Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board (EDPB) has issued new guidelines on the pseudonymization of personal data, emphasizing how it differs from anonymization, yet is still a valuable tool for data controllers to meet their GDPR obligations. According to the guidelines, pseudonymization is the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information.
The guidelines explain how pseudonymization can help data controllers comply with GDPR principles, including data minimization, confidentiality, and purpose limitation. Pseudonymization reduces risks to data subjects by preventing the attribution of personal data to natural persons during processing. However, the guidelines also emphasize that pseudonymized data remains personal data, unlike anonymized data. This means data subjects retain their rights. The EDPB notes that unauthorized re-identification of pseudonymized data constitutes a personal data breach and must be treated as such.
To ensure effective pseudonymization, the guidelines suggest that controllers define the purpose of pseudonymization, establish a secure “pseudonymization domain” for data processing, remove long-term identifiers while replacing short-term identifiers with pseudonyms, and carefully manage quasi-identifiers that could also lead to identification. Furthermore, the guidelines recommend re-evaluating the effectiveness of pseudonymization when transferring and combining data.
Click here to read the European Data Protection Board’s Guidelines 01/2025 on Pseudonymization.
