Forget me yes, part two.
Austrian Data Protection Authority holds that a data controller can meet its obligations to satisfy a data subject’s erasure request under GDPR by anonymizing personal data.
- Erasure is not the same as destruction; the controller can select means to carry out the erasure.
- The controller must ensure that neither the controller himself nor a third party can restore a personal reference without disproportionate effort.
- The fact that a reconstruction of the data may become possible in future due to new technology, does not render the erasure insufficient.
- The measures used by the company that were deemed to be sufficient for erasure were:
- delete the contract offer
- delete all contacts (e.g. mail address, telephone number, etc.)
- irrevocable manual deletion of the first and last name and replacement by “John Doe” (with the same date of birth)
- stop communication with the individual
- merge the person to be erased with the new anonymous person to ensure that the overwriting is also technically sustainable
- erase customer in electronic file
Details from the Austrian Data Protection Authority.