The present Article provides a contextualised commentary to the preliminary ruling of 16 January 2019 by the CJEU, in case C-496/17 Deutsche Post AG v. Hauptzollamt Köln which concerned interpretations of requirements related to maintaining Authorized Economic Operator (AEO) status by Deutsche Post AG in the context of data protection of the personal information from senior management under the Regulation 2016/679 (GDPR) and sets out the broader implications stemming therefrom. It also provides a brief selected overview of certain recent developments concerning data protection cases within the sphere of customs law at country level and EU institutional level. It finally also highlights certain relevant issues important for cross-border data flow in the EU such as the current use and future creation of various EU integrated databases used by customs and other authorities, the right of access to these, and the new European Data Protections Board’s guidelines on lawful data processing for online services.