{"id":17940,"date":"2025-03-26T08:00:30","date_gmt":"2025-03-26T08:00:30","guid":{"rendered":"https:\/\/letslaw.es\/?p=17940"},"modified":"2025-03-06T09:44:51","modified_gmt":"2025-03-06T09:44:51","slug":"edpb-pseudonymization-comply-gdpr","status":"publish","type":"post","link":"https:\/\/letslaw.es\/en\/edpb-pseudonymization-comply-gdpr\/","title":{"rendered":"What is pseudonymisation? The EDPB clarifies the use of pseudonymisation for GDPR compliance"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In the digital era, where information is an invaluable asset, privacy has become an unavoidable priority. The General Data Protection Regulation (GDPR) was introduced to establish a framework for protecting personal data, but compliance can be complex.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this article, we discuss an essential tool that helps navigate the GDPR with confidence: pseudonymisation.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">The term &#8220;pseudonymisation&#8221; under the GDPR<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Pseudonymisation is defined in Article 4(5) of the GDPR as <\/span><i><span style=\"font-weight: 400;\">the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Essentially, <\/span><b>pseudonymisation involves modifying personal data so that individuals cannot be directly identified<\/b><span style=\"font-weight: 400;\"> without the use of separately stored and secured additional information. The document <\/span><i><span style=\"font-weight: 400;\">Guidelines 01\/2025 on Pseudonymisation<\/span><\/i><span style=\"font-weight: 400;\">, adopted on 16 January 2025, aims to clarify the use and benefits of pseudonymisation for controllers and processors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The EDPB highlights that pseudonymisation is not a magical solution for GDPR compliance but rather a tool within a broader set of measures. The document emphasises that pseudonymisation can <\/span><b>reduce risks for data subjects by preventing the attribution of personal data to individuals<\/b><span style=\"font-weight: 400;\"> during processing and in cases of unauthorised access or use.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To achieve effective pseudonymisation, data controllers must follow three key actions:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Modify or transform the data<\/b><span style=\"font-weight: 400;\">: this involves altering the original data in such a way that it cannot be directly attributed to an individual.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Keep additional information separate<\/b><span style=\"font-weight: 400;\">: the data required to link pseudonymised data to an individual must be stored separately and protected by technical and organisational measures.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Implement technical and organisational measures<\/b><span style=\"font-weight: 400;\">: robust measures must be put in place to prevent the unauthorised attribution of personal data to an identified or identifiable natural person.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Difference between pseudonymisation and anonymisation<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">It is crucial to understand the distinction between pseudonymisation and anonymisation, as they are often confused. Pseudonymisation, as previously mentioned, does not render data anonymous. Pseudonymised data remains personal data because <\/span><b>there is still a possibility of identifying the individual through additional information<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Anonymisation, on the other hand, is an irreversible process that completely <\/span><b>removes the possibility of identifying the individual<\/b><span style=\"font-weight: 400;\">. Anonymised data is no longer subject to GDPR regulations as it is no longer considered personal data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The EDPB emphasises that pseudonymised data, which could be attributed to an individual using additional information, should still be considered information about an identifiable person and, therefore, personal data. This remains true even if the pseudonymised data and the additional information are held by different parties.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Examples of pseudonymisation in practice<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">To better understand how pseudonymisation works in practice, here are some examples:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Pseudonymisation in medical research<\/b><span style=\"font-weight: 400;\">: a hospital wants to share patient data for a study on the effectiveness of a new treatment. It pseudonymises the data by replacing names and identification numbers with unique codes while keeping a secure key that allows re-identification if necessary to provide relevant information to patients.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Internal data analysis<\/b><span style=\"font-weight: 400;\">: a company wants to analyse employee data to improve working conditions. It pseudonymises the data by replacing names with codes so that analysts cannot directly identify employees, although the HR department can do so if specific measures need to be taken.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Protecting victims of gender-based violence<\/b><span style=\"font-weight: 400;\">: victims of gender-based violence may request the pseudonymisation of their identifying data to ensure their safety.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Pseudonymisation is a valuable tool for protecting privacy when processing personal data. However, it is essential to understand that it is not a foolproof solution and does not replace other security measures and GDPR compliance requirements. It must be implemented thoughtfully, assessing risks and applying appropriate technical and organisational measures to ensure the security of additional information and the protection of data subjects&#8217; rights.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At Letslaw we are <\/span><a title=\"digital lawyers\" href=\"https:\/\/letslaw.es\/en\/digital-lawyers\/\"><span style=\"font-weight: 400;\">experts in digital law<\/span><\/a><span style=\"font-weight: 400;\"> and can provide you with the legal advice you need.<\/span><\/p>\n<div class=\"cyp_post_formulario\"><h2>Contact Us<\/h2>\n<div class=\"wpcf7 no-js\" id=\"wpcf7-f3074-o1\" lang=\"es-ES\" dir=\"ltr\" data-wpcf7-id=\"3074\">\n<div class=\"screen-reader-response\"><p role=\"status\" aria-live=\"polite\" aria-atomic=\"true\"><\/p> <ul><\/ul><\/div>\n<form action=\"\/en\/wp-json\/wp\/v2\/posts\/17940#wpcf7-f3074-o1\" method=\"post\" class=\"wpcf7-form init wpcf7-acceptance-as-validation\" aria-label=\"Formulario de contacto\" novalidate=\"novalidate\" data-status=\"init\">\n<fieldset class=\"hidden-fields-container\"><input type=\"hidden\" name=\"_wpcf7\" value=\"3074\" \/><input type=\"hidden\" name=\"_wpcf7_version\" value=\"6.1.5\" \/><input type=\"hidden\" name=\"_wpcf7_locale\" value=\"es_ES\" \/><input type=\"hidden\" name=\"_wpcf7_unit_tag\" value=\"wpcf7-f3074-o1\" \/><input type=\"hidden\" name=\"_wpcf7_container_post\" value=\"0\" \/><input type=\"hidden\" name=\"_wpcf7_posted_data_hash\" value=\"\" \/><input type=\"hidden\" name=\"_wpcf7_recaptcha_response\" value=\"\" \/>\n<\/fieldset>\n<div class=\"campo_nombre\" style=\"width:100%\"> <span class=\"wpcf7-form-control-wrap\" data-name=\"your-name\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-text wpcf7-validates-as-required datos-contacto2\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Name\" value=\"\" type=\"text\" name=\"your-name\" \/><\/span><\/div>\n<div class=\"campo_telefono\" style=\"width:100%\"> <span class=\"wpcf7-form-control-wrap\" data-name=\"your-phone\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-tel wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-tel datos-contacto2\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Phone\" value=\"\" type=\"tel\" name=\"your-phone\" \/><\/span><\/div>\n<div class=\"campo_email\" style=\"width:100%\"> <span class=\"wpcf7-form-control-wrap\" data-name=\"your-email\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email datos-contacto2\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Email\" value=\"\" type=\"email\" name=\"your-email\" \/><\/span><\/div>\n<div class=\"campo_asunto\" style=\"width:100%\"> <span class=\"wpcf7-form-control-wrap\" data-name=\"your-asunto\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-text wpcf7-validates-as-required datos-contacto2\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Subject\" value=\"\" type=\"text\" name=\"your-asunto\" \/><\/span><\/div>\n<div class=\"campo_mensaje\" style=\"width:100%\"> <span class=\"wpcf7-form-control-wrap\" data-name=\"your-mensaje\"><textarea cols=\"40\" rows=\"10\" maxlength=\"2000\" class=\"wpcf7-form-control wpcf7-textarea wpcf7-validates-as-required datos-contacto2\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Message\" name=\"your-mensaje\"><\/textarea><\/span><\/div>\n<input class=\"wpcf7-form-control wpcf7-hidden\" value=\"\" type=\"hidden\" name=\"cyp_form_url\" \/>\n<input class=\"wpcf7-form-control wpcf7-hidden\" value=\"cyp_zonaweb\" type=\"hidden\" name=\"zonaweb\" \/>\n<span class=\"wpcf7-form-control-wrap recaptcha\" data-name=\"recaptcha\"><span data-sitekey=\"6LfbCuUpAAAAAGu5f0__hms_y9Kscc_NCNdDGnEJ\" class=\"wpcf7-form-control wpcf7-recaptcha g-recaptcha\"><\/span>\r\n<noscript>\r\n\t<div class=\"grecaptcha-noscript\">\r\n\t\t<iframe loading=\"lazy\" src=\"https:\/\/www.google.com\/recaptcha\/api\/fallback?k=6LfbCuUpAAAAAGu5f0__hms_y9Kscc_NCNdDGnEJ\" frameborder=\"0\" scrolling=\"no\" width=\"310\" height=\"430\">\r\n\t\t<\/iframe>\r\n\t\t<textarea name=\"g-recaptcha-response\" rows=\"3\" cols=\"40\" placeholder=\"Aqu\u00ed la respuesta de reCAPTCHA\">\r\n\t\t<\/textarea>\r\n\t<\/div>\r\n<\/noscript>\r\n<\/span>\n<div style=\"width:100%\">\n<p class=\"form-input-check\" style=\"color:#444444 !important;padding:0px !important;margin:0px !important;font-size:12px !important;margin-bottom:15px !important\">\nBy clicking on \"Send\" you accept our <a href=\"https:\/\/letslaw.es\/en\/privacy-policy\/\" target=\"_blank\">Privacy Policy<\/a> - <a href=\"javascript:\/\/\" class=\"cyp_legal_popup_ingles\">+ Info<\/a>\n<\/p>\n<p class=\"form-input-check\" style=\"color:#444444 !important;padding:0px !important;margin:0px !important;font-size:12px !important\">\n<span class=\"wpcf7-form-control-wrap\" data-name=\"checkbox-173\"><span class=\"wpcf7-form-control wpcf7-checkbox wpcf7-exclusive-checkbox\"><span class=\"wpcf7-list-item first last\"><label><input type=\"checkbox\" name=\"checkbox-173\" value=\"\" \/><span class=\"wpcf7-list-item-label\"><\/span><\/label><\/span><\/span><\/span> I agree to receive outlined commercial communications from LETSLAW, S.L. in accordance with the provisions of our <a href=\"https:\/\/letslaw.es\/en\/privacy-policy\/\" target=\"_blank\">Privacy Policy<\/a> - <a href=\"javascript:\/\/\" class=\"cyp_legal_popup\">+ Info<\/a>\n<\/p>\n<\/div>\n<div class=\"vc_col-sm-12 botton-datos-contacto\"><input class=\"wpcf7-form-control wpcf7-submit has-spinner\" type=\"submit\" value=\"Send\" \/><\/div><input type='hidden' class='wpcf7-pum' value='{\"closepopup\":false,\"closedelay\":0,\"openpopup\":false,\"openpopup_id\":0}' \/><div class=\"wpcf7-response-output\" aria-hidden=\"true\"><\/div>\n<\/form>\n<\/div>\n<div>","protected":false},"excerpt":{"rendered":"<p>The GDPR came in to establish a protection framework for our personal data, but compliance with it can be complex. <\/p>\n","protected":false},"author":60,"featured_media":17944,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[258],"tags":[],"class_list":["post-17940","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-law"],"_links":{"self":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/17940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/users\/60"}],"replies":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/comments?post=17940"}],"version-history":[{"count":3,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/17940\/revisions"}],"predecessor-version":[{"id":17941,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/posts\/17940\/revisions\/17941"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/media\/17944"}],"wp:attachment":[{"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/media?parent=17940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/categories?post=17940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/letslaw.es\/en\/wp-json\/wp\/v2\/tags?post=17940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}