NEWS

Public Consultation Procedure: When and How May Personal Data Be Anonymised under GDPR?

In times of ubiquitous data collection and big data as decision-making tool, the amount of personal data is growing, which in turn allows comprehensive conclusions to be drawn about consumers. GDPR aims to reduce the risks to consumers arising from this trend. To this end, personal data should be anonymised.


The scope of those anonymised data is clear, but their implementation is only partially regulated. It is therefore disputed whether their anonymisation requires a legal basis and, if so, which one. In his first consultation procedure, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) will highlight the legal framework for the anonymisation of personal data. Additionally, a guideline on anonymisation is to be developed, especially for the telecommunications sector.

In the view of the Federal Commissioner for Data Protection and Freedom of Information (BfDI), the European Commission had presented the anonymisation of personal data as an option in GDPR but had not regulated when it could be considered appropriate.

On principle, it is sufficient to anonymise the data in such a way that re-identification is not possible, and the data subject's identity can only be recovered with a disproportionate effort. Furthermore, any anonymisation through the alteration of data constitutes data processing within the meaning of GDPR. This in turn requires a legal basis.

Possible legal bases are the elements of permission mentioned in Article 6 GDPR. However, the specific legal basis that can be used depends on the circumstances of each situation. Anonymisation may be possible, for example, through effective consent or because the data serves a specific purpose. Anonymisation can also fulfil the obligation to delete personal data – this is possible if the personal reference is effectively removed by anonymisation.

Furthermore, the specific legal norms of the German Telecommunications Act (TKG) can also regulate anonymisation. According to TKG, the data may be used for the marketing of telecommunications services if consent has been obtained. Location data may also be processed if they have been anonymised or with the data subject's consent.

 

In conclusion, it can be stated that the anonymisation of personal data – including in the telecommunications sector – is permissible on principle, provided that a legal basis exists. Whether this is the case ultimately remains a case-by-case decision taking into account all circumstances.