The classic trap
Article 11 is presented as a relief, but it becomes a trap the moment it is invoked wrongly. The CNPD and the CNIL sanction controllers who refuse to honour an access request by claiming Article 11(2) while in fact holding indirect identifiers (cookie ID, IP address, device ID, hashed email) that link the data back to the person. Recital 57 is clear: if the controller can identify the person with the help of reasonably provided additional information, it cannot hide behind a supposed impossibility. The burden of proof is reversed: it is up to you to demonstrate that you are not in a position to identify, not for the person to prove the opposite.
The defensible non-identification test
Invoking Article 11 without an evidence file means exposing yourself to a re-qualification as an unlawful refusal of access (Article 15). The points the CNPD checks during an inspection:
- The purpose genuinely no longer requires identification (aggregated analytics, statistics, pseudonymised research) and this absence of need is documented.
- The controller does not keep, elsewhere in its IS, a mapping table or re-identification key (CRM, server logs, backups).
- The absence of exploitable indirect identifiers (IP, cookie, fingerprint, advertising ID) is verified and traced.
- The person was informed, where possible, that they cannot exercise Articles 15 to 20 in the current state.
- A mechanism exists to reactivate the rights if the person provides additional identifying information.
- Pseudonymisation is not confused with anonymisation: pseudonymised data remains personal data fully subject to the GDPR.
How Luxgap automates this risk
Our Luxgap Identifiability Prover makes abusive reliance on Article 11 impossible by measuring, dataset by dataset, your real re-identification capacity. The tool scans your data stores (PostgreSQL, BigQuery, Snowflake, S3, Azure Data Lake) and your analytics tools (Matomo, GA4, Mixpanel) to detect residual direct and indirect identifiers, then computes a defensible identifiability score instead of leaving you to guess.
- Automatically scans your tables and buckets to spot columns containing direct or indirect identifiers (email, IP, cookie ID, device ID, reversible hash).
- Detects mapping tables and re-identification keys scattered across the IS, including in backups and logs, that wreck an Article 11 defence.
- Computes a k-anonymity and singling-out risk score to distinguish truly anonymised data from mere pseudonymisation.
- Generates the evidence file documenting why the purpose no longer requires identification, in line with Recital 57.
- Publishes a mechanism to reactivate Articles 15 to 20 rights when the person provides additional information.
- Produces a timestamped PDF report, enforceable before the CNPD, demonstrating the real inability to identify or, conversely, alerting you that Article 11 does not apply to your case.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real data, with a free scan within 48h to measure your re-identification capacity before any engagement.