Key References:
- GDPR Art. 4(5) on definition
- GDPR Arts. 25, 32
- Recitals 26, 28, 29, 78, 156.
Art. 4(5) Key elements (definition of pseudonymisation):
- Personal data that can no longer be attributed to a specific data subject, UNLESS
- additional information, that is kept separately, is used.
- Separation of additional information is by design as part of technical and organisational measure to ensure data subject is not identified or identifiable.
Art. 25 on Data protection by design and default:
- Data protection principles require embedding privacy into products. This includes technical and organisational measures such as pseudonymisation of personal data.
Art. 32 on Security of processing:
- Controllers and processors should consider pseudonymisation of personal data as a security measure.
Recital 26 on Anonymous data:
- GDPR applies to Pseudonymised data. Pseudonymisation of personal data is a design and security measure whereby personal data does not point to a specific data subject until additional information, available to the controller or processor, is added to the pseudonymised data.
- GDPR does not apply to Anonymous data. Anonymous information is personal data rendered anonymous in such a manner that the data subject is no longer identifiable.
Recital 28 on Pseudonymised data:
- Pseudonymisation of personal data is recommended as it reduces risks for data subjects and can help controllers and processors to meet their GDPR obligations.
