In the context of the complaint procedure for GZ: DSBD123.270/0009-DSB/2018, the data protection authority had to deal with the question of which means can be used for deletion in its decision of December 5, 2018. The complainant had requested the deletion of all data. However, the respondent complied with the deletion request in the form that it deleted the complainant’s data in part by deleting it from its system, but in part it merely removed the personal reference to the complainant (i.e., it “anonymized” the complainant’s data). In the course of his complaint to the data protection authority, the complainant argued that the primacy of de facto erasure applied and that his right to erasure was therefore violated. The data protection authority has stated that the controller has a discretionary right to choose the means – i.e. the manner in which the deletion is carried out. Since the GDPR does not apply to data without a personal reference, the removal of the personal reference (i.e. “anonymization”) is in principle a possible means to comply with a deletion request. However, a strict standard applies, according to which it must be ensured that neither the person responsible himself nor a third party can restore the personal reference without disproportionate effort. In the present case, the respondent has proven by multiple screenshots from its system that the personal reference has been removed. Furthermore, the respondent has sufficiently and comprehensibly explained the process of removing the personal reference. The complaint was therefore dismissed in the result.