What happened?
A business received a negative review on an online platform. The customer complained about the service and gave a low rating. Nothing unusual so far - this happens to every business.
But the owner responded emotionally. In their public reply, they mentioned details about the customer’s purchase, the reason for the visit, and in some cases even health-related information. The intention was to refute the complaint and “tell their side of the story.”
The result: a complaint to the supervisory authority and a fine for violating the GDPR.
Why is this a GDPR violation?
Personal data collected in the course of your services - purchase history, medical information, financial details, contact data - may only be used for the purpose for which it was collected. Publicly disclosing that data in response to an online review is not part of that purpose.
Specifically, this violates several GDPR principles:
- Purpose limitation (Article 5(1)(b)) - you use the data for a purpose other than what it was collected for
- Integrity and confidentiality (Article 5(1)(f)) - you make confidential data public
- Legal basis (Article 6) - you have no valid legal basis to share personal data publicly
If health data is involved, you also violate Article 9, the prohibition on processing special categories of personal data without a specific exception.
It does not matter if the customer is wrong
This is where many business owners stumble. “But the customer is lying! I want to show what really happened!”
That is understandable. But the GDPR makes no exception for situations where the customer is wrong. You received the personal data in a confidential context (the customer relationship), and you may not use it to defend yourself publicly.
Even if the review is unjustified, exaggerated, or outright false: disclosing personal data in your response is not allowed.
How should you respond to a negative review?
Rule 1: Keep it general
Respond professionally and in general terms. Do not mention specific details about the customer, the purchase, or the service.
Not: “This person came in on 15 March for treatment X and only paid 50 euros, which was already a discount.”
Instead: “We regret that your experience did not meet your expectations. We take every complaint seriously.”
Rule 2: Refer to a private conversation
Invite the customer to get in touch so you can discuss the situation privately.
“We would like to discuss this with you personally. You can reach us at [email/phone].”
Rule 3: Never share medical or financial details
Especially if you work in healthcare, coaching, or financial services: never reveal any indication of the reason for the visit, the diagnosis, the treatment, or the amount.
Rule 4: Limit who responds
Appoint one or two people responsible for responding to reviews. Make sure they are trained. An angry employee responding impulsively can commit a GDPR violation in just a few sentences.
What if it has already happened?
If you have already posted a response that contains personal data:
- Remove or edit the response immediately to delete all personal data
- Document the incident in your data breach register, since unauthorised disclosure of personal data is a data breach
- Assess whether you need to report it to the supervisory authority (depending on the nature and sensitivity of the disclosed data)
- Contact the data subject to inform them about what happened
Train your team
Make sure that everyone who communicates on behalf of your business - whether it concerns reviews, social media, or customer service - knows that customer data must never be used in public communication.
Include it in your GDPR awareness training:
- What can and cannot be said in public responses?
- Who should you contact if you are unsure?
- Who is responsible for managing online reviews?
GDPRWise helps you embed GDPR awareness in your organisation, from clear guidelines to practical documentation.