Expert Advice Community

Criteria to distinguish between deleting and not deleting data

Guest user. Created: Jan 25, 2022. Last commented: Jan 26, 2022.

We are a processor of personal data; some of this data is anonymized and some is not. If the controller forwards us a request to delete the data of a particular data subject, do we also need to delete the anonymized data? What are the criteria to distinguish clearly between the data we need to delete and the data we do not need to delete?

Expert
Tudor Galos Jan 26, 2022

Anonymized data is not personal data. Moreover, the process of anonymization of personal data is equivalent to the deletion of personal data, because the process is irreversible and data cannot be used to identify a data subject, directly or indirectly. So, according to GDPR, you do not need to delete data that is not personal data. However, please pay attention that the data controller does not refer to pseudonymized data, which according to Art 4 GDPR – Definitions – is “personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;”. In this case, pseudonymized data is personal data and is subject to GDPR requirements, including obeying a controller request for personal data deletion.

As part of our GDPR Toolkit, we have a document called Anonymization and Pseudonymization policy that you can use. Please check the links below:

Tudor Galos