
GDPR - Pocket Edition

amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means,