As has been shown, several concepts that are defined outside of Art 5 GDPR are relevant for the understanding of the principle of storage limitation. In particular, these are:
- Direct and indirect identification defined in Art. 4(1) GDPR,
- pseudonymization that is defined in Art. 4(5) GDPR, and
- anonymous data that is defined in Recital 26 GDPR.
In Art. 11(1), the GDPR states:
|If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.|
This provides guidance about the importance the principle of storage limitation has in comparison to other concepts in the GDPR: Storage limitation has a clear precedence over other obligations of the GDPR in the sense that a controller shall not collect or store identifiers for the sole purpose to comply with these obligations.
In Art 11(2) GDPR, this is then stated explicitly for the obligations of the data subject rights of Articles 15 to 20:
|Where, in cases referred to in paragraph 1 of this Article, the controllers are able to demonstrate that they are not in a position to identify the data subject, the controllers shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising their rights under those articles, provides additional information enabling their identification.|
Beyond this, the GDPR emphasizes the importance of pseudonymization in in various contexts:
Art. 89(1) emphasizes the importance of pseudonymization for the case where after fulfilling the initial purposes, data is processed further for “compatible purposes”. In particular, “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”. Art. 89(1) GDPR (2nd sentence) explicitly mandates that for this further processing, “technical and organizational measures need to be in place and lists pseudonymization as sole example for such measures (3rd sentence). It further states (4th sentence): “Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.” This seems to be a direct application of the principle of storage limitation.
Art. 6(4)(e) further underlines the role of pseudonymization when a controller determines, whether an additional purpose is compatible with the purposes for which the data was collected.
Art. 25(1) lists pseudonymization as sole example for a measure that can be implemented during data protection by design.
Also Art. 32(1)(a) lists pseudonymization together with encryption as a measure in support of security. While this further underlines the importance of pseudonymization and thus storage limitation, it may be questioned however, whether pseudonymization does indeed support one of the common protection goals of IT security, namely confidentiality, integrity, and availability.
1See also Art. 12(2) GDPR that further discusses this case. ↑
2See Art. 5(1)(b) GDPR. ↑
3Wordig taken from Art. 5(1)(b) GDPR. ↑