Legality of de-identification measures
02
An overview of the “anonymization” of personal data
Data protection law in the European Union (EU) and in Germany places certain requirements on the processing of personal data. In particular, the processing of personal data is subject to strict regulations, i.e. a legal basis is always required for any form of processing (cf. Articles 6 and 9 GDPR). In addition, there are further data protection obligations, such as the obligations to fulfill information and data subject rights (cf. Articles 12 to 23 GDPR) and to protect personal data by implementing appropriate technical and organizational measures (cf. Article 32 GDPR).
Data that has no personal reference (for the concept of personal data, cf. 3.1) is excluded from the substantive scope of the GDPR (cf. Article 2 (1) GDPR). If personal data is anonymized in such a way that it “loses” its personal reference, the data protection regulations are no longer applicable (cf. Recital 26 GDPR). Anonymization means nothing more than the (step-by-step) removal of the personal reference – this process is described in this guide as “de-identification” of data (see 3.4) – until a sufficient degree of de-identification is reached (de facto anonymization, see 3.3.1).
Anonymization within the meaning of the GDPR must be distinguished from other measures that reduce the personal reference or make re-identification more difficult but that, on their own, do not lead to a sufficient removal of the personal reference. These measures include, in particular, “pseudonymization.” In the case of pseudonymization, information can still be attributed to a natural person by using certain additional information. A personal reference therefore remains, so the data protection regulations still apply (see 3.6 for the delimitation).