Legal issues: using anonymized data instead of personal data
Home » Geolocation » Minimize intrusion » Legal issues: using anonymized data instead of personal data

Developers must keep in mind that data controllers in charge of their devices or systems will have to be able to demonstrate that the processing is necessary for the objective being pursued and is less intrusive than other options for achieving the same goal; not that it is a necessary part of their chosen methods.[1] If there are realistic, less intrusive alternatives, the processing of personal data is not deemed necessary.[2] Thus, developers should provide devices and systems with options that allow them minimize the use of data to what is strictly needed (see minimisation principle in this module of the Guidelines). The concept of necessity is, however, complex, and has an independent meaning in European Union law.[3] In general, it requires that processing is a targeted and proportionate way of achieving a specific purpose. Although it does not have to be interpreted in such a strict way as to mean that only absolutely essential data are processed, it is not enough to argue that processing is necessary because controllers have chosen to operate their business in a particular way. For instance, the tool must not allow users to be directly identified when using the application.

The data minimization principle stipulates that personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.[4] (see the “Minimization Principle” in the principles section of these Guidelines). This ethical principle means that, when it comes to using location or proximity data, preference should always be given to the processing of anonymized data rather than personal data[5] (see the ‘Lawfulness and fairness’ principle section and anonymization section in the General Part of these Guidelines). Indeed, if personal data can be substituted with non-personal data without affecting the purposes of the processing, the use of anonymized data should be clearly preferred, according to the GDPR.

Checklist[6]: Anonymized data

 The tool is based on an architecture relying as much as possible on users’ devices.

 Requests made by the applications to the central server do not reveal unnecessary information for the purposes of the service to the system.

 In order to avoid re-identification by the central server, proxy servers are implemented. The purpose of these non-colluding servers is to mix the identifiers of several users before sharing them with the central server, so as to prevent the central server from knowing the identifiers (such as IP addresses) of users.

 The application and the server are carefully developed and configured in order not to collect any unnecessary data (e.g., no identifiers should be included in the server logs, etc.) and in order to avoid the use of any third party collecting data for other purposes.




1EDPS (2017) Necessity toolkit: assessing the necessity of measures that limit the fundamental right to the protection of personal data, p.5. European Data Protection Supervisor, Brussels. Available at: (accessed 15 May 2020); ICO (no date) Lawful basis for processing. Information Commissioner’s Office, Wilmslow. Available at: (accessed 15 May 2020).

2See CJEU, Joined Cases C‑92/09 and C‑93/09, Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen, 9. November 2010.

3See CJEU, Case C‑524/06, Heinz Huber v Bundesrepublik Deutschland, 18 December 2008, para. 52.

4Article 5(1)(c) of the GDPR.

5EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak Adopted on 21 April 2020

6This checklist has been built on the basis of the one included in the EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak Adopted on 21 April 2020, at:


Skip to content