Pseudonymisation
Pseudonymisation is the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information kept separately.
Pseudonymisation is legally defined in Art. 4(5) GDPR as the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information. The condition is that this additional information is kept separately and is subject to technical and organisational measures ensuring that the data is not attributed to an identified or identifiable natural person. At its core, pseudonymisation means separating direct identifiers (such as a name or customer number) from the rest of the data set and replacing them with a pseudonym whose mapping key is held separately and protected.
Legally, the decisive point is that pseudonymised data remains personal data within the meaning of Art. 4(1) GDPR as long as re-identification is possible with reasonable effort (Recital 26). Unlike anonymisation, pseudonymisation does not remove the link to a person; it reduces the risk for the data subjects. It is therefore not a means of escaping the scope of the GDPR but a safeguard applied within that scope. Whoever holds the mapping key continues to process fully personal data, whereas for bodies without access to the additional information the risk situation may be assessed differently.
The GDPR attaches legal effect to pseudonymisation in several places. It is expressly cited as an example of data protection by design in Art. 25(1) GDPR and counts under Art. 32(1)(a) GDPR among the appropriate technical and organisational measures for ensuring an adequate level of protection. It is also a criterion in the compatibility test for a change of purpose (Art. 6(4)(e) GDPR) and facilitates processing for scientific, statistical or historical purposes (Art. 89(1) GDPR). Effective pseudonymisation can lower the processing risk and thus the liability exposure, but it does not replace the other obligations such as a legal basis, transparency and the safeguarding of data subjects' rights.
Legal Basis
Art. 4(5), Art. 25(1), Art. 32(1)(a), Art. 6(4)(e), Art. 89(1) GDPR; Recitals 26 and 28 GDPR
Practical Example
A company wants to analyse the usage behaviour of its customers in order to improve its products. The data protection officer directs that the analytics team may only work with a data set in which name, email address and customer number have been replaced by a random identifier. The mapping table linking the identifier to the real identity is stored encrypted on a separate system to which only two authorised administrators have access. This allows the analytics team to work statistically without recognising individuals, while controlled re-identification remains possible where needed, for example to fulfil a subject access request. This separation is documented in the record of processing activities and in the technical and organisational measures concept.
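The separation described in the practical example, sketched in Python as an added illustration (not code from the original page). The names `MappingVault`, `pseudonymise`, `pid` and the admin labels are assumptions, and the in-memory vault stands in for the encrypted mapping table held on a separate system.

```python
import secrets

DIRECT_IDENTIFIERS = ("name", "email", "customer_number")  # fields named in the example above

class MappingVault:
    """Stand-in for the separately held mapping table (assumption: in-memory;
    the page's version is encrypted and lives on a separate system)."""

    def __init__(self, authorised_admins):
        self._admins = frozenset(authorised_admins)
        self._by_customer = {}   # customer_number -> pseudonym
        self._by_pseudonym = {}  # pseudonym -> direct identifiers

    def pseudonym_for(self, identity):
        key = identity["customer_number"]
        if key not in self._by_customer:
            # Random, not derived from the identifiers, so it cannot be
            # recomputed from a name or email without the table.
            pid = secrets.token_hex(16)
            self._by_customer[key] = pid
            self._by_pseudonym[pid] = dict(identity)
        return self._by_customer[key]

    def reidentify(self, pseudonym, actor):
        # Controlled re-identification, e.g. for a subject access request.
        if actor not in self._admins:
            raise PermissionError(f"{actor} may not access the mapping table")
        return dict(self._by_pseudonym[pseudonym])

def pseudonymise(record, vault):
    """Split one record: identifiers go to the vault, the rest to analytics."""
    missing = [f for f in DIRECT_IDENTIFIERS if f not in record]
    if missing:
        raise ValueError(f"record lacks identifier fields: {missing}")
    identity = {f: record[f] for f in DIRECT_IDENTIFIERS}
    rest = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {"pid": vault.pseudonym_for(identity), **rest}

# Constructed sample data, not from the page.
SAMPLE = [
    {"name": "Ada Example", "email": "ada@example.org", "customer_number": "C-1001", "feature": "export", "minutes": 12},
    {"name": "Ada Example", "email": "ada@example.org", "customer_number": "C-1001", "feature": "search", "minutes": 3},
    {"name": "Bo Sample", "email": "bo@example.org", "customer_number": "C-1002", "feature": "export", "minutes": 7},
]

if __name__ == "__main__":
    vault = MappingVault(authorised_admins={"admin_a", "admin_b"})
    for row in (pseudonymise(r, vault) for r in SAMPLE):
        print(row)
```

The same customer always receives the same `pid`, so per-user statistics still work. The fields that stay in the analytics rows can still single out a person when they are rare or free-text, which is one reason the output remains personal data.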