Austri­an Data Pro­tec­tion Aut­ho­ri­ty: Anony­mizati­on of per­so­nal data as a form of deletion

EN 
EN  DE  FR 

from

on

Indu­stries

Aut­ho­ri­ty

Laws

,

Topics

,
Take-Aways (AI)
  • Anony­mizati­on is con­side­red the equi­va­lent of era­su­re under data pro­tec­tion law, pro­vi­ded that the per­so­nal refe­rence is com­ple­te­ly removed.
  • Anony­mizati­on is only per­mit­ted if neither the con­trol­ler nor third par­ties can resto­re the per­so­nal refe­rence wit­hout dis­pro­por­tio­na­te effort.

In prac­ti­ce, the que­sti­on often ari­ses as to whe­ther it is suf­fi­ci­ent to anony­mi­ze per­so­nal data instead of dele­ting it. The GDPR does not pro­vi­de any clear infor­ma­ti­on on this. Howe­ver, it cle­ar­ly fol­lows from the mea­ning of data pro­tec­tion law that the Anony­mizati­on must be sufficient:

  • The regu­la­to­ry cla­im of data pro­tec­tion law ends in prin­ci­ple with the rem­oval of the refe­rence to per­sons. In other words: Data pro­tec­tion law can­not exce­ed its mate­ri­al scope of appli­ca­ti­on, even with regard to the issue of deletion.
  • It is true that in anony­mizati­on the con­trol­ler pur­sues a spe­ci­fic pur­po­se – the fur­ther use of the anony­mi­zed data – which is not the case with dele­ti­on. Howe­ver, sin­ce this pur­po­se is not limi­t­ed to Peo­p­ledata, data pro­tec­tion law can­not or must not be of inte­rest for this purpose.
  • The con­trol­ler would be allo­wed to obtain the anony­mous data at any time wit­hout having to com­ply with data pro­tec­tion requi­re­ments (pro­vi­ded that the data also remain anony­mous during his own pro­ce­s­sing). It would be con­tra­dic­to­ry to pro­hi­bit him from anony­mi­zing the data if he is free to retrie­ve it.

From this, it had to be con­clu­ded that anony­mizati­on is equi­va­lent to dele­ti­on in terms of data pro­tec­tion law, i.e. it is a dele­ti­on equi­va­lent, and is the­r­e­fo­re always per­mis­si­ble wit­hout fur­ther ado if dele­ti­on is per­mit­ted or required.

This que­sti­on has now also been addres­sed by the Austri­an super­vi­so­ry aut­ho­ri­ty deals (Decis­i­on DSB-D123.270/0009-DSB/2018 of Decem­ber 5, 2018.). In respon­se to a request for dele­ti­on, the con­trol­ler had con­firm­ed that it had eit­her dele­ted the applicant’s data or “anony­mi­zed it in com­pli­ance with the GDPR,” depen­ding on the system. This pro­ce­du­re is equi­va­lent to dele­ti­on. The data pro­tec­tion aut­ho­ri­ty agrees with the data con­trol­ler: The GDPR does not defi­ne the term “dele­ti­on”. Howe­ver, it fol­lows from Artic­le 4(2) of the GDPR that dele­ti­on and des­truc­tion are two dif­fe­rent things, which in turn means that dele­ti­on does not neces­s­a­ri­ly requi­re final des­truc­tion. The rem­oval of the per­so­nal refe­rence could also be a pos­si­ble means of dele­ti­on within the mea­ning of Art. 4(2) in con­junc­tion with Art. 17(1) GDPR. Art. 17(1) GDPR. Howe­ver, the anony­mizati­on must be a com­ple­te one:

It must […] be ensu­red that neither the respon­si­ble par­ty its­elf nor a third par­ty can resto­re a per­so­nal refe­rence wit­hout dis­pro­por­tio­na­te effort […]. Only if the respon­si­ble par­ty aggre­ga­tes the data in the result on a level so that no indi­vi­du­al events are iden­ti­fia­ble any more, the resul­ting data stock can be cal­led anony­mous (i.e. wit­hout per­so­nal refe­rence) (cf. the State­ment 5/2014 on anony­mizati­on tech­ni­ques by the for­mer Artic­le 29 Working Par­ty, WP216, p. 10).