Pseudonymization and Art. 11 GDPR

The main purpose of Article 11 is to ensure that controllers do not retain personal data merely to support compliance with the GDPR (Art. 11(1) GDPR) when they do not need that data to achieve the purposes of the processing.

In such cases, Art. 11(2) GDPR waives certain requirements of the GDPR where controllers can demonstrate that they are not in a position to identify data subjects. Pseudonymization can bring a controller into this situation. The following gives a short overview of when this is the case; a deeper discussion of the argument can be found in the extended analysis of the topic (see https://uldsh.de/PseudoAnon).

The following analysis is based on a distinction between three kinds of additional information that the purposes of processing may require:

(i) Reversibly pseudonymized data with bi-directional additional information: Here, re-identification is necessary for the purposes and therefore bi-directional additional information is required. Referring to Figure 17 above, the controller has access to both identification methods, (1) and (2).

(ii) Irreversibly pseudonymized data with one-directional additional information: Here, only one-directional additional information is required for the purposes of processing. This is, for example, the case when only new data of already known data subjects has to be integrated into a pseudonymous data set. In this case, the purposes do not require re-identifying a data subject based on its pseudonymous handle. Referring to Figure 17 above, the controller thus loses access to identification method (2), which “inverts” the data pseudonymization. Controllers still have access to identification method (1), however, i.e. they can locate the pseudonymous data belonging to a known data subject.

(iii) Irreversibly pseudonymized data without any additional information: Here, the purposes of processing require no additional information. This is the case when no re-identification is necessary and no data about existing data subjects is acquired at a later point in time that would need to be integrated into the existing pseudonymous data. Referring to Figure 17 above, the controller thus lacks access to both methods, (1) and (2). Compared to the previous case, even if a data subject is known (e.g., by a unique handle), the controller is now unable to autonomously locate the corresponding pseudonymous data.
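As an added illustration (constructed for this page, not code from the original analysis or from the ULD), the following Python models identification methods (1) and (2) for the three cases: a bi-directional lookup table for case (i), a keyed one-way function (HMAC-SHA256) whose key is kept for case (ii), and the same function with the key discarded after pseudonymization for case (iii). The `Controller` class, `pseudonymize_dataset` and the choice of HMAC are assumptions of this example, not prescribed by the text.

```python
import hashlib
import hmac
import secrets


class Controller:
    """Pseudonymous records plus the split-off additional information kept for
    case (i) 'lookup' (bi-directional table), case (ii) 'formula' (secret key
    of a keyed one-way function) or case (iii) None (nothing retained)."""
    def __init__(self, kind):
        self.kind, self.key, self.table, self.inverse, self.records = kind, None, {}, {}, {}

    def _pseudonym_for(self, identity):
        if self.kind == "lookup":
            return self.table.get(identity)
        if self.kind == "formula":
            return hmac.new(self.key, identity.encode(), hashlib.sha256).hexdigest()
        return None  # case (iii): nothing to look up and no key to recompute with

    def locate(self, identity):
        """Identification method (1): find the data of a known data subject."""
        return self.records.get(self._pseudonym_for(identity))

    def invert(self, pseudonym):
        """Identification method (2): recover the identity behind a pseudonym."""
        return self.inverse.get(pseudonym) if self.kind == "lookup" else None

    def add_later_data(self, identity, data):
        """Integrate new data of an already known subject; method (1) suffices."""
        pseudonym = self._pseudonym_for(identity)
        if pseudonym is None:
            return False
        self.records.setdefault(pseudonym, []).append(data)
        return True


def pseudonymize_dataset(rows, kind):
    """Pseudonymize {identity: data} once; only the additional information that
    `kind` allows survives the call (for None the HMAC key is simply dropped)."""
    key, ctl = secrets.token_bytes(32), Controller(kind)
    for identity, data in rows.items():
        if kind == "lookup":
            pseudonym = secrets.token_hex(8)  # random handle, no relation to identity
            ctl.table[identity], ctl.inverse[pseudonym] = pseudonym, identity
        else:
            pseudonym = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()
        ctl.records[pseudonym] = [data]
    if kind == "formula":
        ctl.key = key  # one-directional: key kept, no reverse table exists
    return ctl
```

With the key discarded, the controller of case (iii) can neither locate a known subject's records nor integrate later data about them, which is exactly what distinguishes it from case (ii).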

Based on the different kinds of additional information, these three cases represent different degrees of identifiability of data subjects. The following table places them in a wider context that also includes identified and anonymous data.

| | Identified data | (i) Strictly pseudonymous data | (ii) Strictly pseudonymous data | (iii) Strictly pseudonymous data | Anonymous data |
|---|---|---|---|---|---|
| Split-off additional information kept by controller | N/A | bi-directional additional information | one-directional additional information | none | N/A |
| Is personal data? | yes | yes | yes | yes | no |
| Potential identification of pseudonymous data | direct | indirect (with additional information kept by the controller or external) | indirect (with additional information external to the controller) | indirect (with additional information external to the controller) | not possible (by any actor with means reasonably likely to be used now and in the future) |
| Does the condition of Art. 11(2) apply? | no | no | no | yes | (yes) |
| Can controller identify data subject autonomously?[1] | yes | yes | no | no | no |
| Can data subject provide suitable additional information to be identified? | N/A | generally yes (typically a unique handle that matches to lookup-based additional information) | generally yes (typically a unique handle as input in the formula-based additional information) | yes, sometimes (unique combination of attributes or pseudonymous credential[2]) | no, never |
| Does controller need to implement data subject rights? | yes | yes | yes | yes, unless no single data subject can present suitable additional information | no |

Based on this analysis, a controller is not in a position to identify a data subject when:

  • The controller stores (one- or bi-directional) split-off additional information and the data subject can provide neither
    • trusted identity data that matches the input side of the split-off additional information,
    • a pseudonymous credential previously issued by the controller[3], nor
    • a trusted (combination of) value(s) that uniquely matches the pseudonymized data.
  • The controller stores no split-off additional information and the data subject can provide neither
    • a pseudonymous credential previously issued by the controller, nor
    • a trusted (combination of) value(s) that uniquely matches the pseudonymized data.

References

[1] “Autonomously” here means without obtaining additional information from outside, e.g., from the data subject. “Identify” must here be understood to go in the other direction than the “identify” used in Art. 11(2).

[2] Pseudonymous credentials are described in the extended analysis of the argument. Note that issuing pseudonymous credentials is not required by the GDPR.

[3] Pseudonymous credentials are described in the extended analysis of the argument.
