This blog was written in January 2025 before completion of the public consultation.
Since the entry into force of the General Data Protection Regulation (GDPR), pseudonymisation has become a widely accepted term in the privacy domain. It is defined as: “The processing of personal data in such a way that the data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and technical and organisational measures are in place to ensure that the personal data are not attributed to an identified or identifiable natural person.”
The GDPR requires organisations to take appropriate technical and organisational measures to secure personal data. Pseudonymisation is one of the available options. For more information on an appropriate level of protection, I refer to my colleague’s earlier blog.
Although pseudonymisation is a well-established term used by privacy experts, it is not a closed topic for the European Data Protection Board (EDPB). At the plenary meeting of 16 January 2025, new guidelines on pseudonymisation were adopted and the definition and practical applicability of pseudonymisation were clarified. In this blog, I explain the new guidelines and highlight the advantages they emphasise.
The new guidelines
Let us start with the clarification of pseudonymisation. The guidelines state that pseudonymised data that can be linked back to a person through the use of additional information remain personal data, because identification of a natural person is still possible. This conclusion is logical. In principle, data qualify as personal data if they can be linked to a natural person. Whether this occurs directly or indirectly using other data does not matter.
The new guidelines also clarify the benefits of pseudonymisation. It can reduce security risks and make it easier to rely on legitimate interests as a legal basis. This is because pseudonymisation prevents the transfer of directly identifiable data. Only with additional information can the data be linked to a person. This reduces the privacy impact on individuals and positively influences the mandatory balancing test when relying on legitimate interests.
Pseudonymisation also ensures that, in the event of a data breach, an unauthorised party can do little with the data without the additional information. A win-win.
Protecting personal data
As mentioned, pseudonymisation is one of the measures that can contribute to an appropriate level of protection. The guidelines also expand on this. Pseudonymisation can serve as a cornerstone of privacy by design and privacy by default. Privacy by design means embedding privacy considerations into the design process (and thereafter) of a new application, service or procedure. Privacy by default means choosing the most privacy-friendly default settings (we share as little as possible by default, and you may opt for more).
Building in pseudonymisation as standard, for example by applying encryption across an application, is a privacy by design measure. A service provider could also offer pseudonymisation by default for client data. Only at the client’s request would this be changed. In other words, privacy-friendly default settings.
Transfers of personal data
Within the EU, we not only enjoy free movement of goods but also of personal data. Under the GDPR, secure transfers of personal data to third countries are allowed only with additional measures. Pseudonymisation can form part of these measures. You could, for example, share only pseudonymised data with parties in third countries while retaining the key to re-identify data within the EU. The key would be shared with authorised persons outside the EU only if strictly necessary.
A controller could also choose to apply an entirely new pseudonymisation method to the data that must be transferred. By pseudonymising data differently for external transfers than for internal processing, the impact of a potential breach is reduced. The external party receives a different encrypted version than the organisation uses internally. If a breach occurs at the external party, the shared data remain safe, provided the key has not also been leaked.
Other examples of pseudonymisation
Beyond the examples above, the guidelines provide several additional examples. By doing so, the EDPB offers practical tools for real-world use. To make this even clearer, the examples are linked to specific GDPR provisions. The areas covered include:
-
data minimisation,
-
purpose limitation,
-
appropriate security,
-
accuracy,
-
safeguards and derogations for processing for archiving in the public interest, scientific or historical research or statistical purposes,
-
security of processing,
-
legitimate interests,
-
further processing for purposes other than those for which the data were originally collected,
-
data transfers,
-
lawfulness, fairness and transparency.
These examples follow a clear structure with a problem description, the types of data that must be processed and the pseudonymisation process. When designing new appropriate organisational measures for data processing, it is highly advisable to turn to page 31 of the guidelines and use these examples for inspiration.
Conclusion
The EDPB’s new pseudonymisation guidelines clarify how the GDPR already works in practice. Although they do not necessarily introduce new information, they shed light on several underexposed areas within the privacy landscape. The guidelines also offer ten clear examples that companies and public bodies can put into practice. Especially because of these examples, the guidelines are a valuable and welcome addition to every policymaker’s privacy toolkit.
Do you want to specialise in privacy and learn how to design and implement effective privacy policies in line with the GDPR? Then join our training programme for Privacy Officers.
