On 5th December 2018, the Austrian data protection authority (Datenschutzbehörde, "DSB") issued a decision (DSB-D123.270/0009-DSB/2018) on data subject's right to data deletion according to Art 17 GDPR. In a nutshell, the DSB accepted consistent anonymisation as a valid alternative to physical and technical deletion. Beside the clear statement that anonymous data is not subject to the GDPR, the DSB provided detailed information on (technical) requirements of anonymisation methods:
Anonymisation instead of erasure is permitted
In the specific case an individual claimed for deletion of its personal data that it had provided during an online application for an insurance contract. The responsible data controller, an Austrian insurance company, responded timely and informed the data subject that (i) the data used for marketing purposes will be irreversibly deleted within a few weeks, while (ii) some other personal information will be anonymised as a first step, only. This would be required due to specific IT system dependencies. In fact, any personal information was changed to anonymous "dummy" data (like "John Doe", which is "Max Mustermann" in Austria), which has also been transparently communicated to the data subject. However, as continued claims by the data subject for full erasure have not been satisfied by the data controller – who, of course, consistently responded to its former prospect, but still relied on its argumentation – a claim for GDPR-infringement has been filed with the DSB.
The DSB dismissed the claim and stated that the data controller has fully met complainant’s request for the deletion of his data by excluding the traceability of the person. The key finding of the decision is that anonymisation instead of full deletion is permitted, because neither processing nor any other further use are possible as there is no personal reference left. The Authority further highlighted that Recital 26 already provides that the GDPR does not apply to anonymous information. In addition, the DSB clearly ruled that a data subject does not have any right of choice for a specific form of deletion. This is in line with former Austrian case-law, which clarified that it is solely data controller's right to choose adequate technical and organisational security measures as long as these are in line with legal requirements, nowadays with Art 32 GDPR.
Essential requirements on anonymisation processes
The reasoning of the decision does further provide more details on how to validly anonymize personal data, which can be used by other data controllers when implementing data erasure concepts: First of all, neither the controller himself nor any third party shall be able to restore any personal references at reasonable costs. Thus, personal data shall be aggregated in such a way that individual information can no longer be retrieved. This part of the reasoning is based on a former decision by the Austrian Highest Administrative Court (2008/05/0079), which stated that blackening of hardcopy papers is sufficient, if the name of the data subject and all other data relating to him are anonymized. As a result, in the specific case the anonymization of log files was also required, which had been done and been proofed by the insurance company. In fact, the data controller was required to provide evidence by specific screenshots on all log-files connected to the anonymisation process. Finally, the DSB considered the complainant’s argument for the (theoretical) possibility of any future de-anonymisation through the use of new technical means: The DSB held that even if future technologies could make reconstruction possible, a complete irreversibility is not necessary.
The Austrian decision has recently made headlines in Europe, as it is highly pragmatic and gives a guidance how to implement feasible data retention processes. The most important impact in practice is that data controllers may (i) amend its data retention and erasure concepts, (ii) implement consistent anonymisation tools and processes as well as (iii) develop anonymised statistic models instead of having to fully delete prospects' or customers' data. This may allow long-term analytics in line with GDPR requirements, which is, of course, of a great value for all future marketing campaigns or strategic decisions.