On January 16, 2025 the European Data Protection Board (EDPB) has published guidelines on pseudonymization of personal data for public consultation (available here), in the drafting of which the Berlin Data Protection Commissioner (BlnBDI) played a leading role (see the press release of the BlnBDI, available in German language here). The consultation phase is currently in progress. Comments on the draft guidelines can still be submitted until February 28, 2025 using the form provided by the EDPB (available here).
Definition of “Pseudonymization” and Distinction from Anonymization
In addition to comprehensive instructions on individual pseudonymization techniques, the proposed guidelines provide an overview of the advantages of pseudonymization in business practice. The General Data Protection Regulation (GDPR) defines pseudonymization as the processing of personal data in such a manner that the data can no longer be attributed to a specific person without the use of additional information. In this respect, pseudonymization differs from anonymization. In the latter case it is no longer possible to attribute the data to a specific person, even if additional information is used. The processing of anonymized data thus falls outside the scope of the GDPR, while pseudonymized data is still considered “personal data” and as such covered by the GDPR.
Advantages of Pseudonymization
The guidelines emphasize that the GDPR does not impose a general obligation to use pseudonymization. Nevertheless, the use of pseudonymization techniques offers companies the opportunity to improve their GDPR compliance and reduce risks of data breaches. Furthermore, pseudonymization can enhance the use of legitimate interests as a legal basis for processing (Art. 6 para. 1 lit. f GDPR) and helps to ensure that the data usage is compatible with the original purpose for which the data was collected (Art. 6 para. 4 GDPR). Accordingly, companies can use pseudonymization to develop privacy-enhancing applications for the usage and analysis of data that appropriately consider the rights of data subjects. This is particularly relevant in data-intensive sectors such as the financial industry, human resources management and healthcare.
Procedures of Pseudonymization
According to the guidelines, a central aspect of ensuring effective pseudonymization is the proper pseudonymization procedure that is conducted in three consecutive steps:
- First, personal data must be transformed by removing or replacing identifiers. Various procedures are applied here, including cryptographic algorithms such as message authentication codes or encryption algorithms as well as the creation of lookup tables in which pseudonyms are matched with identifiers.
- Second, it must be ensured that all additional information for subsequent re-identification – so-called pseudonymization secrets such as cryptographic keys or lookup tables – is stored separately and protected. The guidelines emphasize that information beyond the immediate control of the controller, which can reasonably be expected to be available to the controller, should be taken into account when assessing the effectiveness of pseudonymization.
- Finally, appropriate technical and organizational measures (TOMs) must be implemented to prevent unauthorized re-identification. These include the implementation of access restrictions, the storage of pseudonymization secrets in different locations and the random generation of pseudonyms.
The guidelines stipulate that the effective implementation of these measures contributes significantly to increasing data security and minimizes the risk of data breaches. The guidelines thus outline practical use cases that illustrate various scenarios that often occur in practice.
Outlook
Although the EDPB guidelines are not legally binding, practical experience shows that they are often used by courts and supervisory authorities as decisive guidance. In practice, they serve as a valuable guidance for the interpretation of the GDPR and offer companies a reliable basis for developing data protection compliant processes. Companies should therefore consider the guidelines’ recommendations not only as non-binding notice, but as important guidance for the design of their privacy practices. That does not only minimize legal risks but also strengthens the basis for argumentation in the event of official audits or legal disputes.
The guidelines thus offer companies practical support in balancing the protection and usage of data for business purposes. In particular, companies can use pseudonymization to create competitive advantages, e.g. by protecting customer data in the best possible way through privacy-enhancing business practices and subsequently increasing the customers’ trust in the handling of data.