ANONYMISATION AND PSEUDONYMISATION OF PERSONAL DATA

This blog post is written by Erik Myrberg, lawyer at Synch

Recital 26 of the GDPR clarifies that the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is no longer identifiable. Yet, the same recital states that personal data which have undergone pseudonymisation and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. This has led to confusion among some regarding the difference between anonymisation and pseudonymisation.

According to WP29 (an advisory body now replaced by the EDPB) anonymised data is data which previously referred to an identifiable person, but where identification is no longer possible due to the anonymisation. Therefore, anonymisation must prevent any party from singling out an individual otherwise the data is not deemed to be anonymised and thus falls within the definition of personal data according to the GDPR. A common misconception in regard to anonymisation is that handing over data sets with personal data masked or removed would not constitute processing of personal data. This may only be true if the original data sets are either deleted or permanently altered in the same way (and under the circumstances that all personal data is masked or removed from the data sets in such manner that restoration is impossible). In addition, one must also ensure that the data sets cannot be used in combination with other data to identify a natural person, since otherwise the data sets would be considered to contain personal data.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. According to the GDPR, pseudonymisation can be utilized to enhance the level of security connected with processing personal data. It is worth to keep in mind that pseudonymisation does not result in personal data being anonymized nor losing its status as personal data in accordance with the GDPR.
There are today several different techniques available for both anonymisation and pseudonymisation and the matter of encryption is subject to intense research. It is unfortunately not possible to give any general advice on which technique to use and when, as this needs to be determined on a case-by-case-basis. What can be said is that prior to conducting anonymisation or pseudonymisation, it is recommended to consult with a security expert in order to ensure that the desired result is obtained and to avoid any misunderstandings.
On a final note, both the act of anonymisation and pseudonymisation of personal data are still considered to be processing activities under the GDPR, which necessitates considerations of inter alia the lawfulness of such processing and how to comply with retention times obligated by law. If you have any questions or concerns regarding anonymisation or pseudonymisation, please do not hesitate to contact us.

News and Insights
Blog Posts

Responsibility of online platforms and the regressive opinion of the Advocate General

08/12/2020

This blog post was written by My Byström, lawyer at Synch A comment on the opinion of the Advocate General in joined cases Youtube (C-682/18) and Cyando (C‑683/18) In December, the CJEU is expected to deliver its judgement in the joined cases Youtube and Cyando, where questions regarding the liability of platforms for user uploaded materials have […]

Press release

Synch has acted as legal advisor to Favro

05/01/2022

Synch has acted as legal advisor to Favro in its USD 4.25 million seed funding lead by Practica Capital and Scale capital with participation from Creandum, Inbox Capital, serial entrepreneur Christopher Beselin, and other strategic investors. Favro offers a collaborative planning platform that accelerates growth by bringing more business agility to the future of working-from-anywhere. […]

Blog Posts

Increased possibilities for Companies to enjoy tax relief when implementing qualified employee stock options  

09/12/2021

In the budget bill for 2022, the Swedish government proposes amendments to the regulations on taxation of employee stock options. The proposal eases the fiscal burden for some young businesses which means that more companies can take advantage of the benefits with tax exempt qualified employee stock options. The new rules are proposed to enter into force on 1 January 2022.   As of today, employee stock options have not been taxed as income of employment if certain requirements of the issuing company, and […]

Blog Posts

Blockchain and the law – an introduction 

09/12/2021

More and more people are familiar with the term “blockchain” however not everyone would claim that they get it or be sure what it is supposed to be used for. Blockchain – this amazing and somewhat mystical invention – is generating a gigantic measure of interest in the innovation field among both startups, cryptocurrency enthusiasts, governments, the security industry, the art field and more. It is anticipated to […]

Blog Posts

Are you aware of the new Whistleblower Protection Act? Let Synch help you with WeSynch Whistle!

09/12/2021

Do you remember the GDPR-stress back in 2018? Make sure to be ready this time!  The Directive (EU) 2019/1937 of the European Parliament and the Council on the 23rd of October 2019 (the “Whistleblowing Directive”) lays down the regulatory requirements for the Member States concerning the protection of whistleblowers.  In the light of the Whistleblower Directive, the Swedish Government presented a proposition on the 20th of May 2021 for the implementation […]

Press release

Synch advised All Ears in their latest funding

07/12/2021

Synch acted as legal advisor to All Ears AB in connection with their latest funding round where they raised 50 MSEK. Bonnier Ventures acted as lead investor and also Alfvén & Didrikson participated.. All Ears monitors the new spoken media through media monitoring and social listening services such as TV, radio, podcasts, YouTube and other […]

Press release

Synch assists when a leading IAM player is created

26/11/2021

Synch has assisted SecMaker and its owners in connection with the merger with Pointsharp. The merger creates a leading software provider in identity and access management. Pointsharp, with the support of Main Capital, is on a growth journey to become a leading European supplier in identity and access management. The acquisition of SecMaker is the […]