Authors: Laura Carmichael, Emma Cradock and Sophie Stalla-Bourdillon
1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
I. General remarks
A key aim of the GDPR is to reduce the risks of personal data processing. The GDPR therefore introduces the principle of data protection by design and by default (→ Art. 25), which requires controllers to employ appropriate technical and organisational measures that implement data protection principles (→ Art. 25 mn. 1). Given the focus on risk reduction, as well as the longstanding importance of the principle of data minimisation (Art. 5 para. 1 lit. c), it would be counterproductive to require controllers to maintain, acquire or process more information than they need solely for the identification of data subjects. This is because there would be no opportunity or incentive for controllers to minimise the data they process (Art. 5 para. 1 lit. c), as controllers would be required to keep additional information in the event that a data subject invoked his or her rights. In light of this, Art. 11 confirms the position that controllers are not obliged to maintain, acquire or process such additional information, in order to identify the data subject for the sole purpose of compliance with the GDPR (Art. 11 para. 1).
Pursuant to Art. 11, controllers are granted an exemption from the application of the data subject’s rights under Art. 15 to Art. 20 – on the condition that the controller is able to demonstrate that it is not in a position to identify the data subject (Art. 11 para. 2 and Art. 12 para. 2 sentence 2). Where this is the case, the controller must inform the data subject that it cannot identify him or her (Art. 11 para. 2 sentence 1). If the data subject can provide additional information that enables identification, the exemption does not apply (Art. 11 para. 2 sentence 2).
II. Legislative history
There was no equivalent to Art. 11 under the DPD. The introduction of Art. 11 can be seen as a direct response to College van burgemeester en wethouders van Rotterdam v M.E.E. Rijkeboer,[1] where the CJEU balanced the right of the data subject to access his or her data against the burden placed on the data controller to store personal data.[2] The CJEU acknowledged the disproportionate effort that would result from a legal obligation to keep personal data for a long period solely in order to keep them in an identifiable format. Art. 11 can therefore be viewed as delineating this balance between the interests of the data subject and those of the controller in relation to processing which does not require identification.
Art. 11 also appears to introduce a “spectrum”[3] of de-identification into the framework, in contrast to the DPD’s “largely binary approach”[4] treating data as either personal or anonymous. This spectrum is further reinforced by the current framework via, e.g., a greater emphasis on the ‘identifiable person’ within the GDPR’s definition of personal data (Art. 4 no. 1) or the explicit introduction of the definition of pseudonymisation (Art. 4 no. 5).[5]
III. De-identified personal data and the controller’s obligations to inform
1. Purposes for which a controller processes personal data (para. 1)
The need to abide by fundamental data protection principles – in particular, ‘purpose limitation’ (Art. 5 para. 1 lit. b), ‘data minimisation’ (Art. 5 para. 1 lit. c) and ‘storage limitation’ (Art. 5 para. 1 lit. e) – may give rise to the two situations outlined by Art. 11 para. 1.[6] First, where the purposes for which a controller processes personal data do not require the identification of a data subject – e.g., the processing of pseudonymised data where the methods of pseudonymisation[7] preclude the controller from re-identifying data subjects without additional information (‘data minimisation’, ‘purpose limitation’).[8] Second, where the purposes for which a controller processes personal data no longer require the identification of a data subject – e.g., where the controller anonymises or pseudonymises personal data in accordance with its retention policy (‘storage limitation’, ‘purpose limitation’).
[…]
[1] See Case C-553/07, 07.05.2009, College van burgemeester en wethouders van Rotterdam v M.E.E. Rijkeboer, ECLI:EU:C:2009:293, concerning the DPD.
[2] For instance, some key arguments related to the potential burden placed on controllers – including “cost-effectiveness”, “technical difficulties […]” and “re-linking files after the keys allowing re-linking are destroyed” – are discussed in: EDPS, “Opinion on safeguards and derogations under Art. 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics,” Opinion 10/2017, November 20, 2017, 8-12.
[3] As stated in: M. Hintze, ‘Viewing the GDPR through a de-identification lens: a tool for compliance, clarification, and consistency,’ International Data Privacy Law 8, no. 1, 91 (2018).
[4] As stated in: Hintze, ‘Viewing the GDPR through a de-identification lens,’ 88, 89.
[5] Ibid. Hintze, 89.
[6] Note “[t]he basic remit of Article 11(1) is to provide legal certainty” in these two situations – as stated in: Georgieva, ‘Art. 11’ in Kuner/Bygrave/Docksey, 394.
[7] As defined in: Art. 4 no. 5.
[8] See Maldoff, ‘Top 10 operational impacts of the GDPR: Part 8 – Pseudonymisation,’ International Association of Privacy Professionals, February 12, 2016.