Questions & Answers
What is Aggregated Data?
Aggregated data is information gathered and expressed in a summary form for statistical analysis. According to Recital 162 of the EU's General Data Protection Regulation (GDPR), the statistical purpose implies that the result of processing is not personal data, but aggregate data, and this result is not used to support measures or decisions regarding any particular natural person. In other words, once data is properly processed so it can no longer identify a specific individual, it becomes aggregated data and falls outside the scope of personal data protection laws.
Why is it important for Taiwanese companies?
If aggregation is handled improperly, leading to the possibility of 're-identification' of individuals, it is considered a personal data breach. Under Taiwan's Personal Data Protection Act (PDPA), failure to take appropriate security measures can result in fines of up to NT$15 million and potential class-action lawsuits. Furthermore, clients in international supply chains (e.g., semiconductor, automotive) often require their suppliers to comply with global standards like the GDPR, making compliant data processing a key factor for maintaining global competitiveness.
Which ISO standards or international regulations are directly related?
The main related standards are:

1. **ISO/IEC 27701 (Privacy Information Management System)**: As a privacy extension to ISO 27001, several of its controls (e.g., A.7.4.5) require organizations to de-identify or delete Personally Identifiable Information (PII) at the end of processing.
2. **ISO/IEC 27001 (Information Security Management System)**: Its Annex A controls, such as A.18.1.4 (Privacy and protection of PII), mandate the protection of personal data throughout its lifecycle, which applies to the raw data before aggregation.
3. **EU GDPR**: Recital 162 explicitly defines aggregated data for statistical purposes and clarifies that it is not considered personal data.
Why choose Winners Consulting?
Winners Consulting is Taiwan's pioneering firm integrating Enterprise Risk Management (ERM), data science, and technology law. Our team, comprising tech lawyers and ISO Lead Auditors, assists companies with everything from legal compliance and technical implementation to management systems. We ensure your aggregated data processes meet international standards and regulations, and we integrate them into existing corporate governance and internal controls to avoid redundancy. Our extensive experience with the semiconductor and other supply chain industries allows us to provide the most practical, industry-specific solutions.