3 minute read
4. Legal consequences of effective anonymization
Legal consequences of effective anonymization 04
In case of sufficient de facto anonymization, the use of the anonymized data is excluded from the scope of the GDPR, as the data is no longer personal (see 5.1 below).
However, other regulations outside of the data protection regulations that are not or only indirectly linked to a personal reference may continue to apply or may have to be observed before anonymization. For example, certain information is particularly protected, for instance because it is subject to postal or telecommunications secrecy. Certain Union and national regulations also provide for anonymization or must be observed in connection with the anonymization process. For example, the processing of traffic data within the meaning of Section 3 no. 30 TKG, i.e. data that is collected, processed or used during the provision of a telecommunications service, is governed by Sections 91 et seqq. TKG. Location data that is used in relation to the users of public telecommunications networks or publicly accessible telecommunications services may only be processed, to the extent necessary for the provision of value added services (e.g. location services) and within the period required for this, if they have been anonymized or if the subscriber has given their consent to the provider of the value added service (cf. Section 98 para. 1 sentence 1 TKG). Further relevant legal bases with regard to data protection requirements in electronic communication (ePrivacy) or special regulations can be found in Section 282 of the German Social Code (SGB) III; Sections 276, 277, 287 SGB V; Section 64 SGB VIII; Sections 67c, 75 SGB X; Sections 79, 84, 85, 92a, 98, 115, 117 SGB XI; Sections 8d, 9a, 12a, 14, 15, 15g of the German Transplantation Act (TPG); Section 150b of the German Trade Regulation Act (GewO); Section 467 of the German Code of Criminal Procedure (StPO); Sections 26, 29 of the German Federal Police Act (BPolG); Section 38 of the German Road Traffic Act (StVG); Section 32 of the German Implant Registry Act (IregG) and Section 13 Of the German Infection Protection Act (IfSG). In addition, there are other protective regulations that can also affect the access or exclusivity of data, for example under copyright or trademark law, trade secret protection or antitrust law. Furthermore, contractual stipulations may have to be observed. Reference may also be made to Regulation (EU) 2018/1807 for the free movement of non-personal data. This regulation applies to the processing of electronic data that are not personal data if they are offered to users in the EU, regardless of where the service provider is domiciled, and to natural and legal persons in the EU who process this non-personal electronic data for their own needs. The regulation applies directly and makes various provisions in particular to remove obstacles to the cross-border traffic of non-personal data within the EU and to promote the data economy, such as a ban on data localization requirements. The presentation of these further legal restrictions is not the subject of this guide.
The de facto anonymization of personal data leads to the inapplicability of the GDPR, cf. Article 2 (1) GDPR and recital 26 GDPR. However, if “anonymization” is insufficient and the personal reference has not been at least de facto removed, the provisions of the GDPR are still applicable. If re-identification is possible at later time due to a further development of the technology with reasonable efforts, the degree of de-identification is no longer sufficient for de facto anonymization. From this point in time, there is (again) a personal reference, so that the provisions of the GDPR are again applicable. In such cases, in which the personal reference can only be restored with the passage of time (for example through further development of the state of the art), although it would also be conceivable to question the effectiveness of the anonymization from the beginning (retrospectively), such an approach would not be in accordance with the approach of “de facto anonymization” chosen in the GDPR, which specifically does not call for an absolute (permanent) removal of the personal reference.
