GDPR Learning Hub

Menu
  • Buy GDPR-courses
  • Learn about the GDPR
  • Download free checklists
  • Take free quizzes
  • Buy GDPR Templates

Information about GDPR

Anonymised data is not personal data

Anonymised data is not personal data and is therefore not covered by the GDPR. This applies, however, provided that the personal data has been anonymised in accordance with the three criteria laid down by the European Data Protection Authorities. 

What is the definition of anonymised data?

The definition of anonymised data, is personal data which, through the use of technology, has been rendered anonymous in such a way that it is no longer possible to identify an individual through the data. Anonymised data is not personal data and is therefore not covered by the GDPR. Anonymous data is data that cannot be used to identify a person, either directly or indirectly, or in combination with other data. 

What is personal data?

When it is possible to link a data to a natural living person, it constitutes personal data. The company processing the data must comply with the GDPR if the data belongs to an individual within the EU/EEA area. 

Personal data may have a subjective or objective nature and some personal data is more important than others. The more important the personal data, the higher the security requirements for its processing. Common examples of personal data are:

  • Surname(s) and first name(s)
  • Date of birth
  • Personal identification number
  • Phone number
  • Images, films and sound recordings that can identify an individual.

Does the GDPR apply to the process of anonymising personal data?

Yes, GDPR applies to the process of anonymisation of personal data. This means that anonymisation of the personal data itself must, among other things, be based on a legal basis in order to be lawful. This applies even if the anonymised data is not personal data. Furthermore, data subjects have the right to receive information about the anonymisation process, as their personal data will then be processed. However, the GDPR does not apply to data that has been anonymised. In addition, the controller who anonymises personal data must comply with the other rules of the GDPR in the anonymisation process. 

Anonymisation may allow data to continue to be stored

There are several advantages to anonymising personal data, as anonymised data is not personal data, but it is not always easy or possible to conduct. According to the GDPR, companies may only process personal data for the purpose for which they were collected. 

However, the company may want to save certain data in order to, for example, improve its service or product, for marketing purposes or similar. By anonymising personal data, the company can continue to store the anonymised data.

Criteria to be met in order for the information to be considered anonymous

The following is a description of the three (3) criteria that must be met in order for information to be considered anonymous according to the European Data Protection Authorities: 

1. Singling out

For data to be considered anonymous, it shall not be possible to distinguish information about the data subject. This means that it should not be possible to identify, single out or isolate an individual in a set of data, even if the individual’s name is not included. 

  • Key question: Is it possible to identify an individual through the data set?
  • Example: If a full name appears in a list, which also contains information about the individual’s age, place of residence and work role, and the company replaces the name with a number, it does not necessarily mean that the data has been anonymised. A combination of, for example, information that “a 52-year-old man, who lives in the town with postal code 123 45 and works as a school principal”, may be sufficient to distinguish the individual, especially in a smaller geographical area. 

2. Linkability

It must also not be possible to link different datasets to an individual, even if the individual is not directly identified by the individual data. 

  • Key question: Is it possible to link datasets with or to each other that can lead to the identification of an individual?
  • Example: A person buys a bus card that has a unique card number. The purpose of the unique card number is for the holder to be able to block the card and order a new one through a code, if it is lost. In order for the card issuer to issue a new card to the right person, they have a database with the names of cardholders who registered their cards. In other words, it is possible to link the card number, code and registry to an individual, which means that the card number is a personal data with linkability. These are examples of pseudonymised personal data (not anonymised personal data). 

3. Inference

It should not be possible, either directly or indirectly, to derive information about an individual or to draw conclusions about an individual with a high probability or predictability, from the data in question.

  • Key question: Is it possible to draw probable conclusions about individuals?
  • Example: The data must not lead to conclusions being drawn about individuals. For example, information in a data set that “men over the age of 65 living in a given municipality” always have a certain disease, may lead to conclusions that an individual with these characteristics is likely to suffer from such a disease. 

Learn more about Personal Data

Pseudonymised personal data is not the same as anonymised data

Once personal data has been anonymised, it is no longer personal data. Unlike pseudonymised personal data, which constitutes a technical security measure to protect personal data, and still constitutes personal data. For example, pseudonymised personal data is a code that replaces a name in a registry list, and the name that the code represents appears in a separate list. In other words, some additional information is needed for the pseudonymised data to be attributed to a natural person.

Want to learn more?

Read more
Scroll to Top