| Read your own cite: nothing about the UUID in question is associable with an identified or identifiable natural person, which is what the GDPR concerns. This is false and a misunderstanding of the GDPR. It is not about whether it is currently possible. But whether it would be possible if it was correlated with other data. What differs pseudonymisation from anonymisation is that the latter consists of removing personal identifiers, aggregating data, or processing this data in a way that it can no longer be related to an identified or identifiable individual. Unlike anonymised data, pseudonymised data qualifies as personal data under the General Data Protection Regulation (GDPR). Therefore, the distinction between these two concepts should be preserved. https://edps.europa.eu/press-publications/press-news/blog/ps... ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; https://gdpr-info.eu/art-4-gdpr/ So, basically if we have a data set with three columns: Personal name, UUID, Action (e.g. brew install fzf) Removing the first column is pseudonymization, and thus qualifies as personal data under the GDPR. Removing the first and the second column is anonymisation and is not personal data. Again IANAL, but it is clear from the GDPR that the only thing you could do without consent is e.g. recording what packages get installed/uninstalled, but without a UUID. |
We do not store anything else that could correlate with that UUID. We don't expose it to anybody else and it's unclear how, even if we did, it would result in personal correlation.