On February 10, 2020, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) launched its first public consultation procedure.  The consultation invites comments on a position paper of the BfDI which addresses the anonymization of personal data under the General Data Protection Regulation (GDPR), with a particular focus on the telecommunications sector (for example, the anonymization of location data in mobile networks).

The position paper points out that the processing of anonymized data is not regulated by the GDPR, although the GDPR does not make clear under what circumstances data can be considered fully “anonymous”.  Moreover, the steps necessary to anonymize personal data may constitute a form of “processing” that, in and of itself, requires a legal basis under the GDPR.  Hence, the public consultation addresses the following questions:

  • What are the requirements for personal data to be anonymized?
  • Does anonymization constitute processing of personal data that requires a legal basis?
  • If so, what legal basis can be used for anonymization efforts?

The draft position paper proposes the following answers:

  • For personal data to be anonymized, the link to a person must be removed in such a way that re-identification is practically impossible – i.e., the link to the individual can only be restored with a disproportionate expenditure of time, costs and manpower. The controller remains responsible to continuously monitor the validity of the anonymization efforts.
  • Anonymization, including through aggregation of data, is a form of processing of personal data that does indeed require a legal basis.

The paper also sets out a number of possible legal bases for such anonymization efforts, in particular:

  • 6(4) GDPR (i.e., processing of personal data for a new purpose that is compatible with the original purpose for which they were collected) is one option. For example, it could relied on if customer data collected under Art. 6(1)(b) GDPR (performance of an agreement) that did not include any “particularly sensitive” data and is anonymized for the purpose of optimizing services.
  • Under the German Telecommunications Act, location data can be used to provide value-added services (Dienste mit Zusatznutzen – i.e., location-based services) if the user consents to this, or if the data have been anonymized.
  • Anonymization could also be based on Art. 6(1)(c) GDPR (compliance with a legal obligation) & Art. 17 GDPR (right to erasure), because the legal obligation to erase personal data can be met by anonymizing the data. This also applies to traffic data (Verkehrsdaten) collected pursuant to sec. 96(1), 2nd sentence of the German Telecommunications Act.

Interested stakeholders may submit comments via email to konsultation@bfdi.bund.de until March 9, 2020.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ulrike Elteste Ulrike Elteste

Ulrike Elteste is an experienced technology, media and intellectual property lawyer in the firm’s Frankfurt office. She also advises on related regulatory aspects, in particular, privacy law, financial services supervisory law, and telecommunications law. She is regularly involved in cross-border transactions with a…

Ulrike Elteste is an experienced technology, media and intellectual property lawyer in the firm’s Frankfurt office. She also advises on related regulatory aspects, in particular, privacy law, financial services supervisory law, and telecommunications law. She is regularly involved in cross-border transactions with a focus on technology or IP. Ulrike also represents clients in commercial and IP litigation.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.