GDPR Article 11 Explained: The Key to Data Minimization

GDPR Article 11 deals with data minimisation principles, which largely limit the processing of data to only that which is deemed necessary.

Controllers should delete or obscure any references to the data subject the moment the data is no longer required. When this occurs, controllers also need to obtain further info about the data subject to remain compliant.

If subjects would like to be re-identified, controllers should take this on board and formulate steps to address the request.

It’s important to note that, if the subject is not identified, Article 11 applies in part, but if the data subject requests re-identification, the controller needs to attempt this (unless, by burden of proof, this proves to be impossible).

GDPR Article 11 Legal Text

EU GDPR Version

Processing which does not require identification

  1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
  2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

UK GDPR Version

Processing which does not require identification

  1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
  2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.






EU GDPR Article 11 (1) And ISO 27701 Clause 7.4.5

PII De-identification and Deletion at the End of Processing

When PII no longer fulfils a stated purpose, organisations need to either completely destroy the data or modify it in a way that prevents any form of identification, either internally or externally.

As soon as the organisation has established that the PII doesn’t need to be processed at any time in the future, the information should be deleted or amended in a way that makes it impossible for the data subject to be identified.

EU GDPR Article 11 (2) And ISO 27701 Clause 7.3.2

Determining Information for PII Principals

Organisations should document the information that PII principals receive outlining how PII is processed.

There needs to be a set of requirements that govern when information is to be provided, and precisely what that information is, such as:

  • The purpose of the PII being collected and processed.
  • Contact details.
  • How PII was obtained.
  • Written requirements (contractual, statutory).
  • The process through which consent is removed.
  • Data transfers.
  • A complaints procedure.
  • The internal decision-making process.
  • Data retention periods.






EU GDPR Article 11 (2) And ISO 27701 Clause 7.3.3

Providing Information to PII Principals

Organisations need to outline who the PII controller is, and how data is processed, through ‘clear and accessible’ means that do not inhibit the dissemination of crucial information.

Information should be easy to follow, and set out in layman’s terms so that anyone who reads it is able to understand the nature of what’s being conveyed, along with any technical or operational specifics (see ISO 27701 Clause 7.3.2).

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

Supporting Controls From ISO 27701

GDPR Article           | ISO 27701 Clause | ISO 27701 Supporting Clauses
EU GDPR Article 11 (1) | ISO 27701 7.4.5  | None
EU GDPR Article 11 (2) | ISO 27701 7.3.2  | None
EU GDPR Article 11 (2) | ISO 27701 7.3.3  | ISO 27701 7.3.2

How ISMS.online Helps

Our pre-built environment allows you to describe and demonstrate your approach to protecting your European and UK customer data in a way that seamlessly integrates into your management system.

The ISMS.online platform contains built-in guidance at each step, as well as our ‘Adopt, Adapt, Add’ implementation approach, which reduces the amount of effort required to comply with GDPR. You will also receive a range of time-saving benefits.

Whether you are having trouble getting to GDPR because of a lack of confidence, ability, or motivation to take action, we can help you by providing our in-house experts or by recommending one of our trusted partners.


Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
