Erasure and Anonymisation of Personal Data in Context of General Data Protection Regulation

Abstract

Many controllers have a desire to be able to continue using personal data instead of deleting them after the processing purpose has been fulfilled. The discussion regularly arises whether the erasure of personal data is required by the General Data Protection Regulation (GDPR) and whether it can also happen by anonymising the data. This article examines how the GDPR regulates the two terms of “erasure” and “anonymisation” as well as what requirements are demanded by using any of these in the personal data lifecycle. An obligation to delete personal data always requires personal data. In the case of anonymous data, erasure is not required and cannot be claimed. The question to be examined and discussed in the article is therefore: If personal data exist and there is a claim for erasure, can the obligation to erase be fulfilled by anonymising the personal data? Such question has not yet been addressed in the case law and has only been examined to a limited extent in the literature by different authors with no exact court ruling. Some authors state that the question can be answered in such a way that an obligation to delete can also be fulfilled by anonymising the data (Dierks & Roßnagel, 2021; Taeger & Gabel, 2021); meanwhile, others consider that anonymisation cannot be considered as data erasure. The answer to this question is important because it determines whether large data processors are allowed to keep data that they would have to delete and use in anonymised form for Big Data analysis or Artificial Intelligence applications that are an integral part of the world of technology.