Article 11

Processing which does not require identification

1.   If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2.   Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

What does it mean?

In essence, Article 11 states that if you can achieve your purpose without identifying specific individuals, then you are not obliged to keep additional data about them, or to go through the extra steps of determining their identities, just to comply with the GDPR.

Imagine you wish to conduct an employee engagement survey. Your aim is to gather candid feedback about workplace culture, management, and satisfaction levels. To encourage honest responses, you design the survey to be anonymous. You do not collect names or other personally identifiable information.

Since your purpose does not necessitate linking responses to specific individuals, Article 11 states that you are not required to implement additional measures to establish the identities of respondents.

If a survey respondent from the previous example were to exercise their rights under the GDPR, their ability to do so would be limited because the survey was conducted anonymously.

However, Article 11 provides an exception to this. If a respondent wishes to exercise their rights and comes forward with enough additional information to be identified, the company would then be obliged to address their request.

Article 11 reinforces the idea that companies shouldn’t collect more personal data than strictly necessary, and it can save organizations time and resources by avoiding those unnecessary identification steps.
