Guidelines on Pseudonymisation (and on anonymisation)

Pseudonymisation has become a key concept in data protection law, particularly under the EU's General Data Protection Regulation (GDPR). It serves as a safeguard to protect personal data while allowing for its further processing.

1. What is pseudonymisation?

Pseudonymisation is defined in Article 4(5) of the GDPR as:

“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”

The key characteristics of pseudonymisation are as follows:

• pseudonymised data remains personal data, i.e. the requirements of data processing shall be applicable to such data,

• it allows controllers to further use the data and merge data sets regarding the same person but at the same time to provide better protection to the individual,

• pseudonymisation is a reversible process from a technical perspective, i.e. it is possible to attribute the data to a specific data subject and process the data further in this form.

2. Guidelines on pseudonymisation (and on anonymisation)

The European Data Protection Board (EDPB) has just released its guidelines on pseudonymisation: EDPB Guidelines 01/2025 on Pseudonymisation (adopted January 16, 2025). On this occasion, it is worth looking at what other guidelines are available to controllers and processors to help them use pseudonymisation techniques (and since these two concepts are often discussed together, anonymisation techniques) in their daily operations.

Guidelines and opinions issued in the European Union:

• Autoriteit Persoonsgegevens (Dutch DPA): Data pseudonymisation

• AEPD (Spanish DPA): Anonymisation and pseudonymisation (October 2021)

• ENISA (EU´s cybersecurity agency): “Report on Pseudonymisation Techniques and Best Practices” (December 2019). (The Report is also available in Italian and in French.)

• AEPD (Spanish DPA): Introduction to the hash function as a personal data pseudonymisation technique (October 2019)

• Data Protection Commission (Ireland): Guidance on Anonymisation and Pseudonymisation (June 2019).

• AEPD(Spanish DPA): 10 misunderstanding related to anonymisation

• AEPD(Spanish DPA): K-anonymity as a privacy measure

• ISO/IEC 20889:2018: Privacy enhancing data de-identification terminology and classification of techniques (November 2018, reviewed and confimred in 2024)

• Article 29 Working Party (predecessor of the EDPB): Opinion 05/2014 on Anonymisation Techniques. (April 2014)

Guidelines and opinions issued worldwide:

• ASEAN Guide on Data Anonymisation (January 2025)

• Roundtable of G7 Data Protection and Privacy Authorities: Reducing identifiability in cross-national perspective: Statutory and policy definitions for anonymization, pseudonymization, and de-identification in G7 jurisdictions (October 2024)

• Saudi Data & AI Agency: Personal Data Destruction, Anonymization, and Pseudonymisation Guideline (August 2024)

• Personal Data Protection Commission (Singapore): Guide to Basic Anonymisation (July 2024)

• NIST: De-Identifying Government Datasets: Techniques and Governance (September 2023)

• ICO´s Draft anonymisation, pseudonymisation and privacy enhancing technologies guidance (February 2022)

• Office of the Australian Information Commissioner: Australian Privacy Principle 2 — Anonymity and pseudonymity (July 2019)

• Jersey Office of the Information Commissioner: Guidance on Anonymisation and Pseudonymisation