Austria: Anonymisation accepted as valid data deletion method

Monday, 25 March 2019

On 5 December 2018, the Austrian data protection authority ('DSB') issued a decision (DSB- D123.270/0009-DSB/2018) on a data subject's right to erarsure under Article 17 of the General Data Protection REgulation (Regulation (EU) 2016/679) ('GDPR'). The DSB accepted anonymisation as a valid alternative to physical and technical deletion, and besides the clear statement that anonymous data is not subject to the GDPR, the DSB provided information on the technical requirements for anonymisation methods. Nino Tlapak, Attorney at Law at DORDA Rechtsanwälte GmbH, discusses the details of the DSB's decision, and the essential requirements for the anonymisation process.

Anonymisation instead of erasure

In the case concerend, an individual claimed for the deletion of their personal data that they had provided during an online application for an insurance contract. The responsible data controller, an Austrian insurance company, responded in a timely fashion and informed the data subject that:

1. the data used for marketing purposes would be irreversibly deleted within a few weeks; while

2. some other personal informaton would be anonymised as a first step only. This would be necessary due to specific IT system dependencies.

In fact, any personal information was changed to anonymous 'dummy' data (like 'John Doe', which is 'Max Mustermann' in Austria), which was also communicated to the data subject in a transparent manner. However, as continued claims by the data subject for full erasure were not satisfied by the data controller, who consistently responded to its former prospect but still relied on its argumentation, the data subject filed a claim of GDPR infringement with the DSB.

The DSB dismissed the claim, and stated that the data controller fully met the complainant's request for the deletion of their data by excluding the traceability of the person. The key finding of the decision is the anonymisation instead of full deletion is permitted, because neither processing nor any other further uses for the data are possible as there is no personal reference left. The DSB further highlighted that Recital 26 of the GDPR does ot apply to anonymous information, and also ruled that a data subject does not have any right of choice regarding a specific form of deletion. This is in line with Austrian case law, which clarified that it is solely the data controller's right to choose adequate thechnical and organisational security measures as long as these are in line with legaul requirements, nowadays under Artible 32 of the GDPR.

Essential requirements for anonymisation processes

The reasoning of the decision further provides detail on how to validly anonymise personal data, which can be used by other data controllers when implementing data erasure concepts. First of all, neither the controller themselves nor any third party shall be able to restore any personal references at reasonable costs. Thus, personal data shall be aggregated in such a way that individual information can no longer be retrieved. This part of the reasoning is based on a former decision by the Highest Administrative Court (2008/05/0079), which stated that the blackening of hardcopy papers is sufficient, if the name of the data subject and all other data relating to them are anonymised. As a result, in this specific case, the anonymisation of log files was also required, which had been done and proofed by the insurance company. In fact, the data controller was required to provide evidence by specific screenshots of all log-files connected to the anonymisation process. Finally, the DSB considered the complainant's argument for the (theoretical) possibility of any future de-anonymisation through the use of new technical means. The DSB held that even if future technologies could make reconstruction possible, a complete irreversibility is not necessary.

Practical consequences

The DSB's decision has recently made headlines in Europe, as it is highly pragmatic and gives guidance on how to implement feasible data retention processes. The most important impact in practice is that data controllers may:

1. amend their data retention and erasure concepts;

2. implement consistent anonymisation tools and processes; and

3. develop anonymised statistic models instead of having to fully delete prospects' or customers' data.

This may allow long- term analytics in line with GDPR requirements, which is, of course, of a great value for all future marketing campaigns or strategiv decisions for businesses.