Data protection under the General Data Protection Regulation (GDPR) is set to be strengthened with the European Data Protection Board (EDPB) releasing its Guidelines 01/2025 on Pseudonymisation on January 16, 2025. Currently under public consultation – Guidelines 01/2025 on Pseudonymisation | European Data Protection Board, these guidelines clarify the legal framework, scope, and technical aspects of pseudonymisation. While recognised as an effective means of enhancing data security, the EDPB highlights that pseudonymisation differs from anonymisation and does not exempt data controllers or processors from GDPR obligations.

Pseudonymisation, as defined in Article 4(5) of the GDPR (Regulation – 2016/679 – EN – gdpr – EUR-Lex), refers to a technique that alters personal data so that it cannot be directly linked to an individual without additional, separately stored information. This typically involves replacing identifiers, such as names or ID numbers, with generated values or coded references. However, the ability to re-establish the link in controlled circumstances distinguishes pseudonymisation from anonymisation. This approach enhances privacy while still allowing for legitimate data processing and analysis.

While pseudonymisation reduces the risks associated with data breaches, it does not provide absolute anonymity. Unlike anonymisation, which irreversibly removes the possibility of re-identification, pseudonymised data remains classified as personal data under the GDPR and must comply with all relevant legal requirements. Consequently, the guidelines emphasize that controllers and processors must implement strict measures to ensure that any additional information enabling re-identification remains securely stored and inaccessible to unauthorized parties.

Pseudonymisation provides multiple benefits, particularly as a risk mitigation measure that enhances compliance with key GDPR principles such as data minimisation, purpose limitation, and security. By reducing the likelihood of direct identification, pseudonymisation helps controllers demonstrate accountability under Article 5(2) of the GDPR. It may also serve as a safeguard when processing data under Article 6(1)(f), provided it effectively balances legitimate interests with data subject rights. However, its effectiveness relies on the strict separation and protection of additional information required for re-identification, ensuring that only authorised entities have controlled access.

Beyond risk mitigation, pseudonymisation enables organisations to process data more securely by restricting the exposure of directly identifiable information during internal analyses or research activities. This supports compliance with data protection by design and by default under Article 25 GDPR. Additionally, in the event of a data breach, pseudonymisation reduces the risk of harm to data subjects, as the exposed data remains indecipherable unless unlawfully combined with separately stored identifying information.

A key concept introduced in the guidelines is the notion of the “pseudonymisation domain,” which defines the scope within which attribution of data to an individual is restricted. This domain is established by the controller based on a risk assessment and encompasses the entities, systems, and individuals authorised to process pseudonymised data while ensuring that additional identifying information remains strictly segregated. By structuring the pseudonymisation domain effectively, controllers can enhance data protection, minimise the risk of unauthorised re-identification, and demonstrate compliance with the GDPR’s principles of security and accountability.

The scope of the pseudonymisation domain is not uniform but varies depending on the processing context. It may be confined to a specific organisational unit, extend to a predefined group of legitimate recipients, or even incorporate external entities that pose a risk of unauthorised access. The robustness of the pseudonymisation domain depends on the implementation of stringent technical and organisational measures, including access restrictions, data segregation, and legal safeguards such as contractual agreements. Moreover, controllers must ensure that any additional information enabling re-identification remains securely stored outside the domain and is subject to reinforced protections.

Despite its advantages, pseudonymisation does not exempt controllers and processors from their GDPR compliance obligations, as pseudonymised data remains personal data and is subject to the rights of data subjects under Chapter 3 of the GDPR. Accordingly, individuals retain their rights to access, rectify, and erase their data. However, under Article 11 GDPR, a controller may demonstrate that it is not in a position to identify a data subject, particularly if it does not have access to additional information enabling re-identification, cannot lawfully obtain such information, and is unable to reverse the pseudonymisation. In such cases, where a data subject cannot be identified without disproportionate effort, the obligations under Articles 11(2) and 12(2) GDPR may be limited, except where the data subject provides additional information that enables their identification.

To ensure transparency, controllers must inform data subjects of the limitations on their rights when applicable. Where possible, they should indicate how individuals can obtain and use their pseudonyms to exercise their rights. If a data subject can provide the pseudonym under which their data is stored, along with proof linking the pseudonym to their identity, the controller should be able to recognise the data subject and process their request accordingly. In such cases, the controller may need to provide details on how pseudonyms are assigned and maintained, as well as the contact information of the relevant entity responsible for pseudonymisation.

Another important aspect outlined in the guidelines is the role of pseudonymisation in enabling the secure use of data for secondary purposes such as research, statistical analysis, and public interest initiatives. The GDPR imposes strict conditions on further processing, requiring that any secondary use aligns with the original purpose for which the data was collected. Pseudonymisation supports compliance with key principles such as data minimisation and purpose limitation by ensuring that data remains useful for analytical purposes while minimising risks of re-identification. However, its effectiveness depends on the implementation of strict technical and organisational measures that safeguard the integrity of the pseudonymised data and prevent potential linkages that could restore identifiability.

The EDPB emphasises that controllers must conduct thorough assessments to determine whether pseudonymisation, in isolation, provides adequate protection for secondary processing or whether additional safeguards are necessary. These measures may include robust encryption protocols, stringent access controls, and legally binding agreements that impose clear restrictions on the re-identification of pseudonymised data. Furthermore, organisations should implement structured governance frameworks that define the responsibilities of each entity handling the data, ensure compliance with GDPR requirements, and establish mechanisms to detect and mitigate any risks of function creep.

Moreover, the guidelines address the issue of unauthorised reversal of pseudonymisation, emphasizing that any breach leading to re-identification constitutes a personal data breach under the GDPR, necessitating notification to supervisory authorities and potentially affected data subjects. Given the growing sophistication of re-identification techniques, organisations must adopt stringent security measures to safeguard both pseudonymised data and the additional information required for re-identification. Ensuring the ongoing confidentiality, integrity, and availability of these data elements is paramount to maintaining compliance and mitigating risks.

As the EDPB Guidelines 01/2025 remain open for public consultation until March 14, 2025, interested organisations are encouraged to engage actively in the process and provide meaningful feedback to refine the proposed recommendations. The final adoption of these guidelines will play a key role in shaping best practices for pseudonymisation within the EU data protection framework, ensuring that organisations receive clear and actionable guidance on the effective implementation of this technique while upholding the fundamental rights of data subjects. Ensuring effective implementation, however, requires its integration into a broader compliance framework that aligns with the GDPR principles of accountability, transparency, and proportionality.

Adela Nuță, Managing Associate BACIU PARTNERS