GDPR: Decision of the DPA on the erasure of personal data

14 November – need2know

The daily business of a company is simply inconceivable without the processing of data and it is difficult to imagine constellations in which a company does not process personal data.

As a rule, however, this data processing is not possible for an unlimited period, so sooner or later the time comes when the data must be erased. This also coincides with the data subjects’ right to demand the erasure of their data from the controller if certain reasons exist.

The question, therefore, remains as to what is meant by “erasure” in the sense of the General Data Protection Regulation (GDPR’)?

The GDPR does not define this, nor does it provide any information on how the erasure of personal data is to be carried out.

If one considers that a conventional hard disk consists of millions of bits that can assume two states (e.g. 1 or 0, On or Off) and whose number always remains the same, it quickly becomes clear: When a file is erased, these bits do not simply disappear from the hard disk; much more, the file system merely notes that the corresponding data area is free again for new data. To physically destroy data completely, it would be necessary to destroy the hard disk with a hammer, a drill or the like. This solution is not always feasible. Fortunately, the data protection authority (DPA) recently dealt with the question regarding which technical characteristics result in an erasure (DPA 5.12.2018, DSB-D123.270/009-DPO/2018).

In the specific case, a policyholder lodged a complaint with the data protection authority because the insurance company did not erase all personal data from its systems by irreversibly overwriting them, but “merely” anonymised some of them. As part of this anonymisation, the individual’s details name, address and sex were irrevocably overwritten manually with a “dummy customer connection”, namely “John Doe”. Also, the customer connection was aggregated with a further non-assignable entry, whereby also the change sequence was no longer reconstructable. The insurance argued that due to this overwriting no further information would be present, which would refer to the identity of the policyholder.

“Processing”: erasure and destruction are not necessarily congruent

In its decision, the DPA stated that the definition of “processing” in the GDPR does not necessarily mean that erasure and destruction are identical. From this, the authority deduced that erasure does not necessarily require the final destruction of the data. A possible measure of erasure could also be the removal of the personal reference, i.e. anonymisation, if it is ensured that no one can restore this personal reference without disproportionate effort. Even the possibility of restoring the data at a later point in time, for example by using new technical procedures, does not mean that the erasure by anonymisation is currently insufficient. Complete irreversibility is therefore not required by the authority. It would also be up to the controller to decide how the erasure is to be carried out. The data subject therefore has no subjective claim to a concrete method.

As a result, this decision is to be welcomed for controllers. On the one hand it allows a certain flexibility with regard to the erasure modalities and, on the other hand, it makes it easier for more complex technical systems, where the erasure of data is not simply possible by pressing the “delete” button, to comply with the requirements of the GDPR through anonymisation.

Here you will find the decision of the data protection authority.

Author:
Emanuel Hackl

Practice Group:
IP/IT/Data protection