GDPR: Erasing data does not necessarily mean destroying data
Is it sufficient for the erasure of personal data and thus the fulfilment of the data subject’s right to erasure in accordance with Article 17 (1) GDPR to anonymize these data?
The Austrian data protection authority had to deal with this practical question, which is highly relevant for the application of the GDPR (Austrian data protection authority, decision of December 5, 2018, reference D123.270/0009-DSB/2018).
In the opinion of the data protection authority, removing the personal reference (“anonymisation”) from personal data can in principle be a permissible means of erasure according to Article 4 number 2 in conjunction with Article 17 (1) GDPR. This means that the data does not need to be destroyed.
Insurance customer demanded erasure of his data
An Austrian asked his former insurance company to erase his personal data. The insurance company then deleted his contact details and the insurance offers it had prepared, and stopped all advertising. Furthermore, the insurance company replaced his name and address with “Max Mustermann” (= John Doe) and an anonymous sample address. However, the insurance company retained information on previous insurance contracts.
At the request of the data protection authority, the respondent (i.e. the insurance company) explained its anonymisation process. The original customer connection had been removed by implementing the following steps:
- Erasure of the customer inquiry as well as the contract offer
- Erasure of all electronic contacts (e-mail address, telephone number, etc.) of the customer
- Change of person (surname, first name, address): both surname and address have been irrevocably overwritten manually by an anonymous, non-assignable person (John Doe) with identical gender and date of birth
- The internal process that starts automatically with a customer connection was stopped immediately
- Merger of the person to be deleted with the new anonymous person to ensure that the transfer is also technically sustainable.
- Erasure of the customer in the electronic file (history)
By implementing all the steps outlined above, a de facto anonymization of the original customer connection was achieved by overwriting it with a “dummy customer connection”.
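The six steps above, modelled as an added example (not code from the decision or from the insurer): a constructed customer record is overwritten with the dummy person while the contract history is retained, an erasure log is produced as documentation, and a check confirms that no original identifier survives anywhere in the remaining record. The record schema, the dummy address and all sample values are assumptions.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import date, datetime, timezone

@dataclass
class Customer:  # constructed sample schema, not the insurer's real data model
    customer_id: int
    surname: str
    first_name: str
    address: str
    gender: str
    date_of_birth: date
    contacts: dict = field(default_factory=dict)   # e-mail, phone, ...
    inquiries: list = field(default_factory=list)  # inquiries and prepared offers
    contracts: list = field(default_factory=list)  # previous contracts, retained
    history: list = field(default_factory=list)    # electronic file (history)
    marketing_active: bool = True
# Dummy identity the record is overwritten with (the "Max Mustermann" of the decision).
DUMMY = {"surname": "Mustermann", "first_name": "Max", "address": "Musterstrasse 1, 0000 Musterstadt"}

# Constructed customer record used below as sample input.
SAMPLE = Customer(4711, "Huber", "Josef", "Hauptplatz 3, 8010 Graz", "m", date(1970, 3, 14),
                  contacts={"email": "josef.huber@example.org", "phone": "+43 660 1234567"},
                  inquiries=[{"offer": "household insurance"}],
                  contracts=[{"policy": "HH-2015-0042", "type": "household"}],
                  history=["2015-01-10 contract signed"])

def erase_by_anonymisation(c: Customer) -> tuple[Customer, dict]:
    """Apply the six steps from the decision; return the anonymised record and an erasure log."""
    anon = Customer(  # steps 3 and 5: the person is overwritten by and merged into the dummy
        customer_id=c.customer_id,
        surname=DUMMY["surname"], first_name=DUMMY["first_name"], address=DUMMY["address"],
        gender=c.gender, date_of_birth=c.date_of_birth,  # kept: identical gender and date of birth
        contacts={},                                     # step 2: electronic contacts erased
        inquiries=[],                                    # step 1: inquiry and offer erased
        contracts=list(c.contracts),                     # contract history is retained
        history=[],                                      # step 6: electronic file erased
        marketing_active=False)                          # step 4: automatic process stopped
    # Proof of erasure for a later claim; it must not itself repeat the erased identifiers.
    log = {"customer_id": c.customer_id, "erased_at": datetime.now(timezone.utc).isoformat(),
           "method": "anonymisation by overwriting with a dummy customer",
           "steps": ["inquiry/offer erased", "contacts erased", "name/address overwritten",
                     "automatic processes stopped", "merged into dummy person", "history erased"]}
    return anon, log

def residual_identifiers(record: Customer, original: Customer) -> list:
    """Check whether any original identifier survives anywhere in the anonymised record."""
    blob = json.dumps(asdict(record), default=str)
    wanted = [original.surname, original.first_name, original.address, *original.contacts.values()]
    return [v for v in wanted if v in blob]
```

The residual check is the part worth keeping in a real process: it is what shows that retained data (here the contract history) no longer carries a personal reference.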
The insurance company informed the customer that it would not finally destroy all data until March 2019. However, the customer insisted on immediate destruction and complained to the data protection authority.
Difference between erasure and destruction
The data protection authority agreed with the insurance company. In its decision, the authority points out that Article 17 (1) GDPR provides a right to erasure of personal data. At the same time, Article 4 number 2 GDPR lists data processing methods, including “erasure or destruction”. Consequently, erasure and destruction are not identical.
In the view of the data protection authority, erasure has occurred when the processing and use of the personal data of a data subject is no longer possible. The GDPR does not specify how, and above all by what means, a controller achieves this result. The controller can therefore decide individually how to implement the erasure and has discretion in selecting the erasure method.
Erasure of personal data is also possible through anonymization
Destruction is about eliminating the data without leaving any residue. If companies have to erase data, it’s sufficient to make it anonymous. All they have to do is ensure that neither the controller nor third parties can establish a personal connection without disproportionate effort.
In the present case, according to the data protection authority, the company has partly destroyed (i.e. without “leaving” anonymous data) and partly “erased” the personal data by removing the personal reference to the complainant.
In the opinion of the data protection authority, this combination of destruction and removal of the personal reference (also by replacing it with dummy data) is sufficient to be able to assume erasure within the meaning of the GDPR. The data protection authority therefore decided that the insurance company had fulfilled its legal obligation.
The authority does not require that anonymisation can never be reversed. Erasure exists when the processing and use of personal data is no longer possible. The fact that a reconstruction (e.g. using new technical aids) may at some time prove possible does not make the erasure by obliteration insufficient. Complete irreversibility is therefore not necessary.
If customers want companies to erase their personal data, it is sufficient to anonymise the data and to clean up or delete the corresponding log data. However, simply blocking access to the data is not sufficient to comply with a customer’s request for erasure. It is important to document how the data was erased; this documentation can serve as proof in the event of a claim.