Lexicon > Anonymization

IT Lexicon

Anonymization

Anonymization refers to the use of a set of techniques to remove the possibility of associating, with “reasonable effort”, personal data relating to an identified or identifiable individual.

The notion of “reasonable effort” takes into account objective elements (time, technical means, state of knowledge) and contextual elements that can vary greatly depending on the categories of data concerned (nature and volume of data, density of the population concerned, etc.).

The European Data Protection Board considers that the reliability of anonymization is based on the following three criteria:

  • The ability to isolate an individual within a larger group based on the data;
  • The ability to link two records about the same person and ;
  • The ability to infer, with high probability, unknown information about a person.

It is marked by the irreversible nature of the loss of the identifiable character of the persons concerned, and should therefore not be confused with pseudonymization, which limits the risk of direct correlation between data but is reversible.

While anonymized data is no longer personal data and therefore falls outside the material scope of the GDPR, pseudonymized data is still personal data subject to the GDPR.

Anonymization makes it possible to carry out data processing whose risks for the rights and freedoms of the persons concerned are greatly limited.

It can substitute the deletion of data and thus allow the data controller to carry out statistics.

GDPR Point

The principles of data protection should apply to any information concerning an identified or identifiable natural person.

Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes”

Recital 26 of the GDPR

Point of jurisprudence

The Austrian supervisory authority was able to consider that “anonymization of personal data can therefore in principle be a valid means of data deletion within the meaning of Article 17 of the GDPR (i.e. within the meaning of the right to erasure)”

Datenschutzbehörde, December 5, 2018, DSB-D123.270/0009-DSB/2018

The Bouchara Law firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.