Learn about GDPR
Pseudonymisation of personal data
Pseudonymisation of personal data is an additional safeguard that may be appropriate for companies to implement, according to Article 32 of the GDPR. The purpose of pseudonymisation is to reduce the risk of individual identification. For example, it is good to implement pseudonymisation of personal data before the information is shared with a consultant who does not need direct access to the personal data itself in order to carry out the consultancy assignment. Keep in mind that pseudonymised data is not the same as anonymous data.
What does pseudonymisation of personal data mean according to GDPR?
The definition of pseudonymisation is set out in Article 4(5) of the GDPR. In short, pseudonymisation of personal data means replacing a directly identifying personal data with an indirect identification data, so that the personal data can no longer be linked to a specific individual, without the use of supplementary information. For example, a name can be changed to an alias or code.
However, it is important to ensure that the additional information is kept separate from the pseudonymised data. For example, the additional information may be in a customer register or a table indicating that the code belongs to a particular individual. In addition, such supplementary information must be protected by appropriate organisational and technical security measures.
Example of a pseudonymised data
A person has a bus card that has a unique code, to enable the blocking of the card if it is lost. The code itself is not sufficient to identify which individual the card belongs to, but the card issuer has a separate register where they can see who the card belongs to through the code. In such cases, the code constitutes personal data that is pseudonymised.
Subjective and objective personal data
Personal data may have a subjective or objective nature. Generally, subjective personal data is more privacy sensitive than many types of objective personal data, and therefore companies need to process subjective personal data with higher security.
- Examples of objective personal data are name, social security number, e-mail address and home address. It is usually information that directly identify a person.
- Examples of subjective personal data are a diagnosis from a doctor and school grades. It is usually something that describes a person or a characteristic of the person.
What is the difference between anonymous data and pseudonymised personal data?
Once personal data has been anonymised, it is no longer personal data but anonymous data. In such cases, the anonymous data is no longer covered by the GDPR. It may be useful to anonymise personal data instead of pseudonymising it, if a company wants to save some of the data. For example, to see what customers like about the company’s products or services, or to tailor the company’s marketing to the target group. Anonymisation of personal data is an irreversible process.
Pseudonymisation of personal data is however a reversible process. This means that it is possible to restore a pseudonymised data to the original personal data using the supplementary information.
When can pseudonymised personal data be appropriate to use?
Where the legal basis for the processing of personal data is legitimate interest
If a company processes personal data on the legal basis of legitimate interest pursuant to Article 6(1)(f) of the GDPR, it may be useful to carry out pseudonymisation of personal data. Please note that the company needs to perform and document a legitimate interest assessment (LIA) to see if the company really has a legitimate interest, before the processing of personal data is carried out on the basis of this legal basis.
When processing privacy-sensitive or sensitive personal data
The security requirements for the processing are higher, when it concerns privacy-sensitive or sensitive personal data. Therefore, it may be appropriate to process pseudonymised data, as an additional safeguard.
If the data subjects are children
Children have a higher level of protection under the GDPR than adults, and therefore companies need to be extra careful when processing personal data belonging to children. It may be appropriate to take additional technical security measures to protect the personal data. An example of a technical security measure that may be appropriate to use is pseudonymisation of personal data.
Statistical purposes
Pseudonymisation of personal data is beneficial when it occurs in connection with the processing of personal data for statistical purposes. This is because, via pseudonymised data, it is possible to make analyses and draw conclusions about the data, while at the same time it can be done without the risk of identifying individuals. Pseudonymisation of data is, according to Article 89 of the GDPR, an appropriate technical protection measure that should be taken when processing personal data in, inter alia, statistics and research, in order to minimise the risks involved in the processing.
Research purposes
It is only permitted to process personal data for research purposes, if it is not possible to do so with anonymous personal data. In addition, it is common to take additional safeguards, such as pseudonymisation, if it is necessary to process the personal data. According to Article 89 of the GDPR, pseudonymisation of personal data is an example of an appropriate protection measure. It is important to ensure that, in particular, the principle of data minimisation is observed.
Nicknames can be personal data
If you use nicknames in the processing instead of the real name of an individual, it can still be considered personal data. This applies if it is possible to link the information to a specific person. For example, if an employer has a digital list of employees’ qualifications and work performance, but it states a nickname that the other employees understand or can read through the information, the nickname constitutes personal data.
More information about Personal Data
Pictures and films can be personal data
Images and films containing identifiable living individuals may be personal data. The same applies to audio recordings. Therefore, it is important to ensure that photography and filming of individuals takes place in accordance with the GDPR, as it constitutes a processing of personal data. This also means, among other things, that companies need to ensure a legal basis before publishing images or videos of their staff on their website or social media.