Companies are regularly faced with the question of whether redacting or anonymizing data is sufficient to comply with GDPR. This page explains when data is considered anonymous, what requirements the GDPR imposes and where errors often occur in practice.
Under the GDPR, whether data are subject to data protection law depends not on the type of processing, but on whether the data relate to a person.
The decisive factor is whether a natural person is identified or identifiable based on the available information. Recital 26 GDPR governs this question and requires an objective assessment: what counts is not the controller's intention, but whether identification would be realistically possible.
According to Recital 26 of the GDPR, data are only considered anonymous if the identification of the data subject is no longer possible, taking into account all means that are “reasonably likely to be used” by the controller or by another person.
What matters is not only direct identification, but also any form of indirect re-identification through additional knowledge, data linkage, or technical means. If re-identification cannot be practically ruled out, the data remain personal data within the meaning of the GDPR.
In practice, redaction and anonymization are often equated, although they must be assessed differently from a legal point of view.
Redaction visually obscures content, but the original data often remain in the document. Unless the content is technically removed, it can often be recovered.
• PDF text can be copied
• Layers are retained in metadata
• Hidden content can still be read
GDPR-compliant anonymization removes or technically changes data in such a way that conclusions can no longer be drawn about people — even with additional knowledge.
• Content is removed or irreversibly changed
• Metadata is cleaned
• Review based on defined criteria
Many data protection breaches do not result from intent, but from incomplete or faulty procedures.
Content is only visually covered, but is technically retained in the document. As a result, it can be reconstructed and made visible again, for example by copying, exporting or analysis tools.
Author names, version histories, or comments may still contain personal information, even if the visible text has been redacted. This metadata is often retained in the document and allows conclusions to be drawn about people involved or internal processes, unless removed.
Combinations of time, location, or project data can make it possible to re-identify people.
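The first two errors above (content that is only visually covered, and metadata left in place) can be checked mechanically before a document is released. The following is an added example, not part of the original page: it assumes the document is a Word (.docx) file, the function names `audit_docx` and `build_sample_docx` are hypothetical, and the sample file with its names is constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"

def audit_docx(data: bytes) -> dict:
    """Report personal data that survives a purely visual redaction of a .docx."""
    found = {"metadata": {}, "comment_authors": [], "covered_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:  # author fields kept in the package
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"):
                el = core.find(tag)
                if el is not None and el.text:
                    found["metadata"][tag.split("}")[1]] = el.text
        if "word/comments.xml" in names:  # review comments carry author names
            root = ET.fromstring(z.read("word/comments.xml"))
            authors = {c.get(f"{{{W}}}author") for c in root.iter(f"{{{W}}}comment")}
            found["comment_authors"] = sorted(a for a in authors if a)
        if "word/document.xml" in names:  # text under a black highlight is still text
            root = ET.fromstring(z.read("word/document.xml"))
            for run in root.iter(f"{{{W}}}r"):
                hl = run.find(f"{{{W}}}rPr/{{{W}}}highlight")
                if hl is not None and hl.get(f"{{{W}}}val") == "black":
                    text = "".join(t.text or "" for t in run.iter(f"{{{W}}}t"))
                    found["covered_text"].append(text)
    return found

def build_sample_docx() -> bytes:
    """Constructed minimal sample: black highlight over a name, metadata left in."""
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            "<dc:creator>Jane Example</dc:creator>"
            "<cp:lastModifiedBy>John Sample</cp:lastModifiedBy></cp:coreProperties>",
        "word/comments.xml": f'<w:comments xmlns:w="{W}">'
            '<w:comment w:id="0" w:author="Jane Example"/></w:comments>',
        "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p>'
            "<w:r><w:t>Patient: </w:t></w:r>"
            '<w:r><w:rPr><w:highlight w:val="black"/></w:rPr><w:t>Max Mustermann</w:t></w:r>'
            "</w:p></w:body></w:document>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

An empty result from such a check only covers the fields it inspects; it does not show that the document is anonymous in the sense of Recital 26.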
Redacting data may be sufficient in individual cases, but not in the following scenarios.
As soon as documents are transmitted to external bodies, the anonymization must be technically reliable. Purely visual blackening is usually not enough.
With larger amounts of data, the risk of indirect identification increases. This requires clear rules and automatic procedures.
When documents are archived or kept for audits, personal data must be permanently removed. Subsequent access must not allow any inferences to be drawn.
Explore further aspects or check which formats and scenarios are relevant for your company. We are happy to provide you with an individual evaluation.
Would you like to learn more about use cases, document types or the use of Project A? Get in touch with us — we will give you individual advice and show you the appropriate next steps.