We are a processor of personal data; some of this data is anonymized and some is not. If the controller forwards us a request to delete the data of a particular data subject, do we also need to delete the anonymized data? What are the criteria to distinguish clearly between the data we need to delete and the data we do not need to delete?
Anonymized data is not personal data. Moreover, the process of anonymization of personal data is equivalent to the deletion of personal data, because the process is irreversible and the data cannot be used to identify a data subject, directly or indirectly. So, according to GDPR, you do not need to delete data that is not personal data. However, please check that the data controller is not referring to pseudonymized data, which according to Art. 4 GDPR – Definitions – is “personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;”. In this case, pseudonymized data is personal data and is subject to GDPR requirements, including obeying a controller request for personal data deletion.
As part of our GDPR Toolkit, we have a document called Anonymization and Pseudonymization policy that you can use. Please check the links below: