Many companies want to retain information in order to keep statistics, which often requires information to be stored for a long time. By pseudonymizing or anonymizing the personal data, you create a safer processing, which may even fall outside the scope and applicability of the GDPR. However, there are high requirements for a personal data to be considered anonymous. We have in a previous blog post mentioned that anonymization is an important GDPR concept. In this blog post we go deeper into what anonymization and pseudonymization means.
Different types of data
For starters, we can note that there are three different types of data according to GDPR, which are processed in slightly different ways. The different types are:
1. Personal data
2. Pseudonymized data
3. Anonymized data
Personal data is information that relates to an identified or identifiable natural person, and is fully covered by the GDPR requirements (Article 4(1) GDPR).
Pseudonymized data is information that can only be linked to an identifiable natural person by means of additional information (Article 4(5) GDPR).
Anonymized data is information that can not identify a natural person and is therefor not covered by the GDPR. This type of data can be stored e.g for research reasons of for the purpose of creating (anonymized) statistics.
Pseudonymization is defined in Article 4(5) GDPR:
”‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;”
As mentioned, this type of data are still possible to relate to and natural person with the help of additional information, and because of that these data are still covered by GDPR.
Pseudonymization is a type of technical security measure to reduce the possibility of relating information to natural persons. This technical security measure is strongly encouraged by GDPR, and is considered a way to ensure security in the processing of personal data under Article 32(1)(b) GDPR. However, pseudonymization does not preclude other organizational and technical security measures (see recital 28 GDPR).
The anonymization procedure consists of two parts;
1. It must be irrevocable; and
2. It has been made in a way that it is impossible (or extremly impractical) to identify the natural person.
For example, it is not enough to remove the name of a natural person in a CRM system where there are other information relating to the individual, because based upon the remaining information you are till able to identify (and therefore the personal data regarding the individual have not been anonymized). In order for the anonymization to be properly performed, it should in principle be impossible to identify the natural person after the implementation. To determine if it is possibly to identify a person, using other information available, one must see if it is reasonable for the person to be identified directly of indirectly though the information. What is considered “reasonable” depends on the costs and time spent in identification, available technology at the tie of processing and technological development. The former Article 29 Data Protection Working Party has written an opinion with more technical details on how anonymization can be done (which is based on the former Data Protection Directive (95/46/EC)).
Taxi 4×35 risks DKK 1.2 million in administrative fine
Not so long ago, the Danish Data Protection Agency decided to report the taxi company Taxa 4×35 (Taxa) to the Danish police and recommended an administrative fine of DKK 1.2 million for violating GDPR. The Danish Data Protection Agency considered that Taxa failed to delete or anonymize personal data. Taxa, which provides an application where the user orders taxis for travel in Copenhagen, collects information about the customer’s name, telephone number, travel date, start time and end time, the length of the journey, payment details, address and GPS coordinates.
Taxa kept the personal data for two years, and then they “anonymized” the data by removing the customer’s name. After another five years, the remaining data were deleted. The reason why taxi kept the data was to develop their application.
The Danish Data Protection Agency discovered that Taxa had stored personal data on nearly 9 million travelers for five years. The company was not considered to have completed the anonymization of the personal data after two years, because it was still possible to identify the persons by means of addresses and telephone numbers. In addition, the Authority considered that the processing of personal data did not fulfill the purpose because the telephone numbers were not needed for the company to be able to analyze data on customers’ driving habits and thus develop the app.
Good to know!
In most of the EU member states, the national supervisory authority can itself impose administrative penalties, but the rules differ in some countries, such as Estonia and Denmark. There, the national supervisory authority evaluates and assesses the situation, and if they consider that someone have acted in violation of the GDPR they will report this to the police. The police will then investigate whether there is a basis for imposing an administrative fine, and in the end the case will be judged by the court who haw the authority to sentence administrative fines.
If you have questions and concerns regarding pseudonymisation or anonymisation of personal data, you are most welcome to contact ut either by email firstname.lastname@example.org or by phone +46 (0)46 – 273 17 17.