Forget me yes, part two.

Austrian Data Protection Authority holds that a data controller can meet its obligations to satisfy a data subject’s erasure request under GDPR by anonymizing personal data.

Some points:

  • Erasure is not the same as destruction; the controller can select means to carry out the erasure.
  • The controller must ensure that neither the controller himself nor a third party can restore a personal reference without disproportionate effort.
  • The fact that a reconstruction of the data may become possible in future due to new technology, does not render the erasure insufficient.
  • The measures used by the company that were deemed to be sufficient for erasure were:
    • delete the contract offer
    • delete all contacts (e.g. mail address, telephone number, etc.)
    • irrevocable manual deletion of the first and last name and replacement by “John Doe” (with the same date of birth)
    • stop communication with the individual
    • merge the person to be erased with the new anonymous person to ensure that the overwriting is also technically sustainable
    • erase customer in electronic file

Details from the Austrian Data Protection Authority.