Anonymisation and pseudonymisation
Anonymisation and pseudonymisation are two concepts which are sometimes confused. Anonymous information is a data set which does not relate to an identified or identifiable natural person (Recital 26 of the GDPR), whereas pseudonymised information is a set of data that can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Article 4.5).
Turning a set of personal data into anonymous or pseudonymised information requires the processing of personal data. Anonymisation processing results in a new and unique data set, while pseudonymisation processing results in two new data sets: the pseudonymised information and the additional information which makes it possible to reverse the anonymisation.
Anonymised data sets do not come under the scope of the General Data Protection Regulation (GDPR) (Recital 26), although they may come under the scope of other regulations (e.g., national security, public health, critical infrastructure, etc.). In this case, it is necessary to bear in mind that:
- The processing activity that produces anonymised data is a processing of personal data, which can be considered to be compatible with the original purposes of processing from which the data are obtained (Opinion 05/2014 on anonymisation techniques WP246 paragraph 2.2.1. Lawfulness of the Anonymisation Process).
- The anonymised data set is outside the scope of the GDPR only if it is possible to objectively demonstrate that there is no material ability to associate the anonymised data with a certain natural person, directly or indirectly, whether through the use of other data sets, information, or technical and material measures which may be available to third parties.
In other words, data are considered to be anonymised to the extent that there is no reasonable likelihood that any person may identify the natural person in the data set. Said assessment must take into account the costs of and the amount of time required for re-identification or the technological resources necessary to reverse the anonymisation, taking into consideration both the available technology and technological developments (Recital 26).
Pseudonymised data sets, and the additional information linked to such data set, do fall under the scope of the GDPR, along with the processing that produces them. Hence, a pseudonymised data set is protected by four types of safeguards: firstly, the pseudonymisation processing itself, which should prevent re-identification without the additional information; secondly, the principles and safeguards of the GDPR, which establish restrictions, among other things, regarding the purposes, retention period and disclosure of pseudonymised data; thirdly, the further safeguards included in the processing of pseudonymised data according to the risk to the rights and freedoms of natural persons; and fourthly, deriving from the preceding, the technical and organisational safeguards put in place to prevent personal data breaches from occurring, covering both the pseudonymised set and the additional information.
In contrast, from the perspective of the GDPR, only one type of safeguard applies to an anonymised data set: the robustness of the anonymisation process against possible re-identification. Once the data set is anonymised, there is no longer any obligation to implement the other three types of safeguards, at least from the perspective of data protection regulations.
However, safeguards which may derive from other regulations shall continue to apply (see paragraph 2.2.3 of Opinion 5/2014), and restrictions on processing may be established (for example, by means of conditions included in licenses for use of the anonymised information).
The rights and freedoms of data subjects must be equally protected in both anonymisation processing and pseudonymisation processes. Taking into account that for the anonymised data set, it will not be necessary to comply with the requirements established by the GDPR with regard to restriction of processing, data retention, disclosure and international transfers, or measures to protect confidentiality, the anonymisation processing must be designed and validated considering the protection of the rights indicated above. This requires being able to demonstrate an objective level of quality in anonymisation processing and makes it advisable to determine how the risk of re-identification will change over time.
In any event, if the anonymisation is reversed, the GDPR fully applies to the obligated parties that process the personal data.
Additional materials on anonymisation are available on the Innovation and Technology microsite on the AEPD website, including: