On 16 January 2025, the European Data Protection Board (EDPB) released guidelines on pseudonymisation. Public consultation on the guidelines is ongoing until 28 February 2025. 

The GDPR defines pseudonymisation as the process of transforming personal data in a way that the data can no longer be attributed to a specific data subject (pseudonymised data) without the use of extra information, provided that such information is kept separate and is subject to technical and organisational measures that ensure it cannot be linked back to a specific person (additional information).

The EDPB guidelines explain the benefits of pseudonymisation as an effective safeguard for controllers to meet data protection obligations and demonstrate compliance with the data protection principles. For example, the guidelines highlight pseudonymisation as a key security measure for reducing privacy and security risks, which therefore makes it easier to rely on legitimate interests as a legal basis if all other GDPR requirements are met. Pseudonymisation can also aid in securing compatibility with the original purpose since it may limit the possible consequences of further processing for data subjects, under Article 6(4) GDPR.

The guidelines clarify that the rights of data subjects apply to pseudonymised data and, therefore, controllers must ensure that data subjects can exercise their rights, even when their data is pseudonymised. Further, any breach of security leading to the unauthorised reversal of pseudonymisation constitutes a personal data breach and could, therefore, require the controller to notify the supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of individuals.

The guidelines introduce the concept of a "pseudonymisation domain", i.e., the environment created by controllers and processors in which they can set the parameters for precluding attribution of data to specific persons by the groups operating within it. Controllers and processors can decide which groups to include in the domain, ranging from known internal recipients to external unauthorised recipients. This is an important consideration for evaluating how robust the pseudonymisation process will be as the EDPB notes that different measures will likely need to be considered depending on the actors within the domain.

The issue of data in different hands

The EDPB guidelines do not aim to explore in too much detail situations in which the pseudonymisation process can lead to anonymisation (i.e. where data is no longer considered personal). However, the guidelines emphasise that pseudonymised data and additional information that are not in the hands of the same person will remain personal data if pseudonymised data and additional information could be combined by means that are "reasonably likely" to be used by the controller or any other person. The EDPB does not go on to explain what is meant by "reasonably likely". 

The guidelines are clear, however, that even if all additional information retained by a controller were erased, the remaining pseudonymised data could only be considered anonymous if all the conditions for anonymity were met. 

Addressing the same topic, on 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its Opinion in the case C-413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB).

In its Opinion, the Advocate General considered the question of whether pseudonymised data can be personal data in the hands of the recipient. The Advocate General decided that, if a recipient has "reasonable means" to re-identify data subjects, for example, by obtaining additional information by available legal means, it could be considered to be processing personal data. However, the Advocate General concluded that, if the risk of re-identification by the recipient using reasonable means is "non-existent" or "insignificant", then the data may not be automatically considered personal data. "Non-existent", following the Breyer case, means prohibited by law or practically impossible, for instance if it requires a disproportionate effort in terms of time, cost and manpower (see our previous article for further information).

Where does this leave us?

The Advocate General's Opinion provides welcome clarification for organisations that are recipients of pseudonymised data and have virtually no practical, technical or legal means of obtaining additional information to re-identify data subjects, as this will mean that they are unlikely to be processing personal data. The EDPB stops short, in its guidelines, of clarifying what is meant by a controller or another party being able to combine additional and pseudonymised data by "reasonably likely" means, therefore making its position less certain. 

However, the CJEU may yet provide further clarification on when pseudonymised data may cease to be considered personal data in its binding judgment in the EDPS v SRB case (in which it is expected to follow the Advocate General's Opinion). 

Pseudonymisation: The EDPB guidelines and the CJEU Advocate General's Opinion in EDPS v Single Resolution Board
