ANONYMISATION AND PSEUDONYMISATION OF PERSONAL DATA

This blog post is written by Erik Myrberg, lawyer at Synch

Recital 26 of the GDPR clarifies that the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is no longer identifiable. Yet, the same recital states that personal data which have undergone pseudonymisation and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. This has led to confusion among some regarding the difference between anonymisation and pseudonymisation.

According to WP29 (an advisory body now replaced by the EDPB) anonymised data is data which previously referred to an identifiable person, but where identification is no longer possible due to the anonymisation. Therefore, anonymisation must prevent any party from singling out an individual otherwise the data is not deemed to be anonymised and thus falls within the definition of personal data according to the GDPR. A common misconception in regard to anonymisation is that handing over data sets with personal data masked or removed would not constitute processing of personal data. This may only be true if the original data sets are either deleted or permanently altered in the same way (and under the circumstances that all personal data is masked or removed from the data sets in such manner that restoration is impossible). In addition, one must also ensure that the data sets cannot be used in combination with other data to identify a natural person, since otherwise the data sets would be considered to contain personal data.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. According to the GDPR, pseudonymisation can be utilized to enhance the level of security connected with processing personal data. It is worth to keep in mind that pseudonymisation does not result in personal data being anonymized nor losing its status as personal data in accordance with the GDPR.
There are today several different techniques available for both anonymisation and pseudonymisation and the matter of encryption is subject to intense research. It is unfortunately not possible to give any general advice on which technique to use and when, as this needs to be determined on a case-by-case-basis. What can be said is that prior to conducting anonymisation or pseudonymisation, it is recommended to consult with a security expert in order to ensure that the desired result is obtained and to avoid any misunderstandings.
On a final note, both the act of anonymisation and pseudonymisation of personal data are still considered to be processing activities under the GDPR, which necessitates considerations of inter alia the lawfulness of such processing and how to comply with retention times obligated by law. If you have any questions or concerns regarding anonymisation or pseudonymisation, please do not hesitate to contact us.

News and Insights
Blog Posts

Responsibility of online platforms and the regressive opinion of the Advocate General

08/12/2020

This blog post was written by My Byström, lawyer at Synch A comment on the opinion of the Advocate General in joined cases Youtube (C-682/18) and Cyando (C‑683/18) In December, the CJEU is expected to deliver its judgement in the joined cases Youtube and Cyando, where questions regarding the liability of platforms for user uploaded materials have […]

Blog Posts

New standard contractual clauses for data transfers between EU and non-EU countries and how it affects your business

01/10/2021

As of September 27th, 2021, companies and organisations relying on Standard Contractual Clauses (SCCs) to transfers personal data outside the EU/EAA must use the new set of Standard Contractual Clauses (2021 SCCs) for all new contracts. Background All companies that transfer personal data outside the EU/EAA must ensure that the level of protection of natural […]

Press release

Synch has assisted 1 Bil Kredit Syd AB

30/09/2021

Synch has assisted 1 Bil Kredit Syd AB (“Fordonskrediten”) with its application to obtain a license from the Swedish Financial Supervisory Authority to commence consumer credit mediation services. Fordonskrediten is a company that is building a unique platform for mediation of credits to consumers and companies for the purchase of vehicles. The platform will reduce […]

Press release

Synch has advised Colzyx AB regarding financing from the EIC Fund

24/09/2021

Synch has advised Colzyx AB regarding a convertible loan from the European Innovation Council Fund. Colzyx has received financing from EIC Fund for its business to develop innovative wounds care and antimicrobial products. Colzyx’s invention WOUNDCOM accelerates wound healing and has defined antibacterial effects against all bacteria tested so far, including multidrug resistant bacteria, which […]

Press release

Synch has acted as legal advisor for Redstone Investment Group SA

24/08/2021

Synch has acted as legal advisor for Redstone Investment Group SA in their sale of Electric Fuel Infrastructure Sweden 2 AB (“eFuel”) to DistIT AB (publ) (“DistIT”). eFuel is one of the largest companies in Sweden within the electric car charging sector with a market share of approximately 30% of all delivered charging boxes. For […]

Press release

Synch is proud to announce that Sara Sparring is included in the list of Top 250 Women in IP

17/08/2021

Managing IP revealed this year’s 2021 edition of leading female intellectual property practitioners in private practice. Synch is proud to announce that Sara Sparring is included in the list of Top 250 Women in IP from more than 30 jurisdictions and different regions of the world. Synch is also delighted to announce that Sara Sparring […]

Press release

Synch has assisted ValidAlpha AB

16/08/2021

Synch has assisted ValidAlpha AB with its application to register its first fund ValidOne with the Swedish Financial Supervisory Authority as an alternative investment fund. ValidAlpha is an AI-driven proprietary trading company specializing in high-frequency trading on multiple global markets. The company´s mission is to generate superior risk-adjusted returns through the use of cutting edge […]