Following decisions on the relationship between erasure obligations and legal retention periods as well as on the storage of contact data for possible future contacts, the DPA recently decided on the "anonymization" of personal data as appropriate means to comply with the right to erasure (matter: DSB-D123.270/0009-DSB/2018).
In the underlying case, the complainant (data subject) and the controller apparently had a customer relationship, from which data from terminated contracts and from an online consultation were processed.
After receiving the request for erasure, the controller first destroyed the existing contract offers and all electronic contact information (e-mail address, telephone number, etc.). Furthermore - and of particular relevance - the personal data (name, first name, address) that could be assigned to the data subject were irrevocably and manually overwritten with an anonymous, non-assignable person ("Max Mustermann") of the same gender and date of birth. In this way the (content-free) customer relationship was assigned only to "Max Mustermann". Thus, the files no longer contained any identifying features that could be assigned to the complainant.
Nevertheless, the data subject complained because the controller had "only" anonymized the personal data of the data subject (at least partially), but had not completely destroyed it. Further, the data subject claimed an entitlement to erasure because anonymized data - under certain circumstances - could be de-anonymized again, and priority therefore had to be given to the destruction of personal data.
Decision of the Data Protection Authority
The DPA first stated that the EU General Data Protection Regulation (GDPR) does not contain a definition of the terms "anonymization" and "erasure". However, the recitals state that the GDPR does not apply to anonymized data, which is understood as information "that does not relate to an identified or identifiable natural person or personal data that has been anonymized in a manner that the person concerned cannot or can no longer be identified". Further, the definition of "processing" (Art. 4 (2) GDPR) lists "erasure" and "destruction" as forms of data processing, from which the DPA derives two alternative forms of action that are not necessarily congruent. According to the DPA, "erasure" within the meaning of the GDPR does not necessarily require a final destruction of the relevant data. Against this background, the DPA grants the controller the right to select the means of erasure.
The DPA confirmed that the removal of the personal reference from personal data ("anonymization") can in principle be a possible means of erasure within the meaning of the GDPR. However, it must be ensured that neither the controller nor a third party can "restore a personal reference without disproportionate effort". In the underlying case, the "anonymization process" was explained comprehensibly in the proceedings, and there were no indications that any reference to the person continued to exist or that the restoration of the personal reference was possible without disproportionate effort. Moreover, the DPA stated that complete irreversibility, irrespective of the means of erasure, is not necessary. The appeal was therefore dismissed.
From the perspective of companies, the decision is to be welcomed, as it brings a certain relief to the erasure issue, which can be challenging in practice. The following conclusions may be drawn:
- The "right to erasure" does not necessarily require the destruction of data, but can be fulfilled by anonymization, as long as the data subject cannot be identified or can no longer be identified.
- By overwriting the personal data with a "Dummy customer connection", the anonymization of the data subject can in principle be achieved. This fulfills the erasure requirement if the personal reference cannot be restored "without disproportionate effort". Particular attention should be paid to log files, which, as "hidden data", may still allow the data subject to be assigned!
- Complete irreversibility is not required, and therefore a possible later reconstruction is not harmful in itself. However, the use of technical means or the application of "big data" must not compromise the anonymization process!
- It should not be sufficient simply to modify the data organization so that "targeted access" to the relevant data is ruled out (e.g. merely capping the logical accessibility). Only if data are aggregated at a level at which no individual events are identifiable can the resulting data be described as anonymous (i.e. without personal reference).
- The means used to ensure erasure must be sufficiently documented and retained so that they can be proven to the authority if required!
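As an added illustration of the overwrite approach and of the log-file check called for in the second conclusion (this is example code, not the controller's procedure or anything from the decision), the sketch below overwrites the identifying fields with the dummy person while keeping gender and date of birth, drops the contact data, and then scans related log lines for residual identifiers. The record, log lines and field names are constructed assumptions.

```python
import re

# Constructed sample customer record and log lines (assumptions, not from the case).
CUSTOMER = {
    "first_name": "Erika", "last_name": "Beispiel",
    "address": "Musterweg 1, 1010 Wien",
    "email": "erika.beispiel@example.invalid", "phone": "+43 1 2345678",
    "gender": "f", "date_of_birth": "1980-05-17",
    "contracts": [{"id": "C-1001", "status": "terminated"}],
}
LOG_LINES = [
    "2023-04-02 consult id=C-1001 user=erika.beispiel@example.invalid",
    "2023-04-03 offer sent to Erika Beispiel, Musterweg 1",
    "2023-04-04 contract C-1001 terminated",
]

# Dummy person used to overwrite the identifying fields (constructed values).
DUMMY = {"first_name": "Max", "last_name": "Mustermann", "address": "n/a"}
CONTACT_FIELDS = ("email", "phone")


def anonymize(record):
    """Overwrite name and address with the dummy person, remove contact data,
    and keep gender and date of birth, as the decision describes."""
    anon = dict(record)
    anon.update(DUMMY)
    for key in CONTACT_FIELDS:
        anon.pop(key, None)
    return anon


def _identifier_pattern(original):
    """Regex matching the original identifiers; longest first so that e.g. the
    full address is matched before the bare first name inside the e-mail."""
    tokens = [original["first_name"], original["last_name"],
              original["address"].split(",")[0],
              original["email"], original["phone"]]
    tokens.sort(key=len, reverse=True)
    return re.compile("|".join(re.escape(t) for t in tokens), re.IGNORECASE)


def residual_identifiers(original, lines):
    """Log lines that still carry an identifier of the original record: the
    'hidden data' that would let the dummy be assigned back to the person."""
    pattern = _identifier_pattern(original)
    return [line for line in lines if pattern.search(line)]


def scrub_logs(original, lines):
    """Replace every residual identifier in the log lines with a marker."""
    pattern = _identifier_pattern(original)
    return [pattern.sub("[removed]", line) for line in lines]
```

Running `residual_identifiers(CUSTOMER, LOG_LINES)` before scrubbing flags the first two lines, which is exactly the documentation a controller would want to retain as proof that the hidden data was found and handled.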