The GDPR defines the term ‘pseudonymisation’ for the first time in EU law and refers to it several times as a safeguard that may be appropriate and effective for the fulfilment of certain data protection obligations.
Under that definition, pseudonymisation can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons in the course of the processing of the data, and in the event of unauthorised access or use.
Applying pseudonymisation, controllers can thus retain the option to analyse the data and, optionally, to merge different records relating to the same person. Pseudonymisation can also, and often will, be set up so that it is possible to revert to the original data. Thus, controllers can process personal data in original form in some stages of the processing, and in pseudonymised form in others.
Pseudonymised data that could be attributed to a natural person by the use of additional information is to be considered information on an identifiable natural person, and is therefore personal data. This holds true even if the pseudonymised data and the additional information are not in the hands of the same person. Even if all additional information retained by the pseudonymising controller has been erased, the pseudonymised data can be considered anonymous only if the conditions for anonymity are met.
The GDPR does not impose a general obligation to use pseudonymisation. The explicit introduction of pseudonymisation is not intended to preclude any other measures of data protection (Rec. 28 GDPR). It is the responsibility of the controller to decide on the choice of means for meeting its obligations having regard to the accountability principle. Depending on the nature, scope, context and purposes of processing, and the risks involved in it, controllers may need to apply pseudonymisation in order to meet the requirements of EU data protection law, in particular in order to adhere to the data minimisation principle, to implement data protection by design and by default, or to ensure a level of security appropriate to the risk. In some specific situations, Union or Member State law may mandate pseudonymisation.
The risk reduction resulting from pseudonymisation may enable controllers to rely on legitimate interests under Art. 6(1)(f) GDPR as the legal basis for their processing provided they meet the other requirements of that subparagraph; contribute to establishing compatibility of further processing according to Art. 6(4) GDPR; or help guarantee an essentially equivalent level of protection for data they intend to export.
Finally, the contribution of pseudonymisation to data protection by design and default, and the assurance of a level of security appropriate to risk may make other measures redundant – even though pseudonymisation alone will normally not be a sufficient measure for either. Controllers should establish and precisely define the risks they intend to address with pseudonymisation. The intended reduction of those risks constitutes the objective of pseudonymisation within the concrete processing activity. Controllers should shape pseudonymisation in a way that guarantees that it is effective in reaching this objective.
Controllers may define the context in which pseudonymisation is to preclude attribution of data to specific data subjects. This context will be called the pseudonymisation domain in these guidelines. The pseudonymisation domain does not have to be all-encompassing, but may be restricted to defined entities, most often to the set of all authorised recipients of the personal data who will process the data for a given purpose. The effectiveness of pseudonymisation in the implementation of data protection principles or in the assurance of a level of security appropriate to the risk is highly dependent on the choice of the pseudonymisation domain and its isolation from the additional information that allows the attribution of pseudonymised data to specific individuals.
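The mechanics described in the preceding paragraphs (deterministic pseudonyms that still allow records of the same person to be merged, reversal by the holder of the additional information, and a domain that is only protective if that additional information stays outside it) are illustrated below. This is an added example and not code from the guidelines or the EDPB: the choice of a keyed hash (HMAC-SHA256) as the pseudonymisation function, the reverse lookup table held by the controller, the field names and the sample records are all assumptions made here, not anything the guidelines prescribe. The unkeyed variant shows why a plain hash over a guessable identifier does not, by itself, preclude attribution inside the domain.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records (assumption for this example; not from the guidelines).
IDENTIFIER_FIELD = "email"
ORIGINAL_RECORDS = [
    {"email": "alice@example.org", "visit": "2024-03-01", "diagnosis_code": "J06"},
    {"email": "bob@example.org", "visit": "2024-03-02", "diagnosis_code": "M54"},
    {"email": "alice@example.org", "visit": "2024-03-09", "diagnosis_code": "J06"},
]


class Pseudonymiser:
    """Keyed pseudonymisation operated by the controller, outside the pseudonymisation domain.

    The secret key and the reverse lookup table are the 'additional information' in
    the sense of the guidelines: whoever holds them can attribute pseudonymised data
    to a person, so they must not be available to the recipients inside the domain.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonym(self, identifier: str) -> str:
        # Deterministic keyed hash: the same identifier always maps to the same
        # pseudonym, so records of one person can still be merged inside the domain.
        p = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[p] = identifier
        return p

    def revert(self, pseudonym: str) -> str:
        # Reversal is only possible for the holder of the lookup table (or the key).
        return self._reverse[pseudonym]


def unkeyed_pseudonym(identifier: str) -> str:
    # A plain hash with no secret: anyone who can guess the identifier can recompute it.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records: List[dict], pseudonym_fn: Callable[[str], str]) -> List[dict]:
    """Replace the direct identifier in each record with a pseudonym."""
    out = []
    for r in records:
        r2 = dict(r)
        r2["pseudonym"] = pseudonym_fn(r2.pop(IDENTIFIER_FIELD))
        out.append(r2)
    return out


def merge_by_pseudonym(pseudonymised: List[dict]) -> Dict[str, List[dict]]:
    """What an authorised recipient inside the domain may legitimately do: link records."""
    groups: Dict[str, List[dict]] = {}
    for r in pseudonymised:
        groups.setdefault(r["pseudonym"], []).append(r)
    return groups


def reattribute_by_guessing(pseudonymised: List[dict], candidates: List[str],
                            guessed_fn: Callable[[str], str]) -> Dict[str, str]:
    """Attribution attempt from inside the domain: hash a list of candidate identifiers
    with the function the attacker believes was used and match against the records."""
    table = {guessed_fn(c): c for c in candidates}
    return {r["pseudonym"]: table[r["pseudonym"]]
            for r in pseudonymised if r["pseudonym"] in table}


def run_example() -> dict:
    controller = Pseudonymiser()
    keyed = pseudonymise(ORIGINAL_RECORDS, controller.pseudonym)
    weak = pseudonymise(ORIGINAL_RECORDS, unkeyed_pseudonym)
    alice_pseudonym = controller.pseudonym("alice@example.org")
    # A recipient's candidate list, e.g. its own customer database (constructed).
    candidates = ["alice@example.org", "bob@example.org", "carol@example.org"]
    return {
        "linked_visits_for_alice": len(merge_by_pseudonym(keyed)[alice_pseudonym]),
        "revert_ok": controller.revert(alice_pseudonym) == "alice@example.org",
        "reattributed_unkeyed": len(reattribute_by_guessing(weak, candidates, unkeyed_pseudonym)),
        "reattributed_keyed": len(reattribute_by_guessing(keyed, candidates, unkeyed_pseudonym)),
    }


if __name__ == "__main__":
    print(run_example())
```

The recipient inside the domain can merge Alice's two visits and the controller can revert the pseudonym, but only the unkeyed variant lets the recipient re-attribute every record from a candidate list; with the key withheld from the domain the same attempt matches nothing. Key management and access to the lookup table are therefore what actually isolates the domain, not the hashing step as such.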
Thus, pseudonymisation is a safeguard that can be applied by controllers to meet the requirements of data protection law and, in particular, to demonstrate compliance with the data protection principles in accordance with Art. 5(2) GDPR. These guidelines will help controllers to choose effective techniques for the modification of original data, to protect pseudonymised data from unauthorised attribution, and to manage data subject rights when processing pseudonymised data.
Controllers must always bear in mind that pseudonymised data that could be attributed to a natural person by the use of additional information remains information relating to an identifiable natural person, and thus is personal data (Rec. 26 GDPR). Therefore, the processing of such data needs to comply with the GDPR, including the principles of lawfulness, transparency and confidentiality under Art. 5 GDPR, and the requirements of Art. 6 GDPR. Controllers must maintain an appropriate level of security by implementing further technical and organisational measures. Finally, controllers must ensure transparency and need to facilitate the exercise of the data subject rights set out in Chapter III of the GDPR, unless the exceptions provided for in Art. 11(2) and 12(2) GDPR apply.
The European Data Protection Board
Having regard to Article 70(1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018,
Having regard to Article 12 and Article 22 of its Rules of Procedure,
HAS ADOPTED THE FOLLOWING GUIDELINES