Due to the Personal Data Regulation, it is important to clarify whether you are a data controller or a data processor.
You and your company are responsible for compliance with the Personal Data regulation. You decide how personal data is processed.
A good rule of thumb is that the data controller is the one registered to exercise his rights under the Personal Data regulation.
If you store and / or process personal data for others, you are categorized as a data processor. This means that you are not allowed to use the data for anything other than completing the task where you are a data controller.
There is a number of obligations that your organization needs to be compliant with when handling other people’s data. For instance you must have a written contract setting the framework for data processing - a data processing agreement - and you may only process data according to clear and documented instructions from the data controller.