EU guidelines on Pseudonymisation 

From 17 Jan 2025 to 28 Feb 2025, the EU Data Protection Board seeks comments on the Guidelines 01/2025 on Pseudonymisation. 

Pseudonymisation protects data by making it more difficult to link back to individuals. It serves GDPR compliance purposes such as security and data protection by design (incorporating privacy measures from the start of data processing) and by default (processing data with the highest level of privacy protection). Legally, pseudonymisation is defined by Article 4(5) GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” In other words, it works by replacing personal data with information that does not directly identify a specific individual. To reconnect the data to a person, extra information is needed, like a lookup table or a secret key.

The guidelines clarify the nature and functions of pseudonymisation. First, pseudonymised data, which can be linked back to an individual using additional information, is still personal data (Rec. 26 GDPR). This remains true when another party keeps the additional information. Second, pseudonymisation can reduce both security risks and the risks of using data for a purpose that had not been agreed. It can also make it easier for organisations to use legitimate interest as a legal basis for processing data. The guidelines also introduce a new concept, the “pseudonymisation domain”, which captures one aspect of the controllers' freedom to tailor their pseudonymisation processes to the objectives they intend to achieve: determining who should be precluded from attributing the pseudonymised data to individuals.

In addition, the guidelines provide technical measures and safeguards for pseudonymisation, including the pseudonymisation transformation, technical and organisational measures preventing unauthorised attribution of pseudonymised data to individuals, and the linkage of pseudonymised data. Pseudonymisation is a safeguard that controllers can apply to meet the requirements of data protection law and, in particular, to demonstrate compliance with the data protection principles in accordance with Art 5(2) GDPR. These guidelines will help controllers to choose effective techniques for the modification of original data, to protect pseudonymised data from unauthorised attribution, and to manage user rights when processing pseudonymised data.
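
The mechanism described above (a secret key plus a lookup table, kept apart from the released data) can be sketched as follows. This is an added example, not code from the guidelines or from this page. The class and function names, the sample records, and the choice of deriving one HMAC key per recipient domain to prevent linkage between domains are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; "email" is the direct identifier.
RECORDS = [
    {"email": "Alice@example.org", "diagnosis": "asthma"},
    {"email": "bob@example.org", "diagnosis": "diabetes"},
    {"email": "alice@example.org ", "diagnosis": "asthma follow-up"},
]


class Pseudonymiser:
    """Holds the additional information: the secret key and the lookup table.

    Assumption: this object lives in a separate, access-controlled system from
    the released data, so recipients cannot attribute records to a person.
    """

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._lookup = {}  # pseudonym -> normalised identifier

    def _domain_key(self, domain: str) -> bytes:
        # One derived key per recipient domain, so pseudonyms released to
        # different domains cannot be linked with each other.
        return hmac.new(self._master_key, b"domain:" + domain.encode(), hashlib.sha256).digest()

    def pseudonymise(self, identifier: str, domain: str) -> str:
        norm = identifier.strip().lower()  # same person -> same pseudonym
        pseudonym = hmac.new(self._domain_key(domain), norm.encode(), hashlib.sha256).hexdigest()
        self._lookup[pseudonym] = norm
        return pseudonym

    def reidentify(self, pseudonym: str):
        # Only the holder of the lookup table can reverse a pseudonym.
        return self._lookup.get(pseudonym)


def release(records, pseudonymiser, domain):
    """Copy records for one domain with the direct identifier replaced."""
    return [
        {"pid": pseudonymiser.pseudonymise(r["email"], domain), "diagnosis": r["diagnosis"]}
        for r in records
    ]


if __name__ == "__main__":
    p = Pseudonymiser(secrets.token_bytes(32))
    for row in release(RECORDS, p, "research"):
        print(row)
```

The released rows remain personal data, as the guidelines state, because whoever holds the key and lookup table can attribute them to a person again.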

Executive Summary: https://www.edpb.europa.eu/system/files/2025-02/edpb_summary_202501_pseudonymisation_en.pdf

Full-text Guidelines: https://www.edpb.europa.eu/system/files/2025-01/edpb_guidelines_202501_pseudonymisation_en.pdf

For more discussions of personal data protection: https://astraiagear.com/category/data/personal-data-protection/

Follow us at https://www.linkedin.com/company/astraia-gear and connect with the author: https://www.linkedin.com/in/tranganhmac/