On 16 Jan 2025 the European Data Protection Board published its Guidelines 01/2025 on pseudonymisation, marking the first comprehensive guidance on this data protection measure since the implementation of GDPR.
The guidelines provide two important legal clarifications:
1. Pseudonymised data, which could be attributed to an individual by the use of additional information, remains information related to an identifiable natural person and is therefore still personal data. Indeed, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.
2. Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis, as long as all other GDPR requirements are met. Likewise, pseudonymisation can aid in securing compatibility with the original purpose.
The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR).
Finally, the guidelines analyse technical measures and safeguards, when using pseudonymisation, to ensure confidentiality and prevent unauthorised identification of individuals.
Organizations have until 28 February 2025 to submit feedback on the guidelines through the EDPB's public consultation process.
The final version will establish binding interpretations for data protection authorities across the European Economic Area.
