The new EDPB guidelines on pseudonymization: a breakthrough for privacy by design


With the 01/2025 Guidelines, the European Data Protection Board (EDPB) has provided an in-depth analysis of pseudonymization, clarifying its benefits, regulatory requirements, and implementation methods as a technical and organizational measure under the General Data Protection Regulation (GDPR). The most significant aspect of the document is the pragmatic approach adopted by the EDPB, which does not consider pseudonymization a general obligation but rather a measure that, when correctly implemented, can be crucial in meeting various regulatory requirements, from data minimization to processing security.

The definition of pseudonymization and the regulatory framework

Article 4(5) of the GDPR defines pseudonymization as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."

With the adoption of the Guidelines, the EDPB has provided an in-depth interpretation of this definition, developing for the first time a comprehensive framework for the use of this data protection technique. The document fits within a regulatory context where pseudonymization, while not a general obligation, is repeatedly mentioned in the GDPR as an appropriate measure to comply with various data protection requirements.

Specifically, pseudonymization is cited in Recital 28 as a technique to reduce risks for data subjects, in Recital 29 as a security measure, in Article 6(4)(e) as an adequate safeguard in the context of compatibility assessments for further processing, in Article 25 as a technical and organizational measure for privacy by design and by default, in Article 32 as a security measure, and in Article 89 as an appropriate safeguard for processing data for archival purposes, scientific or historical research, and statistical purposes.

The EDPB Guidelines clarify that pseudonymization requires three fundamental actions:

  • the modification or transformation of personal data;
  • the separation of additional information necessary for identification;
  • the application of technical and organizational measures to ensure that the data cannot be attributed to data subjects.

A crucial point emphasized by the EDPB is that pseudonymized data remain personal data, even when the additional information is stored separately.

The significance of the "pseudonymisation domain"

A particularly significant aspect is the introduction of the concept of the "Pseudonymisation Domain," defined as the context in which pseudonymization must prevent data from being attributed to specific entities. This represents a conceptual evolution that grants the Data Controller broad discretion in defining the scope of pseudonymization. This scope can include a single organizational unit, a specific external recipient, or all legitimate recipients as defined by the regulations.

This flexibility allows for a risk-based, tailored implementation, moving beyond the "one-size-fits-all" approach that has sometimes characterized the interpretation of other security measures under the GDPR.

Pseudonymization as an integrative measure in the context of data protection

The Guidelines clearly emphasize that pseudonymization, while a valuable tool in the Data Controller’s compliance arsenal under the GDPR, should not be considered an isolated or self-sufficient solution. The EDPB highlights that this technique achieves its maximum effectiveness when implemented within a broader ecosystem of complementary measures, following an integrated approach to data protection.

A key principle outlined by the EDPB is that Data Controllers must assess the adequacy of all technical and organizational measures as a whole. This assessment must include a concrete evaluation of pseudonymization’s effectiveness in preventing unauthorized data attribution. The analysis should consider the specific processing context, available technologies, and the resources of potential unauthorized parties who may attempt to re-identify data subjects.

The document provides a detailed analysis of the role of pseudonymization in implementing various GDPR principles and requirements:

  • privacy by design and by default (Article 25 GDPR) – pseudonymization is identified as one of the technical and organizational measures that the Data Controller must adopt "both at the time of determining the means of processing and at the time of the processing itself." The EDPB differentiates between pseudonymization applied to internal processing and pseudonymization aimed at data transmission to external recipients, offering specific guidance for each scenario;
  • legitimate interest-based processing (Article 6(1)(f) GDPR) – the Guidelines clarify that risk reduction through pseudonymization can be a relevant factor in balancing interests. In particular, for sensitive data or data that could lead to significant discrimination, pseudonymization can tilt the balance in favor of the Data Controller’s legitimate interest over the data subject’s interests;
  • compatibility of further processing (Article 6(4) GDPR) – the EDPB confirms that pseudonymization is an "adequate safeguard" in evaluating the compatibility of further processing beyond the original purpose. A particularly interesting aspect is the analysis of cases where pseudonymization can enable the compatibility of statistical analysis or scientific research with initial commercial or administrative objectives;
  • transfers to third countries (Article 44 et seq. GDPR) – the Guidelines highlight pseudonymization as a supplementary measure for international data transfers, aligning with the 01/2020 Recommendations. The EDPB sets strict conditions for pseudonymization to be considered effective, including ensuring that the authorities in the third country do not have, nor can reasonably obtain, the additional information needed for re-identification.

A particularly crucial element is the interaction between pseudonymization and processing security under Article 32 GDPR. The Guidelines clarify that effective pseudonymization can mitigate the severity of data breaches, potentially reducing notification obligations under Articles 33 and 34 GDPR. However, the EDPB stresses that such an evaluation must be based on a thorough analysis of the actual robustness of the pseudonymization techniques implemented.

Practical recommendations for implementing pseudonymization

In light of the EDPB Guidelines, it is advisable to establish a systematic approach to implementing pseudonymization, taking into account both technical and organizational aspects. A structured strategy should begin with the preparation of a programmatic document that clearly defines the specific objectives of pseudonymization within the processing context. This document should also establish the "Pseudonymisation Domain," identifying the entities (whether individuals, organizational units, or external recipients) that must not be able to re-identify the pseudonymized data. Additionally, it should include a comprehensive mapping of information flows related to both pseudonymized data and additional identifying information, governance procedures for authorizing, executing, and documenting de-pseudonymization when necessary, as well as criteria for periodically reviewing the strategy.

The EDPB distinguishes between different pseudonymization techniques, particularly cryptographic algorithms and lookup tables. It recommends the use of one-way cryptographic functions, such as HMAC or other message authentication codes (MACs), over reversible encryption algorithms, as they provide stronger resistance to re-identification attempts, even in cases of key compromise. Therefore, data controllers should carefully select robust cryptographic algorithms, implement secure key management procedures, and establish mechanisms for periodically renewing cryptographic parameters. In cases where lookup tables are used, they should be physically and logically segregated, access to them should be strictly controlled, advanced logging systems should be deployed to track every access attempt, and, where appropriate, tables should be fragmented across different systems. It is also crucial to document the comparative assessment that led to the selection of a specific technique over another, ensuring that the decision aligns with the processing risk assessment.
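The following Python sketch is an added example, not code from the EDPB Guidelines or from this article. It contrasts an unkeyed hash with HMAC-SHA256 pseudonyms whose key is derived per pseudonymisation domain; the class name, the domain labels, the key-version scheme and the sample identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample identifiers, not real data.
CANDIDATES = ["alice@example.org", "bob@example.org", "carol@example.org"]


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256: anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


class HmacPseudonymizer:
    """Keyed one-way pseudonyms; the secret is the 'additional information'."""

    def __init__(self, master_secret: bytes, key_version: int = 1):
        # Assumption: the secret comes from a CSPRNG (secrets.token_bytes(32))
        # and is stored apart from the pseudonymized dataset.
        if len(master_secret) < 32:
            raise ValueError("use at least 32 random bytes")
        self._secret = master_secret
        self.key_version = key_version

    def _domain_key(self, domain: str) -> bytes:
        # One derived key per pseudonymisation domain and key version, so
        # recipients in different domains cannot join datasets on the
        # pseudonym, and a renewed version yields fresh pseudonyms.
        label = f"pseudonym|v{self.key_version}|{domain}".encode()
        return hmac.new(self._secret, label, hashlib.sha256).digest()

    def pseudonym(self, identifier: str, domain: str) -> str:
        msg = identifier.strip().lower().encode()
        tag = hmac.new(self._domain_key(domain), msg, hashlib.sha256).hexdigest()
        return f"v{self.key_version}:{tag}"


def reidentification_test(target: str, candidates, transform):
    """Robustness check: does recomputing over known candidates hit target?"""
    for candidate in candidates:
        if hmac.compare_digest(transform(candidate), target):
            return candidate
    return None
```

Running `reidentification_test` against `unkeyed_pseudonym` recovers the identifier from the candidate list, while the same test against an HMAC pseudonym fails for anyone who does not hold the secret.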

A particularly significant aspect highlighted by the Guidelines is the need to properly manage quasi-identifiers, which, while not direct identifiers, could enable re-identification when used individually or in combination. To address this risk, data controllers should conduct a systematic analysis of datasets, classifying attributes based on their potential for identification and performing a quantitative assessment of re-identification risks. Based on this analysis, appropriate techniques such as generalization, suppression, or randomization should be implemented, documenting the rationale behind the chosen mitigation strategies.
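As an added illustration (not taken from the Guidelines or from this article), the Python sketch below quantifies re-identification risk from quasi-identifiers by counting how many records share each combination of values, then re-measures after generalization and suppression. The choice of equivalence-class size (k-anonymity) as the metric, the attribute names, the generalization rules and the records are assumptions constructed for the example.

```python
from collections import Counter

# Constructed records: (pseudonym, age, postcode, diagnosis). Not real data.
RECORDS = [
    ("p1", 34, "10115", "asthma"),
    ("p2", 36, "10117", "diabetes"),
    ("p3", 38, "10119", "asthma"),
    ("p4", 52, "20095", "flu"),
    ("p5", 57, "20099", "asthma"),
    ("p6", 81, "80331", "diabetes"),
]


def raw_qi(rec):
    """Quasi-identifier tuple as stored: fields 1 and 2 of the record."""
    return (rec[1], rec[2])


def generalized_qi(rec):
    """Generalization: 10-year age band, postcode cut to two digits."""
    decade = rec[1] // 10 * 10
    return (f"{decade}-{decade + 9}", rec[2][:2] + "***")


def risk_report(records, qi):
    """Size of the smallest equivalence class (k) and share of unique rows."""
    classes = Counter(qi(r) for r in records)
    unique = sum(1 for r in records if classes[qi(r)] == 1)
    return {
        "k": min(classes.values()),
        "unique_fraction": unique / len(records),
        "classes": len(classes),
    }


def release(records, qi, k_min):
    """Suppression: drop rows whose class is smaller than k_min, and emit
    the generalized quasi-identifiers instead of the raw ones."""
    classes = Counter(qi(r) for r in records)
    return [(r[0], *qi(r), r[3]) for r in records if classes[qi(r)] >= k_min]
```

The report only measures singling out on the chosen attributes; it does not show whether the sensitive values inside one class are all the same.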

Another key consideration in the implementation of pseudonymization is the need to ensure transparency for data subjects and establish procedures for exercising their rights. Privacy notices should be updated to include dedicated sections explaining the purpose of pseudonymization, the categories of data affected, and the entities with access to pseudonymized data or additional identifying information. Additionally, documented procedures should be put in place to facilitate data subject rights, particularly in cases where the data subject is able to provide their pseudonym, requires assistance in identifying it, or where Article 11 of the GDPR applies, limiting certain rights.

The robustness of pseudonymization measures should also be subject to regular review. A program of periodic testing should be implemented to assess the effectiveness of pseudonymization techniques, including penetration tests to evaluate resistance to re-identification, simulations of attacks using publicly available information, and assessments of effectiveness in data breach scenarios, with all results recorded in a structured reporting system. The Guidelines also emphasize that unauthorized reversal of pseudonymization constitutes a data breach that may require notification to supervisory authorities and communication to data subjects. As a result, it is essential to update data breach management procedures by including specific criteria for assessing the severity of breaches involving pseudonymized data, implementing accelerated response protocols in cases of compromised pseudonymization secrets, and preparing specific notification templates for incidents related to pseudonymized data. It is also advisable to conduct regular training exercises simulating breach scenarios, particularly those involving unauthorized re-identification, the compromise of additional information, and linkage attacks using data from different sources.

By integrating these elements into a data protection management system, data controllers can maximize the effectiveness of pseudonymization as a security measure while ensuring full compliance with the EDPB’s recommendations.

Conclusions

The EDPB 1/2025 Guidelines represent a significant contribution to the evolving interpretation of pseudonymization, filling an interpretative gap that, since the GDPR’s entry into force, had left Data Controllers without clear reference points. This document provides practical support for professionals, offering operational guidance to implement this essential security measure and navigate the regulatory complexities of the sector.

The EDPB’s pragmatic approach is particularly noteworthy, as it moves away from an abstract and rigid view of pseudonymization and embraces a contextualized and flexible perspective based on risk analysis. This approach allows Data Controllers to tailor their interventions according to the specific characteristics of their data processing activities, avoiding pre-packaged solutions that may not only be ineffective but also disproportionate to the intended objectives.

The introduction of the "Pseudonymisation Domain" is a particularly valuable innovation, as it enhances the role of the Data Controller in defining the scope of pseudonymization. This aligns with the principle of accountability, as it grants Data Controllers the discretion to determine which entities should be prevented from attributing pseudonymized data to individuals, while also maintaining responsibility for their decisions.

In light of these considerations, it is advisable for Data Controllers to critically review their existing pseudonymization practices, ensuring their alignment with the EDPB’s recommendations and implementing corrective measures if necessary. Particular attention should be given to documenting key evaluations, including the definition of the Pseudonymisation Domain, the chosen transformation techniques, and the measures in place to manage additional identifying information, as this documentation serves as the foundation of accountability.

Moreover, pseudonymization should be recognized as a versatile tool that can help fulfill multiple regulatory requirements, both as part of privacy by design and by default and as a security measure. This is particularly relevant for international data transfers, where pseudonymization—if implemented in accordance with the EDPB’s specific conditions—can serve as a supplementary measure to ensure a level of protection equivalent to that within the EU, helping to address the challenges raised by the Schrems II ruling.
