15
GDPR - Pocket Edition
amount of time required for identification, taking into consideration the
available technology at the time of the processing and technological
developments. The principles of data protection should therefore not
apply to anonymous information, namely information which does not
relate to an identified or identifiable natural person or to personal data
rendered anonymous in such a manner that the data subject is not or
no longer identifiable. This Regulation does not therefore concern the
processing of such anonymous information, including for statistical or
research purposes.
(27) This Regulation does not apply to the personal data of deceased
persons. Member States may provide for rules regarding the processing
of personal data of deceased persons.
(28) The application of pseudonymisation to personal data can reduce the
risks to the data subjects concerned and help controllers and processors
to meet their data-protection obligations. The explicit introduction of
‘pseudonymisation’ in this Regulation is not intended to preclude any
other measures of data protection.
(29) In order to create incentives to apply pseudonymisation when
processing personal data, measures of pseudonymisation should,
whilst allowing general analysis, be possible within the same controller
when that controller has taken technical and organisational measures
necessary to ensure, for the processing concerned, that this Regulation
is implemented, and that additional information for attributing the
personal data to a specific data subject is kept separately. The controller
processing the personal data should indicate the authorised persons
within the same controller.
(30) Natural persons may be associated with online identifiers provided
by their devices, applications, tools and protocols, such as internet
protocol addresses, cookie identifiers or other identifiers such as radio
frequency identification tags. This may leave traces which, in particular
when combined with unique identifiers and other information received
by the servers, may be used to create profiles of the natural persons and
identify them.
(31) Public authorities to which personal data are disclosed in accordance
with a legal obligation for the exercise of their official mission, such as
tax and customs authorities, financial investigation units, independent
administrative authorities, or financial market authorities responsible
for the regulation and supervision of securities markets should not be
regarded as recipients if they receive personal data which are necessary
to carry out a particular inquiry in the general interest, in accordance
with Union or Member State law. The requests for disclosure sent by the
public authorities should always be in writing, reasoned and occasional
and should not concern the entirety of a filing system or lead to the
interconnection of filing systems. The processing of personal data
by those public authorities should comply with the applicable data-
protection rules according to the purposes of the processing.
(32) Consent should be given by a clear affirmative act establishing a freely
given, specific, informed and unambiguous indication of the data
subject’s agreement to the processing of personal data relating to him
or her, such as by a written statement, including by electronic means,