How to Demonstrate Compliance With GDPR Article 11

GDPR Compliance Software

Book a demo

teamwork,together,professional,occupation,concept

GDPR Article 11 deals with data minimisation principles, which largely limit how data is processed linked to only that which is deemed necessary.

Controllers should delete or obscure any references to the data subject the moment the data is no longer required. When this occurs, controllers also need to obtain further info about the data subject to remain compliant.

If subjects would like to be re-identified, controllers should take this on board and formulate steps to address the request.

It’s important to note that, if the subject is not identified, Article 11 applies in part, but if they data subject requests re-identification, the controller needs to attempt this (unless, by burden of proof, this proves to be impossible).

GDPR Article 11 Legal Text

EU GDPR Version

Processing which does not require identification

  1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

  2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

UK GDPR Version

Processing which does not require identification

  1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

  2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
Jump to Topic
We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

EU GDPR Article 11 (1) And ISO 27701 Clause 7.4.5

PII De-identification and Deletion at the End of Processing

When PII no longer fulfils a stated purpose, organisations either need to completely destroy the data, or modify it in a way that prevents any form of identification in any way, either internally or externally.

As soon as the organisation established that the PII doesn’t need to be processed at any time in the future, the information should be deleted or amended in a way that makes it impossible for the data subject to be identified

EU GDPR Article 11 (2) And ISO 27701 Clause 7.3.2

Determining Information for PII Principals

Organisations should document the information that PII principals receive, that outlines how PII is processed.

There needs to be set of requirements that govern when information is to be provided, and precisely what that information is, such as:

  • The purpose of the PII being collected and processed.

  • Contact details.

  • How PII was obtained.

  • Written requirements (contractual, statutory).

  • The process through which consent is removed.

  • Data transfers.

  • A complaints procedure.

  • The internal decision-making process.

  • Data retention periods.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

ISMS.online will save you time and money

Get your quote

EU GDPR Article 11 (2) And ISO 27701 Clause 7.3.3

Providing Information to PII Principals

Organisations need to outline who the PII controller is, and how data is processed, through ‘clear and accessible’ means that do not inhibit the dissemination of crucial information.

Information should be easy to follow, and set out in layman’s terms so that anyone who reads it is able to understand the nature of what’s being conveyed, along with any technical or operational specifics (see ISO 27701 Clause 7.3.2).

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

Supporting Controls From ISO 27701

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Article 11 (1)ISO 27701 7.4.5None
EU GDPR Article 11 (2)ISO 27701 7.3.2None
EU GDPR Article 11 (2)ISO 27701 7.3.3ISO 27701 7.3.2

How ISMS.online Helps

Our pre-built environment allows you to describe and demonstrate your approach to protecting your European and UK customer data in a way that seamlessly integrates into your management system.

The ISMS.online platform contains built-in guidance at each step, as well as our ‘Adopt, Adapt, Add’ implementation approach, which reduces the amount of effort required to comply with GDPR. You will also receive a range of time-saving benefits.

Whether you are having trouble getting to GDPR because of a lack of confidence, ability, or motivation to take action, we can help you by providing our in-house experts or by recommending one of our trusted partners.

Find out more by booking a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more