The European Data Protection Board’s New Guidelines on Pseudonymisation
In the first quarter of 2025, the European Data Protection Board (“EDPB“) adopted a new guideline under reference number 1/2025 (the “Guideline“), focusing on the principles and benefits of pseudonymisation under Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). In this newsletter, we summarise the main findings of the Guidance that are relevant to practice.
What is the significance?
The rules on data processing apply in a wide range of roles, often as an employer, supplying partner or contractor. Choosing the right legal basis for data processing and complying with the principles is of paramount importance, as are the technical and organisational measures in place to ensure the security of the data processed. The GDPR considers pseudonymisation as a risk mitigation tool, whereby personal data are processed in such a way that it is not possible to identify the natural person to whom they relate without further information, i.e. identity can only be established by additional information.
It is a condition that this information – i.e. the pseudonym and the additional attribute – is stored separately and that it is ensured that the data cannot be linked to the natural person concerned unless the conditions are met. Where pseudonymisation is used, the specific risks that the method is intended to reduce must be identified and the procedure must be designed to be effective in achieving the stated aim. This may be particularly relevant in cases where the nature of the data processed would make it easy to identify the natural person. However, it is essential that pseudonymisation does not replace other data protection measures but complements them.
Supporting compliance with data protection principles
Pseudonymisation, as a good practice identified by the EU Commission, can, if properly applied, help data controllers to comply with the principles of the Regulation. According to the GDPR, data may only be collected for specified purposes and processed in a manner compatible with those purposes. Pseudonymisation reduces the risk that personal data may be further processed in a way that is incompatible with the purpose for which the data were originally collected.
For example, assigning widely different pseudonyms (e.g. employee identifiers) to data of persons with very similar identifiers (e.g. employees named Steven Smith) may not only enhance confidentiality, but also contribute to the requirement of accuracy and timeliness of personal data by reducing the possibility that data (e.g. payroll) are wrongly attributed to the wrong person.
Justification of the legal basis for processing
To demonstrate the lawfulness of processing, it is essential to indicate the appropriate legal basis. Since pseudonymisation reduces the risk to the rights and freedoms of data subjects, it can facilitate the use of legitimate interest as a legal basis (Article 6 (1) (f) GDPR). Pseudonymisation minimises the chances that the data will lead to unauthorised identification.
Likewise, pseudonymisation can help to ensure compatibility with the original purpose (Article 6 (4) GDPR). Pseudonymisation can also be a good safeguard when considering compatible purposes for further processing, as it can limit the possible consequences of the envisaged further processing for the data subjects, thus reducing the risk of further processing purposes.
How to apply?
The organisation acting as data controller must ensure that pseudonymised data cannot be linked to an individual as long as the additional information is processed separately. To achieve this, the data controller must modify the data and store additional keys and information separately so that only authorised persons can link the data.
For the sake of the efficiency of the method, pseudonymised data should not contain direct identifiers (e.g. known identification numbers such as tax identification number, ID number), because these direct identifiers can be used to easily associate data with data subjects. Instead, identifiers, unique codes that can only be assigned to data subjects using additional information may be used; this is the pseudonym. All this needs to be ensured by appropriate technical and organisational measures, such as:
– encryption,
– use of interpretation keys and separate storage,
– ensuring access only to authorised persons.
Data processed in the course of a pseudonymisation as personal data
It is important to note that pseudonymised data is still considered personal data, i.e. it is subject to the GDPR, and therefore the rights of the data subject must be ensured. For example, if the person can provide the pseudonym under which his or her data is stored and can prove that this pseudonym relates to him or her, the data controller must be able to identify the data subject, and the claims made in the exercise of the data subject’s rights must be met if any additional conditions are met.
The pseudonymisation of data reduces the risks for the data subjects, since in case of a possible unauthorised access or disclosure, with a proper pseudonymisation, the direct identification data relating to the natural person will not be disclosed (e.g. a cafeteria declaration is sent to the wrong place but only the pseudonym is indicated).
Interestingly, if the security of the pseudonymised data is compromised, leading to an unauthorised reversal of the pseudonymisation, this may constitute a data breach and appropriate action may need to be taken depending on the circumstances of the specific case.
Conclusion
The Guideline provides a useful framework for the use of pseudonymisation as a data processing safeguard. It is not only a technical tool, but a set of data protection procedures that contribute to the compliance with the GDPR rules, while at the same time helping to ensure data processing and related rights. The introduction of pseudonymisation is appropriate based on a review of the data processing strategy in place, but it also requires technical and organisational measures and the appropriate completion of the data processing documentation.
Image source: Markus Winkler, Pexels.com