Article 4(5) GDPR. Pseudonymisation

Authors: Marco Almada, Juliano Maranhao and Giovanni Sartor 

(5) ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

I. General overview

Art. 4 no. 5 introduces the concept of “pseudonymisation”, which consists in processing personal data in such a way as to restrict the possibility of attributing such data to the data subjects concerned. Pseudonymisation transforms a set of personal data into a new set of data (the pseudonymised data) which can be attributed to the data subjects only through the use of further data that are kept separately and are subject to technical and organisational measures to prevent their unauthorised or unlawful use. The term pseudonymisation derives from pseudonym (literally, false name): the data items that could be used to identify the data subject (such as the name, personal identification codes and so forth) must be removed and substituted with data from which the data subject can no longer be identified (the pseudonym, in a broad sense). For instance, the data that enable the identification of the data subject can be encrypted, so that such data can only be recovered from the pseudonym (the encrypted data) by using a decryption key. The data that enable identification are to be stored separately and retrieved only when reidentification is needed for legitimate purposes.

Pseudonymisation must be clearly distinguished from anonymisation. Anonymised data no longer qualify as personal data, since they can no longer be linked to the data subjects; therefore, they do not fall within the scope of the GDPR. On the contrary, pseudonymised data can still be linked to the data subjects (by using the further data that enable reidentification); therefore, they remain personal data, subject to the GDPR’s requirements.
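The arrangement described above can be sketched in code. This is an added example, not part of the original commentary: direct identifiers are replaced by a keyed pseudonym, and the data enabling re-identification go into a separate table. It uses an HMAC with a lookup table rather than the encryption mentioned in the text; the field names and sample records are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Direct identifiers to strip from the working dataset (constructed field names).
IDENTIFYING_FIELDS = ("name", "national_id")

# Constructed sample records; the first and third concern the same person.
SAMPLE_RECORDS = [
    {"name": "Ana Example", "national_id": "ID-0001", "diagnosis": "asthma"},
    {"name": "Ben Sample", "national_id": "ID-0002", "diagnosis": "fracture"},
    {"name": "Ana Example", "national_id": "ID-0001", "diagnosis": "allergy"},
]


def pseudonymise(records, key):
    """Return (pseudonymised rows, lookup table that must be stored separately)."""
    rows, lookup = [], {}
    for rec in records:
        identifiers = {f: rec[f] for f in IDENTIFYING_FIELDS}
        # Keyed pseudonym: without `key`, nobody can recompute it from a
        # guessed name or ID. JSON encoding keeps field boundaries unambiguous.
        material = json.dumps(identifiers, sort_keys=True).encode()
        pseudonym = hmac.new(key, material, hashlib.sha256).hexdigest()[:32]
        # The "additional information" of Art. 4 no. 5: kept apart from the
        # rows and placed under its own access controls.
        lookup[pseudonym] = identifiers
        row = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        row["pseudonym"] = pseudonym
        rows.append(row)
    return rows, lookup


def reidentify(row, lookup):
    """Re-attribute a row to its data subject; requires the lookup table."""
    payload = {k: v for k, v in row.items() if k != "pseudonym"}
    return {**lookup[row["pseudonym"]], **payload}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the party allowed to re-identify
    rows, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
    print(reidentify(rows[0], lookup))
```

Rows about the same person carry the same pseudonym and can be re-attributed by whoever holds the table, which is why the output is still personal data rather than anonymised data.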

Various provisions, such as Art. 25 para. 1 and Art. 32 para. 1 lit. a, mention pseudonymisation as a way to address data protection risks and comply with data protection principles such as data minimisation (Art. 5 para. 1 lit. c). Pseudonymisation can also be considered a mitigating factor for administrative sanctions under Art. 83 para. 2 lit. d, thus reducing legal risks for data controllers and processors. No provisions in the GDPR strictly prescribe pseudonymisation; thus, the decision on whether to pseudonymise personal data rests within the discretion of data controllers and processors. However, failure to pseudonymise personal data may expose the controller to civil liability under Art. 82, for failing to fully implement the GDPR requirements.

II. Legal context and historical developments

Neither the DPD nor the CoE’s Convention 108 explicitly addresses pseudonymisation.[1] However, the Art. 29 WP discussed the distinction between anonymised and pseudonymised data, as well as the techniques for pseudonymisation and the corresponding advantages and risks.[2]

The eIDAS regulation[3] establishes that, if so allowed by Member State law, natural persons can identify themselves through pseudonyms in electronic transactions. Pseudonyms can be used for authentication under eIDAS instead of a person’s name or identification number as long as the trust service provider is able to re-identify that person if needed.[4] This conception of a pseudonym resembles Art. 4 no. 5 of the GDPR, since both regulations view pseudonyms as aliases that can be used for referring to a person. However, eIDAS pseudonyms may not qualify as GDPR pseudonyms, since under eIDAS there is no requirement that the identification of the person on the basis of the pseudonym be impossible without additional information.

 

[…]

[1] Tosoni, ‘Art. 4(5)’, in Kuner/Bygrave/Docksey, p. 134.

[2] In particular, see ‘Opinion 05/2014 on Anonymisation Techniques’ (Brussels: Article 29 Data Protection Working Party, 2014), pp. 20-22.

[3] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

[4] For ensuring interoperability between the identification systems of different Member States, identification systems share between themselves – but not with the identifying counterparts – information such as the name associated with a given pseudonym. It has been argued that this sharing introduces a tension between the role of pseudonyms in the eIDAS and the Regulation: Tsakalakis/Stalla-Bourdillon/O’Hara, ‘What’s in a Name: The Conflicting Views of Pseudonymisation under EIDAS and the General Data Protection Regulation’, in Open Identity Summit 2016: October 13–14, 2016, Rome, Italy, pp. 167–174.
