|
From the https://gdpr-info.eu/art-4-gdpr/: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" The central question for you should be: is it possible to identify a natural person from the data you're processing? If it's randomly generated ID and if no-one (including you and your employees) can identify an individual from that ID (or other data you're storing/processing) then you should be on a safe side, and GDPR should not apply to you. However, if it is possible to identify an individual from the ID (other data), then you should comply with the GDPR. In that case, you should determine a lawful basis for processing (e.g., legitimate interest, consent), possibly ask for consent, ensure that a data subject knows what his rights are (e.g., right to be informed, to rectification, data erasure, etc.) My favorite GDPR resource is: https://ico.org.uk/for-organisations/guide-to-the-general-da...
For basics, take a look here: https://www.gdprhq.io/post/how-the-new-european-general-data... |
"If it's randomly generated ID and if no-one (including you and your employees) can identify an individual from that ID ..."
If this is the relevant criterion, that is, if it's practically possible to deanonymize the data, I'd be in fact on the safe side.
However, theoretically, if someone would access the device of a user and extract the user's ID (which would in practise require enormous efforts), the data could be deanonymized. I'm wondering if there's a way to clarify that.
I will check your linked resources, maybe they clarify that.