Article 11 GDPR
Legal Text
1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
Relevant Recitals
Commentary
The data minimisation principle in Article 5(1)(c) GDPR limits controllers in their processing operations, as it specifically requires them to only process data which is necessary for the fulfilment of specific purposes. During the legislative process there were worries, that the GDPR could be interpreted to require processing more personal data, just to comply with certain requirements and rights of the data subjects - which would be counterproductive. Article 11 GDPR is meant to address this matter.
Under Article 11(1) GDPR, when a processing operation does not or no longer requires the identification of the data subject, then the controller should act accordingly, deleting or otherwise hiding the identifying reference to the data subject. When this happens, the controller is not obliged to process additional information about the data subject for the sole purpose of GDPR compliance.
Article 11(2) GDPR provides for an important exception to the above-mentioned rule. If a data subject wants to exercise their GDPR rights and to that extent provides further information allowing their (re)identification, the controller shall consider that information and, if possible, address the request.
Article 11 GDPR only address the use of personal data. There are many other duties under the GDPR which regularly require the keeping of records, proof or evidence. They are not affected by Article 11 GDPR.
(1) If the data subject is not identified, the GDPR applies in part
Article 11 GDPR applies when “personal data do not or do no longer require the identification of a data subject”. One could think that this refers to an anonymisation scenario, but this conclusion would make little sense. First, the GDPR does not apply to anonymous data. Second, under Article 11(2) GDPR, it would be impossible to inform a data subject who is not identifiable.[1]
Under Article 4(1) GDPR, personal data means any information relating to an “identified” or “identifiable” natural person. Looking attentively at the wording of Article 11(1) GDPR, it is clear that the provision only covers situations in which the data subject is not or no longer “identified”,[2] but clearly excludes cases where they are still “identifiable”. In other words, the provision applies in case of pseudonymisation which, according to Recital 26, refers to information about an identifiable person. In the case of pseudonymisation, regardless whether it was implemented from the beginning (“does not require”) or at a later stage (“does no longer require”) of the processing operation, the GDPR grants the controller a privilege which reflects the favour towards data minimisation, storage limitation and data security. In particular, the controller shall not be obliged to retain, obtain or process further information about the individual if such information is needed to identify them and comply with one or more part of the GDPR.
This privilege is not absolute but refers exclusively to those parts of the GDPR that require the identification of the data subject.[3] Some examples are possible. Take the case of the Google Street View. This process undoubtedly involves the collection of some personal data of inhabitants and their homes. However, it is argued, Google would probably not be obliged to collect the contact details of individual inhabitants in order to inform them of the processing under Articles 13 or 14 GDPR. This can be drawn from the final sentence of Article 11(1) GDPR.[4]
It must be assessed with the utmost attention whether GDPR provisions require the identification of the data subject, and under no circumstances should Article 11(1) GDPR be regarded as a carte blanche for the transgression of data protection regulations. The data minimisation principle limits controllers in their processing operations, as it specifically requires them to only process data which is necessary for the fulfilment of specific purposes. Under Article 11(1) GDPR, when a processing operation does not or no longer requires the identification of the data subject, then the controller should act accordingly, deleting or otherwise hiding the identifying reference to the data subject. When this happens, the controller is not obliged to obtain additional information about the data subject for the sole purpose of GDPR compliance. Article 11(2) GDPR provides for an important exception to the above-mentioned rule. If a data subject wants to exercise their GDPR rights and to that extent provides further information allowing their (re)identification, the controller shall consider that information and, if possible, address the request. [5] In particular, all other GDPR requirements that do not require the data subject’s identification remain applicable, including, but not limited to, security of processing (Article 32(1) GDPR) and the general principles of processing set out in Article 5 GDPR.
(2) If the data subject exercises their rights, the controller must try the identification
In confirming the above interpretation, Paragraph 2 sets out a specific framework for the case that a data subject exercises their rights under Articles 15 to 20 GDPR. By definition, this situation requires the identification of the data subject, as a right only exists insofar as it is given to a specific person and they exercise it. In such circumstances, if, after pseudonymisation ("In cases referred to in paragraph 1 of this Article"), the controller receives a request to exercise the data subject’s right, but for technical reasons is unable to identify them, the controller must (i) prove this impossibility and (ii) inform the data subject of the reasons which render the request impossible. This will suffice to stay the claim ("In such cases, Articles 15 to 20 shall not apply") unless the data subject provides additional information allowing their identification. If their identification is possible following the receipt of the additional information, the exception will not apply and the controller shall comply with the data subject’s request.
Burden of Proof
The controller must be able to demonstrate that identifying the data subject is impossible. This demonstration should provide a transparent explanation of the reasons why the controller is unable to do so. Generic or circular arguments (e.g. "Our systems are unable to identify your data") do not meet the requirement of a proper demonstration under the fairness and transparency principle (Article 5(1)(a) GDPR).
Obligation to Inform
Article 11(2) GDPR provides for a peculiar informative obligation ("Where [...] the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible"). Such information is clearly different from that received under Articles 13 or 14 GDPR, and is particularly important as it allows the data subject to evaluate the allegedly non-identifying processing, as well as provide additional information to enable their identification. The controller should therefore provide tailored information and explain why identification is not possible. Furthermore, to comply with the principle of fairness the controller should indicate in advance which data the data subject should provide for their (re)identification.[6]
Decisions
→ You can find all related decisions in Category:Article 11 GDPR
References
- ↑ Georgieva, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 11 GDPR, p. 395 (Oxford University Press 2020).
- ↑ Indeed, certain processing operations require the collection of personal data, but not necessarily the (ongoing) identification,of the data subject. It can be assumed that in general business transactions only a few use cases under Article 11(1) exist because the business purpose usually requires identification of the business partner, for example to carry out deliveries, to assess creditworthiness or to maintain business correspondence.
- ↑ Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 11 GDPR, margin number 7 (C.H. Beck 2018, 2nd Edition).
- ↑ For this and other examles, see Gola, Datenschutz-Grund-verordnung, Article 11 GDPR, margin number 2 (C.H. Beck 2018, 2nd Edition).
- ↑ Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 11 GDPR, margin number 7 (C.H. Beck 2018, 2nd Edition).
- ↑ In this regard, the WP29 has already invited stakeholders "to elaborate, precisely with reference to Article 11 calls for proposals from the C-ITS WG on the concept of ‘additional information’ that can be provided in the context of this new service to make this provision effective". WP29, Opinion 3/2017 on processing personal data in the context of Cooperative Intelligent Transport Systems, p. 7.