The European Data Protection Board (hereinafter the EDPB) recently adopted the Guidelines 01/2025 on Pseudonymisation (hereinafter the Guidelines), providing comprehensive insights into the use and benefits of pseudonymisation under the General Data Protection Regulation (hereinafter the GDPR). These Guidelines set out the legal and technical requirements the EDPB considers necessary for pseudonymisation to be effective.
1. The concept of ‘pseudonymisation’ and the ‘pseudonymisation domain’
Pseudonymisation is a technical measure that, together with other measures, can reduce risks to data subjects by ensuring that personal data cannot be linked to a specific person without using additional information. These risks include confidentiality risks, the risks of function creep (i.e., the risk that personal data is further processed in a manner that is incompatible with purposes for which it was collected), and the risk to accuracy.
Pseudonymisation is defined in Article 4(5) GDPR as “the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the data are not attributed to an identified or identifiable natural person”. The desired effect of pseudonymisation is therefore to control the attribution of personal data to specific data subjects by denying this ability to some persons or parties.
The Guidelines introduce the concept of the ‘pseudonymisation domain’, which refers to a domain within which persons process only pseudonymised data and have no access to the additional information that would allow them to link the pseudonymised data to a particular data subject. In any case, such additional information that would enable attribution to the data subject must be kept separate from the pseudonymisation domain and must be protected by appropriate technical and organisational measures.
2. Pseudonymisation and its advantages
The EDPB considers pseudonymisation an effective tool to meet certain data protection requirements, in particular when it is complemented by additional measures. Of course, controllers will still need to assess the appropriateness of all measures taken together to establish whether they suffice to meet the relevant data protection requirements. First, pseudonymisation may be employed as one of several technical and organisational measures to comply with the principles of data protection by design and by default, in particular data minimisation and confidentiality. It may also contribute to safeguarding the lawfulness, fairness, purpose limitation and accuracy principles.
In particular, pseudonymisation can be used as an appropriate measure for the implementation of the data minimisation, confidentiality, and possibly also purpose limitation principles if data are to be transmitted to and processed by an external recipient, be it a processor or a controller. This could also benefit controllers receiving personal data, as it aids in fulfilling their data protection obligations, such as data minimisation. Moreover, pseudonymisation may constitute a so-called “supplementary measure” to ensure compliance for third country data transfers and protect personal data transferred to a third country from disproportionate government access by public authorities of that country [1]. Another benefit of pseudonymisation is its significant role in the legitimate interest assessment (LIA), which is essential for relying on legitimate interests under Article 6(1)(f) of the GDPR.
3. Yet, pseudonymised personal data remains personal data
Unlike anonymised data, pseudonymised data remains personal data, meaning data subjects retain their rights under Chapter 3 of the GDPR. However, if the controller cannot identify a data subject (because it lacks access to the additional identifying information or cannot reverse the pseudonymisation), certain rights (under Articles 11(2) and 12(2) of the GDPR) may not apply unless the data subject provides identifying details.
To uphold data subject rights, controllers should inform individuals on how to retrieve and use their pseudonyms to verify their identity. If necessary, they may need to provide details of the data source or the entity responsible for pseudonymisation.
Regarding security, an unauthorised reversal of pseudonymisation qualifies as a data breach. The controller may therefore be required to notify the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If it poses a high risk to individuals, the controller must also notify the affected data subjects.
4. Technical measures and safeguards
Controllers should identify and clearly define the risks they aim to mitigate through pseudonymisation. The goal of pseudonymisation within a specific processing activity is to achieve a measurable reduction of these risks. To ensure effectiveness, controllers must design pseudonymisation measures that reliably fulfil this objective.
The Guidelines provide detailed recommendations on the technical measures and safeguards for effective pseudonymisation. Below are our most important takeaways:
- Pseudonymising Transformation – This involves modifying the original data so that it cannot be attributed to specific data subjects without additional information. It must be ensured that the pseudonymised data contains no direct identifiers. Cryptographic algorithms (‘first class’) or lookup tables (‘second class’) can be used.
- Preventing Unauthorised Attribution – To prevent the unauthorised attribution of pseudonymised data, measures should be taken in three (3) directions. First, the pseudonymising transformation should be protected against reversal by choosing a suitable design and ensuring an appropriate level of security for the pseudonymisation secrets. Second, quasi-identifiers should be appropriately handled. Third, data controllers should ensure that their objectives regarding the scope of the pseudonymisation domain, the use of pseudonymised data and the accessibility of relevant information sources within it are met.
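As an added illustration (not code from the Guidelines or from the author of this post), the following Python sketch shows the two classes of pseudonymising transformation named above, keeps the secret or lookup table outside the pseudonymisation domain, generalises quasi-identifiers and checks that no direct identifier survives in the released dataset; the records, field names and secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people), as held outside the domain.
RECORDS = [
    {"email": "alice@example.org", "birth_date": "1987-04-12", "postcode": "1000", "diagnosis": "A"},
    {"email": "bob@example.org", "birth_date": "1990-11-03", "postcode": "2000", "diagnosis": "B"},
    {"email": "alice@example.org", "birth_date": "1987-04-12", "postcode": "1000", "diagnosis": "C"},
]
# Fields that must never enter the domain in raw form: the direct identifier
# and the un-generalised quasi-identifiers (assumed field names).
FORBIDDEN_IN_DOMAIN = {"email", "birth_date", "postcode"}


def first_class_pseudonym(identifier: str, secret: bytes) -> str:
    """'First class' transformation: keyed cryptographic function (HMAC-SHA256).
    Same identifier + same secret gives the same pseudonym, so records stay
    linkable inside the domain; without the secret the pseudonym can neither be
    reversed nor recomputed from a guessed identifier. The secret is the
    'additional information' that must be kept separately."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()


class LookupTablePseudonymiser:
    """'Second class' transformation: random pseudonyms plus a lookup table.
    Here the table itself is the additional information; whoever holds it can
    re-attribute every record, so it must stay outside the domain."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}

    def pseudonym(self, identifier: str) -> str:
        return self.table.setdefault(identifier, secrets.token_hex(16))


def generalise_quasi_identifiers(rec: dict) -> dict:
    """Reduce quasi-identifiers to what the purpose needs: birth year and
    postcode area instead of the full date of birth and postcode."""
    return {"birth_year": rec["birth_date"][:4], "postcode_area": rec["postcode"][:2]}


def pseudonymise(records: list[dict], secret: bytes) -> list[dict]:
    """Produce the dataset that may be handled inside the pseudonymisation domain."""
    out = []
    for rec in records:
        new = {"pid": first_class_pseudonym(rec["email"], secret)}
        new.update(generalise_quasi_identifiers(rec))
        new["diagnosis"] = rec["diagnosis"]
        out.append(new)
    return out


def leaks_forbidden_field(dataset: list[dict]) -> bool:
    """Release check: True if any raw identifying field is still present."""
    return any(key in FORBIDDEN_IN_DOMAIN for rec in dataset for key in rec)
```

Note that the first-class variant still allows an unauthorised party to attribute records if the secret leaks, which is why the Guidelines tie the design choice to the security of the pseudonymisation secrets.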
5. Real-world scenarios illustrating the use and benefits of pseudonymisation
The Guidelines provide several real-world examples illustrating the use and benefits of pseudonymisation for various kinds of undertakings. The examples of pseudonymisation aim to safeguard one or more of the following GDPR provisions: (i) data minimisation, (ii) purpose limitation, (iii) confidentiality, (iv) accuracy, (v) safeguards for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, (vi) security of processing, (vii) lawfulness of legitimate interests, (viii) further processing, (ix) appropriate safeguards for transfers, and (x) fairness.
6. Developments in case law
It must be noted that European case law on the notions of personal data, identifiability, pseudonymisation and anonymisation has evolved progressively. There are several cases in this regard [2] which, interestingly, are not mentioned in these new Guidelines. Moreover, we are currently awaiting the decision of the CJEU in the SRB case [3], which is particularly interesting because the disclosure of masked data to a third-party recipient is mentioned as a use case of pseudonymisation in the Guidelines. The Guidelines have therefore received a significant amount of criticism from legal scholars. To avoid legal uncertainty, we hope that substantial amendments will be made to the Guidelines following the public consultation and/or that this jurisprudence will be addressed in the EDPB's guidelines on anonymisation.
7. Contact us
As described in the Guidelines, pseudonymisation can be a powerful tool for ensuring compliance, but its effectiveness depends on proper implementation. Our Lydian Data Protection team is available to assist you with any questions you may have regarding the EDPB Guidelines, or any other data protection matters. Please feel free to reach out to us for further assistance.
[1] Subject to the conditions enumerated in paragraph 85 of Annex 2 to the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
[2] Such as Breyer, Scania and IAB Europe.
[3] Case C-413/23 P (European Data Protection Supervisor / Single Resolution Board). The Advocate General delivered an opinion on 6 February 2025: