Twitter Logo Youtube Circle Icon LinkedIn Icon

The Legal 500 Hall of Fame Icon The Legal 500 Hall of Fame highlights individuals who have received constant praise by their clients for continued excellence. The Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. In Europe, Middle East and Africa, the criteria for entry is to have been recognised by The Legal 500 as one of the elite leading lawyers for seven consecutive years. These partners are highlighted below and throughout the editorial.
Click here for more details

Austria > Legal Developments > Law firm and leading lawyer rankings

Editorial

AUSTRIA: ANONYMISATION ACCEPTED AS VALID DATA DELETION METHOD

On 5th December 2018, the Austrian data protection authority (Datenschutzbehörde, "DSB") issued a decision (DSB-D123.270/0009-DSB/2018) on data subject's right to data deletion according to Art 17 GDPR. In a nutshell, the DSB accepted consistent anonymisation as a valid alternative to physical and technical deletion. Beside the clear statement that anonymous data is not subject to the GDPR, the DSB provided detailed information on (technical) requirements of anonymisation methods:

Anonymisation instead of erasure is permitted

In the specific case an individual claimed for deletion of its personal data that it had provided during an online application for an insurance contract. The responsible data controller, an Austrian insurance company, responded timely and informed the data subject that (i) the data used for marketing purposes will be irreversibly deleted within a few weeks, while (ii) some other personal information will be anonymised as a first step, only. This would be required due to specific IT system dependencies. In fact, any personal information was changed to anonymous "dummy" data (like "John Doe", which is "Max Mustermann" in Austria), which has also been transparently communicated to the data subject. However, as continued claims by the data subject for full erasure have not been satisfied by the data controller – who, of course, consistently responded to its former prospect, but still relied on its argumentation – a claim for GDPR-infringement has been filed with the DSB.

The DSB dismissed the claim and stated that the data controller has fully met complainant’s request for the deletion of his data by excluding the traceability of the person. The key finding of the decision is that anonymisation instead of full deletion is permitted, because neither processing nor any other further use are possible as there is no personal reference left. The Authority further highlighted that Recital 26 already provides that the GDPR does not apply to anonymous information. In addition, the DSB clearly ruled that a data subject does not have any right of choice for a specific form of deletion. This is in line with former Austrian case-law, which clarified that it is solely data controller's right to choose adequate technical and organisational security measures as long as these are in line with legal requirements, nowadays with Art 32 GDPR.

Essential requirements on anonymisation processes

The reasoning of the decision does further provide more details on how to validly anonymize personal data, which can be used by other data controllers when implementing data erasure concepts: First of all, neither the controller himself nor any third party shall be able to restore any personal references at reasonable costs. Thus, personal data shall be aggregated in such a way that individual information can no longer be retrieved. This part of the reasoning is based on a former decision by the Austrian Highest Administrative Court (2008/05/0079), which stated that blackening of hardcopy papers is sufficient, if the name of the data subject and all other data relating to him are anonymized. As a result, in the specific case the anonymization of log files was also required, which had been done and been proofed by the insurance company. In fact, the data controller was required to provide evidence by specific screenshots on all log-files connected to the anonymisation process. Finally, the DSB considered the complainant’s argument for the (theoretical) possibility of any future de-anonymisation through the use of new technical means: The DSB held that even if future technologies could make reconstruction possible, a complete irreversibility is not necessary.

Practical consequences

The Austrian decision has recently made headlines in Europe, as it is highly pragmatic and gives a guidance how to implement feasible data retention processes. The most important impact in practice is that data controllers may (i) amend its data retention and erasure concepts, (ii) implement consistent anonymisation tools and processes as well as (iii) develop anonymised statistic models instead of having to fully delete prospects' or customers' data. This may allow long-term analytics in line with GDPR requirements, which is, of course, of a great value for all future marketing campaigns or strategic decisions.

Nino Tlapak, Attorney at Law at DORDA Rechtsanwälte GmbH in Vienna, specialised in Data Protection, Privacy and Cybersecurity Law

Interview with...

Law firm partners and practice heads explain how their firms are adapting to clients' changing needs

International Law Firm Networks

International comparative guides

Giving the in-house community greater insight to the law and regulations in different jurisdictions.

Select Practice Area

GC Powerlist -
Europe

International Law Firm Networks