Under Article 11 of the EU General Data Protection Regulation, the provisions governing processing that does not require identification might be considered one of the embodiments of the data minimization principle, i.e., requirement that personal data are adequate, relevant and limited to what is necessary with the purposes for which they are processed.
Article 11 limits some of the data controllers’ obligations and, at the same time, aims to emphasize how the GDPR requirements may not be used as an excuse to collect more data than otherwise would be needed. If a purpose for which a controller processes personal data does not or no longer require them to identify a data subject, then they are not obliged to maintain, acquire or process additional information to identify the data subject for the sole purpose of complying with the GDPR, such as with the obligation to enable data subjects’ rights.
However, it seems the provisions limiting some of the data controller’s obligations under Article 11 are open to misinterpretation — in the way they are used as an argument for rejecting data subjects from exercising their rights. Also, the processing in question does not require identification and therefore, a data controller is not obligated themselves to identify data subjects by collecting additional data for the purpose of enabling their rights.
This misinterpretation stems from the “oversight” in the second paragraph of Article 11, which states Articles 15 through 20 of the GDPR shall not apply if the controller can demonstrate that it is not in a position to identify the data subject, except where data subjects provide additional information enabling identification. Recital 57 of the GDPR provides additional guidance, stating that the data controller should not refuse to take additional information provided by the data subject to support the exercise of their rights.
Misconception and the Stop COVID-19 app
The app is decentralized (as opposed to a centralized approach where all relevant data are stored in the central server), operates on the Bluetooth Low Energy technology, and is based on the Google and Apple exposure notification system. It collects and processes only randomly generated keys, which change several times every hour, proximity data and the date and duration of the contact between users. These should be treated as pseudonymized data, even though it is claimed the data is anonymized.
Considering the data being processed via the app, it is evident the main purpose is not to identify data subjects nor does it require identification, irrespective of whether it is possible to do so. The ministry would indeed need additional information from users to assign the above-mentioned pseudonymized data to them to, for example, enable the right of access.
It is, of course, possible the ministry or any other data controller in the same or similar situation would be unable to identify data subjects to enable them to exercise their rights with regards to the respective processing activity even after they provide additional data. However, the GDPR provisions, including the full text of Article 11, should be duly followed. If a controller is unable to identify a data subject requesting their rights, they should first inform the data subject of that inability clearly and transparently. Further, if a data subject is willing to provide additional data to enable their identification, and such data would still not be enough for identification, then Article 11 would be fully embodied.
Photo by Joshua Sortino on Unsplash
European Data Protection reviews concepts, criteria and obligations of the GDPR and related laws, examines the territorial and material scope of the GDPR, legitimate processing criteria, information provision obligations, data subjects’ rights, security of processing, accountability requirements, and supervision and enforcement. The book also provides practical concepts concerning the protection of personal data and cross-border data transfers.
This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.
If you want to comment on this post, you need to login.