7 Organizational implementation of the de facto anonymization by third parties
The controller can carry out an effective de facto anonymization of personal data itself or use a service provider. If the original data set cannot be deleted (for example due to statutory retention obligations or because justified processing of the original data set is to be carried out), the involvement of a third party may reduce the risk of re-identification. This is because if the third party deletes the original data set and other users (i.e., not the person holding the original data set) are only provided with the anonymized data set, a further security threshold has been created for the third party and these additional users with regard to possible re-identification. This procedure can also be a helpful organizational measure within a group of companies. In our opinion, however, the use of third parties is not mandatory, provided that internal structures (for example so-called Chinese walls) create organizational foundations that effectively exclude the consolidation of information that is available in a company.32
7.1 Organizational measures
In addition to the technical requirements for de facto anonymization, companies must also take accompanying organizational measures to ensure that re-identification is prevented. Such measures include authorization concepts that describe access rules for users or user groups, clear data governance structures (e.g. including the use of independent control bodies) that regulate the handling of and access to data as well as anonymization through standards and guidelines, but also contracts and directives that prohibit and sanction the re-identification of anonymized data. With the help of contractual provisions in particular, a controller can agree on how to act towards third parties in the event of (possibly unintentional) re-identification. This does not make the anonymization as such more effective or more efficacious, but underlines and proves the honest efforts of the controller to achieve an effective anonymization. For example, in the context of discretionary decisions of a data protection authority and its possible legal consequences, the authority may audit and evaluate these measures.
7.2 Third-party liability under data protection law
If a third party (i.e., an external service provider or an affiliated group company) is called in for the de facto anonymization of the data, the distribution of roles under data protection law must be determined in more detail according to the general criteria.
7.2.1 Processor
If the third party only de-identifies personal data on the instructions of the controller, so that the commissioning company alone decides on the means and purpose of data processing, the third party is acting as a processor. Therefore, a data processing agreement within the meaning of Article 28 GDPR would have to be concluded with the service provider, and the other statutory requirements would also have to be complied with.
In practice, it may occur that a processor would like to reserve the right to anonymize personal data for its own purposes (e.g. for internal analysis and statistical purposes). If it is assumed that the de facto anonymization constitutes data processing (see 3.2), the following problems arise with this approach:
• in this case, the processor does not act on the instructions of the client, so there is a risk that it could be classified as a joint controller,
• the de facto anonymization may trigger information obligations (see 9.1), and
• if the anonymized data should become re-identifiable later (for example due to technical progress) and thus become personal, the data transmitted to the processor would have to be erased as well or replaced by “re-anonymized” data.
Therefore, this procedure and the corresponding consequences should be contractually excluded or clearly regulated between the parties (for example by agreeing on joint control for the activities in which the service provider does not act on behalf of the controller, if this represents joint control according to the GDPR, which also regulates the information and possible erasure obligations).
32 See already 3.4