The new guidelines on #pseudonymisation (“Guidelines 01/2025 on Pseudonymisation”, “Guidelines”) of the European Data Protection Board #EDPB out for consultation up to 28 February 2025 are a must-read. What are we talking about? Pseudonymisation is a technique that makes personal data more difficult to identify without additional information.
Within the scope of Regulation (EU) 2016/679 (“GDPR”), which introduces the concept for the first time, pseudonymisation is considered one of the technical measures that the data controller or processor can use to fulfil their obligations regarding personal data protection. Specifically, the pseudonymisation procedure consists of making personal data relating to a specific individual no longer attributable to that individual, except – and this is the substantial difference with anonymisation – through the use of additional information, including any additional information that is beyond the control of the party carrying out the pseudonymisation. Such additional information (so-called pseudonymisation secrets) must be stored separately and protected by adequate security measures. The aim is to ensure that those who process the pseudonymised data are not able to attribute it to the individual to whom the data belongs.
As stated in the Guidelines, since pseudonymised data constitutes information relating to an identifiable natural person, it remains personal data to all intents and purposes and, as such, is subject to the provisions of the GDPR.
In this regard, the EDPB seems to adopt a very broad notion of personal data, in contrast to the recent conclusions of Advocate General Dean Spielmann in case C-413/23 P of 6 February 2025. In fact, adopting a more restrictive approach, the Advocate General emphasises that, in order to determine whether pseudonymised data should be considered personal data and therefore fall within the objective scope of the GDPR, one must take into account the reasonable likelihood that the additional information can be used by the recipient of the data to identify the data subject, as the mere theoretical identifiability of the data subject is not sufficient.
Going back to the Guidelines, a fundamental concept introduced by the EDPB is that of “pseudonymised domain”, which can be defined as the set of authorised individuals and systems that can access the pseudonymised data. Within said domain, which is to be determined by the data controller/processor, the pseudonymised data can be processed minimising the risk of re-identifying the data subjects. This logically implies that pseudonymisation secrets must be kept separate from the pseudonymisation domain.
Keeping in mind the accountability principle, the controller is required to evaluate, also through periodic risk assessments, the likelihood of re-identification within the pseudonymisation domain, so as to ensure that the risk remains negligible throughout the entire processing period.
On the other hand, the Guidelines also provide useful operational guidance for companies and operators, giving some examples of appropriate technical measures for pseudonymisation, including:
advanced encryption techniques, such as SHA-3 hash functions, which can be used to create pseudonymised data. To increase the security of the process, it is possible to combine such functions with a salt, i.e. a randomly and securely generated data string;
security measures relating to the IT infrastructure, such as limiting access to pseudonomysation secrets (in concrete terms, access could be limited to system administrators only, applying also to them the principle of least privilege);
the use of data protection engineering tools on so-called quasi-identifiers (i.e. information that, if combined, can indirectly identify an individual), including techniques such as generalisation and suppression, which modify the level of detail of the data or eliminate highly risky data to reduce the risk of re-identification.
In conclusion, the analysis of the Guidelines highlights the fundamental role that pseudonymisation can play in the application of the principle of privacy by design, as well as in some areas of business activity that are extremely sensitive from a data protection point of view, such as the management of whistleblowing channels and the transfer of personal data outside the EU. As clarified by the Guidelines, pseudonymisation can also facilitate the use of legal bases such as the legitimate interest referred to in Article 6(1)(f) of the GDPR for the processing of personal data - an approach that is certainly useful when looking for an alternative to consent and balancing the interests of companies and the rights of individuals - and favour the compatibility of the data processed by any recipients with the evaluation of the original purpose of the processing, pursuant to Article 6(4) GDPR.
