May I reuse customer data for marketing another activity?

Many business owners conduct several commercial activities under the same company. The question often arises whether e-mail addresses collected for one service (for example, a fitness subscription) may be used for direct marketing of another activity (such as events). The short answer is no. The Data Protection Authority (DPA) ruled in a January 9, 2026 decision (04/2026) that this is a violation of the purpose limitation principle. You need specific consent for each individual activity unless the purposes are closely related.

The facts and background

In this case, a consumer filed a complaint against the owner of a fitness club. The complainant had joined the gym and had given permission in his contract to be kept informed of “news” via e-mail”.

The conflict arose when membership records were used for another concept. The entrepreneur decided not to send emails for his nightclub events through the fitness address anymore, but through a new email address linked to the event concept. Although legally the same company was behind the controls, this new sender name aroused suspicion among the member. The client believed he never gave permission to this ‘organizer’ and went to the DPA.

The entrepreneur defended himself by arguing that his goal was broader than sports, namely to strengthen the “sense of community,” and that both activities were operated by the same person.

The decision of the DPA

The DPA Litigation Chamber ruled against the entrepreneur. It held that there were violations of purpose limitation, legality and transparency (articles 5.1.b, 6 and 13.3 General Data Protection Regulation (GDPR)).

The key points from the decision are:

• No valid consent: Permission for “news” in a fitness contract does not cover “nightclub events.” Because there is no logical connection between sports and entertainment, these are incompatible purposes.
• Lack of transparency: The business owner's privacy statement explicitly stated, “This privacy policy relates only to this Website.” As a result, there was legally no information provided regarding the processing of data in connection with membership or events.
• The sanction: Despite the breaches found, the DPA did not impose a fine. The Authority took into account that the data processing was done by the same controller and had not been transferred to third parties. The impact on the data subject was therefore considered “limited.” The business owner did receive a strict order to bring its practices and privacy statement into compliance within 30 days.

Legal analysis and interpretation

This decision is a textbook example of how administrative sloppiness leads to legal problems.

Purpose limitation is strict (Article 5.1.b GDPR)

The DPA reaffirms that personal data cannot simply be “reused” even within one company. The “compatibility test” of Article 6.4 GDPR fell in the negative here: a sportsman does not expect an advertisement for a nightclub. That the money ends up in the same cash register (company) is irrelevant to the GDPR; what matters is the expectation of the data subject.

The pitfall of standard documentation

The ruling painfully demonstrates how dangerous “copy-paste” privacy statements are. The clause that the policy “relates only to this Website” is a standard phrase often found in templates, but disastrous if you also offer physical services (such as membership). As a result, the business owner did not comply with its information obligation (Art. 13 GDPR) for its core business.

Transparency as a trust factor

The complaint was triggered by confusion about the sender. Legally, it was the same entity, but to the consumer it felt like spam from a third party. Transparent communication (“You are receiving this message from X because you are a member of Y”) might have prevented the complaint.

What this means for your company in concrete terms

• Segment your databases: Don't lump all customer data together. If you operate different trade names or diverse concepts, you usually need separate permissions.
• Check your privacy statement for restrictive clauses: Make sure your privacy policy does not inadvertently state that it applies only to the website. Make sure it covers all your business activities (customer management, offline services, events).
• Be specific with opt-ins: Do not ask general permission for “news,” but specify: “news about sports activities” and “event invitations.” Let the customer choose.
• Manage your sender names: If you launch a new brand name, communicate very clearly the link to your parent company to avoid distrust (and complaints).

Frequently Asked Questions (FAQ)

May I email my existing customer base about a totally new activity of my company?
No, usually not. If the new activity is not closely related to the service for which the customer originally signed up, it is an “incompatible purpose.” You must first seek specific permission for this or demonstrate that it is within the customer's reasonable expectations (which is rarely the case with totally new activity).

Why was this business owner not fined?
The DPA ruled that the breach had a “limited impact” on the customer because the data had not actually been transferred to an outside party; it remained within the same company. Note that this is not a free pass. Larger-scale abuse or repeat offenses may well result in a fine.

Is it enough if I update my privacy statement before I send the emails?
No. Article 13.3 GDPR does require you to inform people before using data for a different purpose, but informing alone is not a legal basis. If the original processing was based on consent, you also need a new, specific consent for the new purpose.

Is opening an e-mail proof of consent?
No. The business owner tried to show that the customer was interested because he opened the mails. The DPA rejected this: opening a mail (tracking) never replaces the required prior, free and specific consent.

Conclusion

Reusing personal data for different commercial activities is not automatic. The GDPR requires strict purpose limitation. A fitness subscriber is not a nightclub attendee unless they explicitly choose to be one. In addition, a sloppy privacy notice - which limits itself to the website - is an unnecessary risk that you can easily avoid.