Article 11
Processing not allowing identification

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 11 keyboard_arrow_down Hide the recitals of the Regulation related to article 11 keyboard_arrow_up

(57) If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

There is no recital in the Directive related to article 11.

The GDPR

According to  Article 11 of the Regulation, where the processing purposes do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

At first glance, this new provision may seem superfluous. However, Article 11 should be read by keeping in mind the definition of personal data that constitutes personal data to be: “any information concerning an identified or identifiable natural person (“data subject”) is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (see Art. 4 (1)).

According to recital 26 of the Regulation, to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used or to which the controller or any other person may have access (such as the costs of identification and the time required for it, the available technologies and their development).

In doing so, the processing is likely to fall within the Regulation scope when the controller is able to or has access to means to identify a person, on the basis of the processed data.

If the purpose does not  justify the use of such means anymore - and therefore, if it seems that the controller no longer resorts in compliance with the principle of purpose, the Regulation emphasizes that the controller must not hold, acquire or process any additional information about persons for the sole purpose of complying with the Regulation, unless the purpose(s) of processing so  impose(s). 

In that case, and provided that the controller is able to demonstrate that he or she is not (no longer ) in position to identify the persons, the controller must inform the data subjects, if possible. In this case, Articles 15 (on the right to access by the data subject), 16 (on the right to rectification), 17 (on the right to erasure and to be forgotten), 18 (on the right to restriction of processing), 19 (on the notification obligation regarding rectification or erasure of personal data or restriction of processing) and 20 (on the right to data portability) are not applicable to processing that does not allow identification.

The data subject concerned by these types of processing may, however, refer to the above provisions in order to exercise their rights under these articles, insofar as he or she provides the controller additional information that can identify him or her. The controller can not therefore refuse the additional information provided by the data subject in order to facilitate the exercise of such rights (see recital 57).

The Directive

Neither the Directive nor the Belgian or French laws provide for this type of provision.

Potential issues

The conditions for application of the provision are not clear. The logic suggests that the controller  no longer needs to  resort to any means of identification in accordance with the principle of purpose that no longer requires  him or her to identify the data subjects at the moment when compliance with the Regulation arises.

The obligation to notify about such a situation will also pose difficulties. Not only is it illogical to provide for an obligation to inform people that one is [no longer] able to identify but since the controller must provide evidence of impossible identification (negative proof), disputes can arise a posteriori on this matter.

Retour au sommaire
Regulation
1e 2e

Art. 11

1.   If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2.   Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

1st proposal close

Art. 10

If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

2nd proposal close

Art. 10

1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain or acquire (...) additional information nor to engage in additional processing in order to identify the data subject for the sole purpose of complying with (...) this Regulation.(...)

2. Where, in such cases the controller is not in a position to identify the data subject, articles 15, 16, 17, 17a, 17b and 18 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional information enabling his or her identification.

.

Directive close

No specific provision

MADDE 7 - (1) Bu Kanun ve ilgili diğer kanun hükümlerine uygun olarak işlenmiş olmasına rağmen, işlenmesini gerektiren sebeplerin ortadan kalkması hâlinde kişisel veriler resen veya ilgili kişinin talebi üzerine veri sorumlusu tarafından silinir, yok edilir veya anonim hâle getirilir.

(2) Kişisel verilerin silinmesi, yok edilmesi veya anonim hâle getirilmesine ilişkin diğer kanunlarda yer alan hükümler saklıdır.

(3) Kişisel verilerin silinmesine, yok edilmesine veya anonim hâle getirilmesine ilişkin usul ve esaslar yönetmelikle düzenlenir.

close