Anonymisation
Anonymisation is the irreversible alteration of personal data so that the data subject can no longer be identified with reasonable effort, with the result that the GDPR no longer applies.
Anonymisation refers to altering personal data in such a way that information about a person's personal or factual circumstances can no longer be attributed to an identified or identifiable natural person, or only with a disproportionate effort in terms of time, cost and manpower. Recital 26 of the GDPR makes clear that the principles of data protection do not apply to anonymous information, that is, information which does not relate to an identified or identifiable person. Effectively anonymised data therefore falls entirely outside the material scope of the GDPR.
The decisive criterion is irreversibility: re-identification must be permanently and practically excluded according to the state of the art. The Article 29 Working Party (Opinion 05/2014) measures the robustness of an anonymisation against three risks: singling out individual records, linkability with other datasets, and inference of information. Only when all three risks are sufficiently excluded does a robust anonymisation exist. Common techniques include aggregation, generalisation, k-anonymity, l-diversity, differential privacy, or the complete removal of identifying attributes.
Anonymisation must be sharply distinguished from pseudonymisation (Art. 4(5) GDPR). In pseudonymisation, identifying attributes are replaced by an identifier, but the link to the person remains restorable through additional information kept separately (such as a mapping table or a key). Pseudonymised data remains personal data and therefore subject to the GDPR; it merely qualifies as an appropriate technical and organisational measure. Anonymised data, by contrast, is definitively severed from any link to a person. The act of anonymisation itself constitutes processing within the meaning of Art. 4(2) GDPR and therefore requires a legal basis.
Legal Basis
Recital 26 GDPR; Art. 4(1) and 4(5) GDPR; Opinion 05/2014 of the Article 29 Working Party
Practical Example
A data protection officer at a hospital wishes to share treatment data with a research institute for a scientific study. Instead of merely pseudonymising the data, the officer has it aggregated and generalised: dates of birth are reduced to age groups, postcodes are truncated to their first two digits, and rare diagnosis combinations are grouped together until each record matches at least five others (k-anonymity). Because re-identification is thereby practically excluded and no mapping table exists, the shared dataset no longer falls under the GDPR. The officer documents the anonymisation itself as a processing activity in the record of processing activities.