Where the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller does not need to store, obtain or process additional information to identify the data subject for the sole purpose of complying with his or her obligations under the GDPR. In such a situation, the controller should inform the data subject, in particular if the data subject makes a request on the basis of GDPR Articles 15 to 20.
If, in the above cases, the controller can demonstrate that he or she is not in a position to identify the data subject, GDPR Articles 15 to 20 shall not apply. However, the obligation to comply with a data subject's request based on one of the provisions of GDPR Articles 15 to 20 (such as a request for a copy of the data or a request to erase the data) shall apply if the data subject provides the controller with additional information that enables the controller to identify the data subject.
When does this provision apply?
“Personal data” within the meaning of the GDPR includes data relating to an “identifiable individual”. Therefore, it may happen that the controller processes personal data but does not identify the individual whose personal data he or she is processing, even though, at least in theory, he or she has the ability to do so.
Any processing of personal data should be carried out for a specific purpose determined by the controller. The purpose of the processing of personal data may in turn be as follows:
From the moment of data collection, the controller does not need to identify the data subject (in other words, the controller can fulfil the purpose of the processing without identifying the data subject);
From a certain moment of data processing,the controller no longer needs to identify the data subject (in other words, the controller can fulfil the purpose of the processing from a certain moment without the identification of the data subject).
The rule discussed applies to both situations.
For example, a controller monitors the Internet traffic on his or her website in order to ensure its security, stable operation and development, and in doing so objectively processes a range of information that can be considered (under certain circumstances) as personal data of website users. This is mainly information relating to their interaction with the website (e.g. date, time or type of interaction), including IP numbers, logs, etc. However, the controller does not need to identify the data subjects in order to fulfil the above purpose of processing. In particular, colloquially speaking, there is no need to ‘match’ the personal data processed by the controller to an individual identified by name and surname.
Another example would be the processing of the image of a person taken in the course of the operation of a CCTV system. The controller processes personal data in the form of the image, but does not always ‘match’ the image to an individual identified by name and surname (as the purpose of the processing does not require it).
What right does the controller have under this rule?
In the cases referred to above, i.e. where the purpose of the processing of personal data by the controller:
Can be achieved without identifying the data subject;
Can be achieved from a certain point in time without identifying the data subject;
the controller is not obliged to maintain, acquire or process additional information to identify the data subject for the sole purpose of complying with the GDPR, in particular for the exercise of data subjects’ rights.
In particular, this means that the controller is not obliged to acquire information in order to identify the data subject, including directly from the data subject, if such acquisition would only take place in the event that the data subject contacts the controller in the future with one of the requests referred to in GDPR Articles 15 to 20. Similarly, the controller may delete the part of the data that allows the identification of the data subject if that data is no longer necessary for the controller to carry out further processing in accordance with its purpose.
Going back to the example above, GDPR Article 11 gives the controller the right not to collect the information necessary to identify a website user (i.e. to ‘match’ personal data to a specific individual ‘by name and surname’) if that collection would only be necessary in the event the data subject contacts the controller in the future with one of the requests referred to in GDPR Articles 15 to 20.
When and of what should the controller inform the data subject if there is no identification requirement?
When the purpose of the processing of personal data by the controller:
Can be achieved without identifying the data subject; or
Can be achieved from a certain point in time without identifying the data subject;
and at the same time the controller is able to demonstrate that he or she is not in a position to identify the data subject, he or she shall inform the data subject accordingly.
This seems to be primarily a case of informing the data subject that he or she is not identifiable, and therefore that his or her request cannot be fulfilled, if he or she contacts the controller in the future with one of the requests referred to in GDPR Articles 15 to 20.
However, it also seems advisable - if only for the sake of transparency of data processing - to inform data subjects in advance that the controller will not be able to identify them in certain cases. Such information could be provided, for example, in the privacy policy available on the website.
Non-identifiability and the exercise of data subjects’ rights
If the purpose of the processing of personal data by the controller:
Can be achieved without identifying the data subject; or
Can be achieved from a certain point in time without identifying the data subject;
and at the same time the controller can demonstrate that he or she is unable to identify the data subject, GDPR Articles 15 to 20 do not apply.
This means that, in the above cases, the controller will not be obliged to comply with a data subject's request based on one of the provisions of GDPR Articles 15 to 20, e.g. a request to obtain a copy of the data or to erase the data.
However, there is an obligation to comply with the request if the data subject, in order to exercise his or her rights under GDPR Articles 15 to 20, provides the controller with additional information allowing him or her to identify the data subject. In this context, GDPR Recital 57 further indicates that:
The controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights.
In other words, the controller may not refuse to take additional information to evade the data subject's request.
In addition, GDPR Recital 57 provides important practical guidance in relation to the processing of personal data online in the context of a request to exercise the rights under GDPR Articles 15 to 20, where the controller is unable to identify the data subject, namely that:
Identification should include the digital identification of the data subject, for example by means of an authentication mechanism, such as the same credentials used by the data subject to log in to the online service provided by the data controller.
In practice, this means that if, for example, the controller provides online services that are accessible by means of authentication data, such as a user-selected login, which may be a fancy name, especially one that does not include the user's name (e.g. DarkLordCauliflower) and a password set by the user, then the data controller is obliged, in accordance with GDPR Articles 15 to 20, to respond to the user's request for the data associated with the user's log-in and password in question, if the request is authenticated with the correct log-in and password that the user enters to access the service. In other words, the user does not have to provide the controller with his or her real name; it is sufficient that the user correctly provides his or her username (e.g. DarkLordCauliflower) and password.
Commentary to art. 11
Processing that does not require identification
When does this provision apply?
“Personal data” within the meaning of the GDPR includes data relating to an “identifiable individual”. Therefore, it may happen that the controller processes personal data but does not identify the individual whose personal data he or she is processing, even though, at least in theory, he or she has the ability to do so.
Any processing of personal data should be carried out for a specific purpose determined by the controller. The purpose of the processing of personal data may in turn be as follows:
The rule discussed applies to both situations.
For example, a controller monitors the Internet traffic on his or her website in order to ensure its security, stable operation and development, and in doing so objectively processes a range of information that can be considered (under certain circumstances) as personal data of website users. This is mainly information relating to their interaction with the website (e.g. date, time or type of interaction), including IP numbers, logs, etc. However, the controller does not need to identify the data subjects in order to fulfil the above purpose of processing. In particular, colloquially speaking, there is no need to ‘match’ the personal data processed by the controller to an individual identified by name and surname.
Another example would be the processing of the image of a person taken in the course of the operation of a CCTV system. The controller processes personal data in the form of the image, but does not always ‘match’ the image to an individual identified by name and surname (as the purpose of the processing does not require it).
What right does the controller have under this rule?
In the cases referred to above, i.e. where the purpose of the processing of personal data by the controller:
the controller is not obliged to maintain, acquire or process additional information to identify the data subject for the sole purpose of complying with the GDPR, in particular for the exercise of data subjects’ rights.
In particular, this means that the controller is not obliged to acquire information in order to identify the data subject, including directly from the data subject, if such acquisition would only take place in the event that the data subject contacts the controller in the future with one of the requests referred to in GDPR Articles 15 to 20. Similarly, the controller may delete the part of the data that allows the identification of the data subject if that data is no longer necessary for the controller to carry out further processing in accordance with its purpose.
Going back to the example above, GDPR Article 11 gives the controller the right not to collect the information necessary to identify a website user (i.e. to ‘match’ personal data to a specific individual ‘by name and surname’) if that collection would only be necessary in the event the data subject contacts the controller in the future with one of the requests referred to in GDPR Articles 15 to 20.
When and of what should the controller inform the data subject if there is no identification requirement?
When the purpose of the processing of personal data by the controller:
and at the same time the controller is able to demonstrate that he or she is not in a position to identify the data subject, he or she shall inform the data subject accordingly.
This seems to be primarily a case of informing the data subject that he or she is not identifiable, and therefore that his or her request cannot be fulfilled, if he or she contacts the controller in the future with one of the requests referred to in GDPR Articles 15 to 20.
However, it also seems advisable - if only for the sake of transparency of data processing - to inform data subjects in advance that the controller will not be able to identify them in certain cases. Such information could be provided, for example, in the privacy policy available on the website.
Non-identifiability and the exercise of data subjects’ rights
If the purpose of the processing of personal data by the controller:
and at the same time the controller can demonstrate that he or she is unable to identify the data subject, GDPR Articles 15 to 20 do not apply.
This means that, in the above cases, the controller will not be obliged to comply with a data subject's request based on one of the provisions of GDPR Articles 15 to 20, e.g. a request to obtain a copy of the data or to erase the data.
However, there is an obligation to comply with the request if the data subject, in order to exercise his or her rights under GDPR Articles 15 to 20, provides the controller with additional information allowing him or her to identify the data subject. In this context, GDPR Recital 57 further indicates that:
In other words, the controller may not refuse to take additional information to evade the data subject's request.
In addition, GDPR Recital 57 provides important practical guidance in relation to the processing of personal data online in the context of a request to exercise the rights under GDPR Articles 15 to 20, where the controller is unable to identify the data subject, namely that:
In practice, this means that if, for example, the controller provides online services that are accessible by means of authentication data, such as a user-selected login, which may be a fancy name, especially one that does not include the user's name (e.g. DarkLordCauliflower) and a password set by the user, then the data controller is obliged, in accordance with GDPR Articles 15 to 20, to respond to the user's request for the data associated with the user's log-in and password in question, if the request is authenticated with the correct log-in and password that the user enters to access the service. In other words, the user does not have to provide the controller with his or her real name; it is sufficient that the user correctly provides his or her username (e.g. DarkLordCauliflower) and password.