In its decision of 5 December 2018 (DSB-D123.270/0009-DSB/2018, German), the Austrian Data Protection Authority (DPA) decided on an extremely relevant practical issue for the application of the GDPR. Is it sufficient for the erasure of personal data (and thus for the fulfillment of a data subject’s right to erasure under Article 17 (1) GDPR) for such data to be anonymized? The DPA’s assessment: the anonymization of personal data can in principle be a possible measure of deletion within the meaning of the GDPR.
Facts of the case
The case concerned a complaint lodged by a data subject against a company (with which there had originally also been a contractual relationship) requesting the erasure of all his data. The respondent, however, refused to erase his data in full: it either erased immediately the data that could be clearly assigned to the complainant or anonymized them in a manner that was “GDPR-compliant”.
The information the company provided to the DPA on how this anonymization was carried out was particularly relevant in this case. The company implemented the following combination of erasure and anonymization steps:
- Erasure of the contract offer: Both the customer inquiry and the offer that the customer management system had created on the basis of the customer’s online information were deleted.
- Erasure of all electronic contacts (e-mail address, telephone number, etc.) of the customer.
- Change of person (surname, first name, address): Both surname and address were irrevocably overwritten manually with the details of an anonymous, non-assignable dummy person (John Doe) having the same gender and date of birth.
- The customer connection, now emptied of data, is assigned only to John Doe.
- The internal process that is started automatically when a customer connection is created was stopped immediately.
- Merging of the person to be erased with the new anonymous person, to ensure that the overwriting is also technically permanent.
- Erasure of the customer from the electronic file (history).
At the DPA’s request, the company added that no further personal data were stored in the log data, since identification there took place only via key figures (“IDs”); this link, however, had been irreversibly removed. The data could not be restored or reconstructed from the log data.
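The steps described above map naturally onto a small data-processing routine. The following Python script is an added illustration (not the company’s system and not part of the decision) that applies the same combination of destruction, overwriting with a dummy person, reassignment of the connection and removal of the key link in the log data to a constructed customer record, and then checks that no direct identifier of the original record survives anywhere. The data model (a customer table keyed by customer ID, log entries that reference a customer only through that ID) and all field names and sample values are assumptions made for the example. Note the deliberately retained gender and date of birth: these are quasi-identifiers, and whether they, together with the remaining connection data, would allow a personal reference to be restored with proportionate effort is exactly the case-by-case question the DPA leaves to the controller.

```python
"""Added illustration of erasure by anonymization (hypothetical data model)."""
from copy import deepcopy

# Direct identifiers that the procedure destroys or overwrites.
DIRECT_IDENTIFIERS = ("surname", "first_name", "address", "email", "phone")
# Attributes the procedure deliberately keeps on the dummy person (quasi-identifiers).
RETAINED_QUASI_IDENTIFIERS = ("gender", "date_of_birth")

# Constructed sample data; field names, IDs and values are assumptions, not from the case.
SAMPLE_CUSTOMERS = {
    1001: {"customer_id": 1001, "surname": "Muster", "first_name": "Maria",
           "address": "Beispielgasse 1, 1010 Wien", "email": "maria@example.com",
           "phone": "+43 1 0000000", "inquiry": "fibre 100 Mbit", "offer": "offer-42",
           "gender": "f", "date_of_birth": "1980-02-29", "connection_id": "CONN-7",
           "onboarding_running": True},
    1002: {"customer_id": 1002, "surname": "Beispiel", "first_name": "Karl",
           "address": "Teststrasse 5, 8010 Graz", "email": "karl@example.com",
           "phone": "+43 316 0000000", "inquiry": "dsl 50 Mbit", "offer": "offer-43",
           "gender": "m", "date_of_birth": "1975-06-01", "connection_id": "CONN-8",
           "onboarding_running": False},
}
SAMPLE_LOGS = [  # log entries identify the customer only via the key figure
    {"ts": "2018-11-02T10:00:00", "customer_id": 1001, "event": "offer created"},
    {"ts": "2018-11-02T10:05:00", "customer_id": 1002, "event": "offer created"},
    {"ts": "2018-11-03T09:00:00", "customer_id": 1001, "event": "connection activated"},
]


def erase_by_anonymization(customers, logs, customer_id, dummy_id):
    """Apply the combined erasure/anonymization steps to one customer.

    Returns a new (customers, logs) state; the inputs are left untouched.
    """
    customers = deepcopy(customers)
    logs = deepcopy(logs)
    original = customers.pop(customer_id)  # customer removed from the electronic file
    dummy = {
        "customer_id": dummy_id,
        "surname": "Doe", "first_name": "John",  # overwritten with the dummy person
        "address": None, "email": None, "phone": None,  # destroyed, nothing left behind
        "inquiry": None, "offer": None,  # inquiry and offer destroyed
        "gender": original["gender"],  # retained on purpose
        "date_of_birth": original["date_of_birth"],
        "connection_id": original["connection_id"],  # connection reassigned to John Doe
        "onboarding_running": False,  # automatic internal process stopped
    }
    customers[dummy_id] = dummy  # merge: the dummy replaces the original record
    for entry in logs:  # log data: the key link is removed, the events themselves stay
        if entry.get("customer_id") == customer_id:
            entry["customer_id"] = None
    return customers, logs


def residual_identifiers(original, customers, logs):
    """List (location, field) pairs where a direct identifier of the original record
    still appears after the procedure; an empty list means none was found."""
    values = {original[f] for f in DIRECT_IDENTIFIERS} | {original["customer_id"]}
    found = []
    for cid, rec in customers.items():
        found += [(f"customer:{cid}", k) for k, v in rec.items() if v in values]
    for i, entry in enumerate(logs):
        found += [(f"log:{i}", k) for k, v in entry.items() if v in values]
    return found


def demo():
    """Run the procedure on the sample data and return state plus the residual check."""
    customers, logs = erase_by_anonymization(SAMPLE_CUSTOMERS, SAMPLE_LOGS, 1001, 9001)
    leaks = residual_identifiers(SAMPLE_CUSTOMERS[1001], customers, logs)
    return customers, logs, leaks


if __name__ == "__main__":
    customers, logs, leaks = demo()
    print("residual direct identifiers:", leaks)
    print("retained quasi-identifiers on the dummy record:",
          {k: customers[9001][k] for k in RETAINED_QUASI_IDENTIFIERS})
```

The `residual_identifiers` check is the part a controller would want to keep in a real pipeline: it is cheap, and it catches the typical failure where one field (an address in a secondary table, a customer ID in a log line) is missed by the overwrite. It does not, however, say anything about the retained gender and date of birth; assessing whether those can be linked back to a person requires looking at what other data the controller or a third party holds.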
The decision of the DPA
The DPA rightly points out at the outset that the binding part of the GDPR does not define the term “anonymization”. Only recital 26 GDPR mentions (but does not define) this and states that the GDPR does not apply to anonymized data, i.e. information “which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”
The DPA then turns to the definition of the term “processing” (Art. 4 No. 2 GDPR), which, however, contains no definition of the term “erasure of personal data” (as used in Art. 17 (1) GDPR).
What Art. 4 No. 2 GDPR does show, in the DPA’s view, is that erasure and destruction are alternative forms of processing (“erasure or destruction”) and thus not necessarily identical.
Consequently, erasure does not necessarily require final destruction. This clarification is the first important statement of the decision: erasure does not mean that the data must actually be destroyed.
In the opinion of the DPA, the controller is entitled to choose the measures, i.e. the manner in which the data are erased.
The removal of the personal reference (“anonymization”) of personal data can thus in principle be a possible means of erasure within the meaning of Art. 4 No. 2 GDPR in conjunction with Art. 17 (1) GDPR.
However, the DPA rightly demands, in my opinion, that it must be ensured that neither the controller itself nor a third party can restore a personal reference without disproportionate effort. When such a disproportionate effort can be assumed is, of course, always a question of the individual case in the end. Only if the controller aggregates the data to a level at which no individual information can be identified can the resulting database, in the opinion of the DPA, be described as anonymous (i.e. without personal reference); in this regard, the DPA also refers to Opinion 05/2014 on Anonymisation Techniques of the former Art. 29 Data Protection Working Party.
In the present case, in the opinion of the DPA, the company has “partly destroyed” the data (i.e. without “leaving” anonymous data behind) and “partly erased” it by removing the personal reference to the complainant.
In the opinion of the DPA, this combination of destruction and removal of the personal reference (including by replacing it with dummy data) is sufficient for erasure within the meaning of the GDPR to be assumed.
Finally, the DPA addresses another important aspect: hypothetical developments, in particular further developments in technology, do not alter the result. The complainant had argued that the data could be “de-anonymized” at a later stage. In the view of the DPA, erasure has occurred when the processing and use of a data subject’s personal data are no longer possible. The fact that a reconstruction might at some point prove possible (e.g. by using new technical aids) does not render the erasure insufficient. Complete irreversibility is therefore not required, regardless of the means used.