03 Terms
In legal and technical literature, the terms relating to anonymization are used inconsistently, which increases legal uncertainty with regard to GDPR-compliant anonymization. The most important terms are defined below and hereinafter only used in this sense in the context of this guide.
3.1 Personal data
Personal data means any information relating to an identified or identifiable natural person (cf. Article 4 no. 1 GDPR). What is crucial for identifiability is whether the information can be attributed to a natural person directly or indirectly, e.g. by reference to an identifier such as a name, number, location or other attributes. If, after a certain identifier (e.g. a name) has been removed, data can still be attributed to a natural person by reference to further identifiers (e.g. a job title and company, if this position only exists once in the company) or by consulting other additional information (e.g. an IP address and the information held by the provider on the identity of the user behind it), this data continues to be personal.
Note: In many cases, individual data cannot, despite certain individual attributes, be clearly attributed to a data subject at first glance, but can be attributed to a certain group of people. A natural person can then be identified because the group is too small (for example, re-identification is possible if a “female member of the executive board” of a group is mentioned and there are only one or two women on this executive board), or because a specific person can be identified when this data is combined with other (available) data (e.g. for an employee: salary level in connection with starting date; for a patient: gender, zip code and a rare diagnosis). In these cases, there is still a personal reference due to the identifiability of a person.
3.2 Processing of personal data
Data protection law is linked to the “processing” of personal data. The term processing has a broad meaning and includes any operation that is “performed on” personal data (cf. Article 4 no. 2 clause 1 GDPR). In practice, there are hardly any conceivable operations in the handling of personal data that do not fall under this broad definition of processing. The (mere) collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data constitutes processing in each case (cf. Article 4 no. 2 clause 1 GDPR).
Different opinions are expressed on the question of whether the anonymization of personal data, i.e. the withdrawal of personal reference, also constitutes data processing. Since the anonymization process influences the personal reference of a set of data – as with the erasure or pseudonymization of data (cf. Article 4 nos. 2, 5 GDPR) – it is argued that the process should be treated as processing within the meaning of the GDPR. [3] Against this, it is noted that anonymization precisely does not involve a data protection-relevant process, as the anonymization process is privileged by the GDPR in itself and should therefore not be subject to the requirements of the GDPR. [4] In the context of the consultation process of the Federal Commissioner for Data Protection and Freedom of Information (BfDI), the BDI very clearly concurred with this opposing view. [5] Nevertheless, due to the broadly worded concept of processing and in the absence of case law of the highest courts, no conclusively reliable statement can be made at the moment as to how anonymization is to be classified in relation to the legal definition of processing within the meaning of the GDPR.
[3] The Federal Commissioner for Data Protection and Freedom of Information, position paper on anonymization under the GDPR with special consideration of the telecommunications industry, valid as of: 29 June 2020, page 5.
[4] The anonymization of the data is typically also in the interests of the data subject or at least does not run counter to these interests, Hornung/Wagner, ZD 2020, 223 (224) with further references on the dispute.
[5] BDI e.V., opinion on the BfDI consultation procedure “Anonymization of personal data” dated 23 March 2020, available at: https://www.bfdi.bund.de/DE/Infothek/Transparenz/Konsultationsverfahren/01_Konsulation-Anonymisierung-TK/Stellungnahmen/BDI.pdf?_blob=publicationFile&v=1.