Forget me yes, part two.
Austrian Data Protection Authority holds that a data controller can meet its obligations to satisfy a data subject’s erasure request under GDPR by anonymizing personal data.
Some points:
-
Erasure is not the same as destruction; the controller can select means to carry out the erasure.
-
The controller must ensure that neither the controller himself nor a third party can restore a personal reference without disproportionate effort.
-
The fact that a reconstruction of the data may become possible in future due to new technology, does not render the erasure insufficient.
-
The measures used by the company that were deemed to be sufficient for erasure were:
-
delete the contract offer
-
delete all contacts (e.g. mail address, telephone number, etc.)
-
irrevocable manual deletion of the first and last name and replacement by “John Doe” (with the same date of birth)
-
stop communication with the individual
-
merge the person to be erased with the new anonymous person to ensure that the overwriting is also technically sustainable
-
erase customer in electronic file
Details from the Austrian Data Protection Authority.
[View source.]