Criteria to distinguish between deleting and not deleting data

Anonymized data is not personal data. Moreover, the process of anonymization of personal data is equivalent to the deletion of personal data, because the process is irreversible and data cannot be used to identify a data subject, directly or indirectly. So, according to GDPR, you do not need to delete data that is not personal data. However, please pay attention that the data controller does not refer to pseudonymized data, which according to Art 4 GDPR – Definitions – is “personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;”. In this case, pseudonymized data is personal data and is subject to GDPR requirements, including obeying a controller request for personal data deletion.

As part of our GDPR Toolkit, we have a document called Anonymization and Pseudonymization policy that you can use. Please check the links below:

• Anonymization and Pseudonymization Policy: https://advisera.com/eugdpracademy/documentation/anonymization-and-pseudonymization-policy/
• EU GDPR Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
• Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/