Anonymous vs. Pseudonymous

The dilemma of having to choose between privacy protection and data analysis.

Pseudonymous data are data for which, in principle, options still exist for allocating them to a person (e.g. by the person who carried out the pseudonymization). These options can also expressly lie outside the access of the person responsible (data processor). If the reference to persons is removed from personal or personally identifiable data, anonymization takes place. According to the Federal Commissioner for Data Protection and Freedom of Information (BfDI), anonymization occurs when the personal reference of data has been removed in such a way that it cannot be restored or can only be restored with disproportionate expenditure of time, costs and manpower.

The following applies to pseudonymized data:

They remain within the scope of the GDPR, so they may not simply be shared and may only be stored with the consent of the persons concerned.

It is different with anonymized data. The GDPR does not apply here. No explicit consent is required to save and pass on the data.

The difference between pseudonymized and anonymous use of a service.

A service that stores user data pseudonymized in profiles can run differentiated data analysis on this data to generate valuable insights. At the same time, however, it accepts that the real identities of its users can be revealed by third parties in case of doubt.

In contrast, a purely anonymously used service can guarantee the absolute protection of the privacy of its users, but forgoes the possibility of a differentiated data analysis.

Anonymization fulfills the obligation to delete

Resolving the contradiction between compliance and usage for future data-based business models

As a consequence, companies invest in the necessary data. However, conflicting goals inevitably arise between protecting the data and using it. On the one hand, unlimited access and permanent exploitation collide with the protection of the data. In particular, protected data may only be used with the consent of the data subject, for a specific purpose, and with the possibility of data deletion. On the other hand, companies want their data investments to be amortized as well as possible. How do you get out of this data dilemma?

In 2020, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stipulated that an obligation to delete according to Art. 17 GDPR can be fulfilled through anonymization, provided that the company concerned has lawfully collected the personal data. In addition, the data must have been anonymized in such a way that the personal reference cannot be restored or can only be restored with disproportionate effort.
