The Austrian data protection authority (‘DSB’) published, on 30 January 2019, its decision, dated 5 December 2018, on the right to data erasure, further to an individual’s complaint. In particular, the DSB highlighted that the complainant had alleged that an unnamed insurance company had infringed his right to data erasure by only deleting data stored for marketing purposes and anonymising the remainder. The DSB dismissed the claim and found that the company had met the complainant’s request for the deletion of his data by excluding the traceability of the person.
Gernot Fritz, Principle Associate at Freshfields Bruckhaus Deringer LLP, told DataGuidance, “The DSB considered the question of data erasure from a result-oriented perspective. Processing of personal data must no longer be possible […] The shredding of hard disks is not required just because a customer does not want to have their data processed anymore [and so] it would be quite implausible to not consider the anonymisation of data as being sufficient when it comes to a data subject’s right of erasure.”
The DSB highlighted that the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) does not define ‘anonymisation’ and only refers to the term in Recital 26, which provides that the principles of data protection do not apply to anonymous information. Moreover, the DSB interpreted the deletion of personal data within the meaning of Article 4(2) of the GDPR, in conjunction with Article 17 of the GDPR, which refer to processing operations and the right of erasure, respectively.
The qualification of relative anonymisation as a form of erasure of personal data is a welcomed clarification
Nino Tlapak, Attorney at Dorda Rechtsanwälte GmbH, added, “Neither anonymisation nor deletion can be practically conducted […] The company [in this decision] managed to delete parts of the personal data, however, due to IT system dependencies, was not able to completely delete all gathered data. Thus, the internal decision had been made to anonymise the remaining identifiable data fields [such as] name, address, email address and phone number [which] had been changed to ‘John Doe’ fields (‘Max Mustermann’ in Austria) […] Thus, this decision is pragmatic and a good sign for all companies that might struggle with common data retention processes.”
In addition, the DSB considered the complainant’s argument for the possibility of the ‘de-anonymisation’ of their personal data, for example, through the use of new technical aids in the future. The DSB held that irrespective of the fact that the reconstruction of data may prove to be possible, the deletion of data through anonymisation is not deemed inadequate, regardless of the means used.
János Böszörmenyi, Associate at Schönherr Rechtsanwälte GmbH, concluded, “The qualification of relative anonymisation as a form of erasure of personal data is a welcomed clarification […] I agree with the DSB’s conclusion [that] total irreversibility is not necessary [and] we do not know the ways in which future techniques will enable re-identification […] As a consequence of this decision, companies might feel encouraged to re-use anonymised data.”
Lauren Sherlock Privacy Analyst