At the end of the testing, the controller should delete the dataset used for this purpose, unless there is a lawful need to maintain them, for instance for the purpose of refining or evaluating the system, or for other purposes compatible with those for which they were collected in accordance with the conditions set by Article 9.2 GDPR.

Anonymization represents an alternative to erasure^[1]. The consortium produced a dedicated document on the topic (https://www.datenschutzzentrum.de/uploads/projekte/IdentPseudoAnon-320-v1-0-web.pdf).
 

References

---

¹It should be noted that according to some scholars personal data, and biometric data in particular, cannot be fully anonymised. See for instance Justin Banda, ‘Inherently Identifiable: Is It Possible to Anonymize Health and Genetic Data?’, International Association of Privacy Professionals (blog), November 2019, https://iapp.org/news/a/inherently-identifiable-is-it-possible-to-anonymize-health-and-genetic-data/. ↑