'What's in a name?': EDPB publishes draft guidelines on pseudonymization


Contributors:
Ruth Boardman
Partner, Co-head, International Data Protection Practice
Bird & Bird LLP
Emma Drake
Partner
Bird & Bird
On 16 Jan., the European Data Protection Board adopted its Guidelines 01/2025 on Pseudonymisation. They are open to consultation until 28 Feb.
Pseudonymization requires that any data that would allow information to be attributed to identified or identifiable individuals be held separately and securely. This allows organizations to make use of pseudonymized data in a way that poses fewer risks to individuals.
The guidelines set out the legal and technical requirements the EDPB considers necessary for pseudonymization to be effective. The guidelines also contain an Annex of 10 worked examples, three of which relate to use of medical data for purposes other than direct care, underlining the importance of the guidelines to that sector. A further example relates to use of customer data to identify correlations between items purchased without engaging in profiling, meaning the guidelines will also be of interest to those involved in marketing and advertising technology, among others.
A case is pending before the Court of Justice of the European Union on whether masked data disclosed to a processor, where only the controller can attribute the data to identifiable individuals, should be treated as pseudonymous or anonymous data. Spoiler alert: the guidelines jump the gun on this topic. However, it is difficult to interpret the guidelines without the case — or without the much-trailed but not yet available EDPB guidelines on anonymization.
What is effective pseudonymization?