EDPB advises on pseudonymisation for GDPR compliance, Privacy Laws & Business

Time 12 Minute Read
June 5, 2025
Publication

On 16 January 2025 the European Data Protection Board (EDPB) adopted its Guidelines 01/2025 on Pseudonymisation (the Guidelines). The consultation period on the Guidelines finished at the end of February; a final version is expected to be published later in 2025. The Guidelines provide helpful guidance to organisations on the legal definition of pseudonymisation under the GDPR, the benefits associated with using pseudonymisation, and when organisations are expected to implement pseudonymisation.

The Guidelines leave a number of open questions for organisations, in particular in relation to how organisations should, as a practical matter, assess the effectiveness of their pseudonymisation methods, and are inconsistent in that regard. This article provides an overview of the key parts of the Guidelines, highlights some of the key benefits for businesses resulting from the Guidelines, and indicates some topics in relation to which additional clarity should be provided.

WHAT IS PSEUDONYMISATION?

The GDPR for the first time includes a definition of pseudonymisation in European data protection law. Article 4(5) defines pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Note that, by its nature, pseudonymised information constitutes personal data under the GDPR, as it relates to an identified or identifiable individual, even though additional information is required to identify a particular individual.

According to the EDPB, the process of pseudonymisation requires three distinct steps to satisfy the definition provided in the GDPR.

First, controllers need to modify or transform the data so that it is fit for subsequent processing in pseudonymised form. This procedure must modify the original data in such a way that the result (i.e. the pseudonymised data) cannot be attributed to specific data subjects without additional information. Typically, this step will involve replacing information that can be used to identify particular data subjects with new identifiers that allow attribution to a specific data subject only with additional information. In doing so, organisations should take into account any additional information that may enable individual identification, including both information under control of the organisation and information outside of its control. To the extent that such information is reasonably expected to be available (e.g. information on social media posts) the EDPB indicates that organisations should assess the extent to which additional transformation of the data is  required, or technical or organisational measures should be put in place to reasonably restrict the likelihood of such information being used to identify particular data subjects.

The second step in achieving pseudonymisation is that the additional information that is used to re-identify the pseudonymised dataset must be kept separate (i.e. from those who are to be prevented from attributing the pseudonymised data from the identified individuals).

The third step is that appropriate technical and organisational measures must be in place to ensure that the pseudonymised data is not attributed to an identified or identifiable natural person.

The Guidelines do not provide a clear test as to what is considered an effective or ineffective form of pseudonymisation. Instead, the EDPB introduces the concept of the “pseudo - nymisation domain” – that is, the context in which pseudo nymisation is intended to preclude attribution to specific data subjects and in which additional information that would enable attribution to particular data subjects is excluded. Organisations are, according to the guidelines required to determine the scope of the pseudo - nymisation domain and adopt appropriate technical and organisational means to effectively enforce the pseudo - nymisation domain “guaranteeing that pseudonymised data does not leave the pseudo nymisation domain.” As a practical matter, a “guarantee” that pseudo nymised data will not leave the pseudo nymised domain as well as certain other rigid requirements for effective pseudo nymisation are at odds with the “reasonable likelihood” of identification approach advocated by the EDPB earlier in the Guidelines and referred to above. Organisations would welcome clarity on what “reasonable likelihood” means in this context as well as a generally more flexible approach to assessing the effectiveness of pseudonymisation.

WHEN SHOULD ORGANISATIONS USE PSEUDONYMISATION?

The Guidelines take the view that, when carried out effectively, pseudonymisation is a measure that reduces “confidentiality risks” (i.e. the risk that their confidential information is made available to an unauthorised person) for data subjects, while still allowing organisations to carry out analysis using the pseudonymised data when required.

In the EDPB’s view it does so in two ways, first by limiting the group of individuals (who may legitimately process the data in pseudonymised form) to whom direct identifiers relating to the data subjects are disclosed. Second, in the event of unauthorised disclosure of or access to the pseudonymised data set, pseudonymisation may reduce the severity of the risk and mitigate potential negative consequences of such disclosure or access to data subjects. The extent of such risk reduction will ultimately depend on the effectiveness of the pseudonymisation process carried out, the technical and organisational measures in place to prevent reidentification as well as whether or not the person with unauthorised access may utilise outside information to identify individuals.

The EDPB also highlights the potential ability to reduce the risk of “function creep” and the processing of personal data for purposes incompatible with the initial purposes for which it was collected. This is because a person with access to the pseudonymised dataset would not, provided the pseudonymisation is effective, be able to use those data for any purpose that requires direct identification of data subjects, thus precluding use of that data set alone from any purpose that involves direct interaction with data subjects.

PSEUDONYMISATION ALONE IS NOT ENOUGH

In addition to the general benefits associated with risk reduction, the Guidelines indicate that pseudonymisation can be used by controllers or processors to assist in meeting certain specific GDPR compliance requirements. The Guidelines do not, however, consider pseudonymisation to be a measure that is alone sufficient to ensure compliance, and instead controllers are required to evaluate the appropriateness of all technical and organisational measures, including pseudonymisation, taken together.

In particular, the EDPB highlights that pseudonymisation can be a measure for achieving compliance with the GDPR’s “data protection by design and by default” obligation, on the basis that pseudonymised data can be used when the processing does not require the data being linked to a particular individual, yet allowing individuals to be directly identified in exceptional cases when required. The EDPB also highlights these benefits in the context of data sharing with third parties, and in that case pseudonymised data may enable the recipient of the data to fulfil their own data protection obligations, including compliance with the data minimisation principle, data protection by design and by default, and the implementation of appropriate security measures as a general matter.

APPROPRIATE SECURITY MEASURES

The EDPB also considers the use of pseudonymisation as one of the security measures implemented by a controller or processor to ensure a level of security appropriate to the risk of the data processing activity, in accordance with Article 32 of the GDPR. When the pseudonymisation domain is set appropriately, the level of risk associated with use of the pseudonymised data within the pseudonymised domain is low, as no one should be able to use that data to the disadvantage of a particular data subject.

However, organisations still need to implement a level of security that is appropriate for the remaining risks involved, which may include, for example, measures to prevent the use of additional information that would enable identification by individuals within the pseudonymisation domain. The overall security level will therefore depend on both the security level in respect of the pseudonymised data, and the security level in respect of the availability of additional information – if, for example, it is very easy for a third party to obtain additional information sufficient to enable reidentification, the overall benefit of pseudonymisation may be low even if access to the pseudonymised data is secure.

One particular area of risk assessment discussed relates to the mitigation of adverse effects in the context of personal data breaches. The EDPB recognises that pseudo - nymisation may in some cases be considered an appropriate technical or organisational measure that limits the impact of a data breach and potentially an organisation’s obligation to notify impacted data subjects of the breach. The EDPB notes that, in any case, an unauthorised third party will have access to the pseudonymised data and that data can be analysed by that third party even in the absence of additional information enabling re-identification. As such, while it is helpful that the benefits of pseudonymisation in the context of a breach are recognised, the Guidelines recommend that careful analysis is required, and do not elaborate on the circumstances in which pseudonymisation may be sufficient to exempt an organisation from notifying impacted individuals.

On the other hand, unauthorised reversal of pseudonymisation may itself, where it results from a breach of security, constitute a personal data breach, and if that results in a high risk to data subjects, notification to impacted data subjects may be required. Depending on the nature of the impacted data and whether and the extent to which pseudonymised data was reversed, controllers may not be reasonably able to communicate with data subjects if there is a lack of sufficient identifying information. In those cases, controllers may need to consider other forms of communication (e.g., working with a third party to identify relevant data subjects) with data subjects, and if that would involve disproportionate effort, issue a public notification related to the breach instead.

INTERNATIONAL TRANSFERS

In respect of international data transfers, the Guidelines indicate that pseudonymisation may constitute a “supplementary measure” to ensure compliance with Article 44 of the GDPR when organisations are assessing the risks associated with such transfers. In particular, the use of pseudonymisation in data transfers may be an effective measure to reduce the risk that such data will be subject to disproportionate government access in the destination country. Such recognition is beneficial, however, the conditions to be met for it to constitute an effective measure are overly prescriptive and arguably go beyond what is required by Chapter V of the GDPR (for example, the Guidelines require the assessment to include whether public authorities can be expected to possess or obtain with reasonable means additional information, even if they are precluded by local legal norms from obtaining such information). As a practical matter, the recognition of the relevance of pseudonymisation as a supplementary measure is welcome, however, the Guidelines risk adopting an overly prescriptive standard that goes beyond what is required by the GDPR.

DATA SUBJECT RIGHTS

The Guidelines also consider the impact of the use of pseudonymised data in the context of the rights of data subjects. First, the Guidelines note that, by definition, since pseudonymised data can be attributed to an individual with the use of additional information, the rights of data subjects apply with respect to that data. In addition, the Guidelines recognise that it may be the case that pseudonymised data may fall within scope of Article 11 of the GDPR, which provides an exemption from responding to data subject rights requests when the organisation is able to demonstrate that it is not in a position to identify the data subject. In those cases, the organisation would not be required to respond to the request unless the data subject provides additional information enabling their identification. In relevant cases, the EDPB suggests that controllers give additional information to data subjects regarding where they can obtain the pseudonyms relating to them (e.g., the name of the source of the pseudonymised data), so that data subjects may fully benefit from their rights.

It is unclear how this would work in practice, and the EDPB does not elaborate. Clarity also is required regarding when data subject rights are likely to apply with respect to pseudonymised data The EDPB’s approach here is at odds with the more flexible approach taken when first laying out the concept of pseudonymised data, which is based on whether additional information allowing identification is reasonably likely to be available to the organisation, rather than a stricter test of whether the relevant data can in fact be attributed to a particular individual.

GUIDANCE IS A STARTING POINT

As a general matter, the Guidelines provide a helpful starting point for organisations to begin to understand what pseudonymisation is from a data protection perspective, how data can, at a high level be pseudonymised within the meaning of the GDPR, as well as the impact (and benefits) of the use of pseudonymisation from a compliance perspective. While the Guidance is largely helpful, there is a lack of clarity particularly regarding how organisations should assess the effectiveness of their pseudonymisation procedures, and the lack of clarity around what constitutes “reasonable means” for reidentification may deter some organisations from implementing pseudonymisation. Organisations likely would welcome clearer guidance on how to carry out that assessment.


Originally published on June 5, 2025 online with Privacy Laws & Business. Reprinted with permission. Further duplication without permission is prohibited. All rights reserved.

Related Insights

Jump to Page