What anonymization criteria must be kept in mind to properly comply with the legal mandate?

Without prejudice to the definition of the General Data Protection Regulation in relation to anonymous information, in accordance with article 32.4 of Law 2/2023, the personal data contained in the internal system must be deleted if it has not been initiated an investigation action, except that the purpose is to leave evidence of the operation of the system. This article refers specifically to the fact that the communication contained in the internal channel should be anonymous, that is to say, it should not be related to an identified or identifiable person.

In matters of anonymization, the criteria of the Spanish Data Protection Agency (AEPD) and the practical guidelines it has drawn up in the document Guidelines and guarantees in the anonymization procedures of personal data. Likewise, the Agency has a free anonymization tool: Anonymization tool the Singapore Personal Data Protection Commission (PDPC) | AEPD.