A business asks too much information at signup — what now?
Data minimisation (GDPR Art. 5(1)(c)) prohibits unnecessary data requests. Ask basis per field, refuse unnecessary fields, AP complaint on systematic overstepping.
Businesses often want more data than needed — for future marketing, profiling, "just in case". GDPR Art. 5(1)(c) (data minimisation): personal data must be "adequate, relevant and limited to what is necessary". Not "nice to have" — strictly necessary. Concrete examples of over-asking: webshop asks DoB for product order (not needed — age band suffices), gym asks BSN (prohibited — Wabb Art. 10), travel insurer asks political view, hotel asks pay slip, email signup asks phone + address + employer. Routes: (1) Ask in writing for basis per field. Business must justify. No solid answer = field unnecessary. (2) Fill only necessary fields. For "required" fields not necessary: ask in writing why (typically no answer). (3) On refusal to sign up without unnecessary data: AP complaint — fines 2023-2025 for structural Art. 5 breach. Tip: some sites accept incomplete forms — try + validate.
Step by step
Ask basis per field in writing
Email to DPO. "Which legal basis underpins field X?"
Fill only necessary fields
Often forms accept incomplete data. Test + validate.
AP complaint on systematic over-asking
letter generator. AP fines 2023-2025.
Sources
🔎 Common search variants
Recognise your own search? Our answer above covers these too.
- “business asks too much data”
- “data minimisation breach”
- “unnecessary form fields”