rather than inherit the software's defaults.

One month to answer an access or erasure request

When a customer asks what you hold on them, article 12(3) of the GDPR gives you one month to answer, extendable by two months for complex requests if you say so within the first month; the first copy is free, per the CNIL's guidance for professionals.

Erasure runs on the same one-month deadline, with one boundary to explain at the counter: marketing data goes on request, but invoices under the ten-year commercial duty stay in the restricted archive, because erasure cannot override a legal retention duty. Tell the customer which part you deleted and which part the law makes you keep. And expect no letterhead: a two-line email counts.

Dated events beat a notes blob

None of this requires software. But the shape of the record decides whether staying compliant is a filter or an archaeology dig. A history kept as dated, factual events, one line per fact (March 3, bought the amp; June 12, collected the repair), is structurally easier to keep lawful than one long notes box.

Three mechanics do the work. Purging: the three-year deadline runs from the last contact, so with events the purge is a query on each customer's last entry date, while a notes blob leaves nobody able to say when a relationship ended. Filter the contacts whose latest event is over three years old, skim, delete: a minute of work, because every entry carries a date. Comments: the Boulanger failure is a design smell of free text, since a comments box invites opinions where an event asks what happened, and when. Access: the request becomes a timeline export, not a nervous read-through of years of remarks.

This is the model Historis, a client-tracking CRM built for retail stores, rests on: every entry is a dated event on one person's timeline, every write, human or AI, is attributed and traceable, and the data stays on EU-hosted infrastructure. No tool makes you compliant; those decisions stay yours. But structure turns the purge into a query instead of a project.

Why it matters

The customer file is a shop's real asset. A file with known legal bases, decided durations and factual entries is simply a better one: searchable, exportable, defensible, ready for the day a customer, an accountant or a buyer asks to see it. Answer "here is everything we hold on you, dated" within a week, and you have shown the care that brings people back.

This is general information about EU and French rules, not legal advice. For a specific situation, talk to a lawyer or your data-protection authority.

Related: why one client should mean exactly one record, and who can see a record inside your team.

Frequently asked questions

Do you need a customer's consent to keep a customer file?
No. The GDPR offers six legal bases and consent is only one of them: a shop's customer file rests on performance of a contract and legitimate interest. Consent becomes mandatory for one thing, promotional email to consumers, and even there the CNIL allows an exception: existing customers may be emailed about similar products from the same business, with an unsubscribe link in every message.
How long can a shop keep customer data under GDPR?
The GDPR sets no fixed period, only "no longer than necessary". France's CNIL gives enforcement benchmarks in its 2022 commercial-management referential: three years for prospects from collection or their last contact, the relationship plus three years for customers, ten years for invoices in a restricted archive. The Carrefour France fine of 2020 (EUR 2.25 million, partly over 28 million inactive loyalty records) shows the principle is enforced.
What are you not allowed to write in a customer record?
Special-category data under article 9 (health, religion, ethnic origin, political opinions, union membership, sexual orientation) is banned by default; outside narrow exceptions such as explicit consent, no retail purpose lifts the ban. Gratuitous or insulting comments are the other trap: the CNIL put Boulanger on formal notice in 2015 after finding 5,828 excessive comments in its customer base. The practical test: the customer can request a copy of everything you wrote.
Does a shop under 250 employees need a record of processing activities?
Yes, for its customer file. Article 30(5) of the GDPR exempts organizations under 250 employees only for occasional processing, and managing customers is the textbook non-occasional case: the CNIL lists it among the treatments that must appear in the register regardless of size. The CNIL also publishes a free simplified template (ODS format); for a shop, a few lines per activity are enough.

Related posts