Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Pseudonymisation under Article 4(5) GDPR is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information — provided that such additional information is kept separately.
What is pseudonymisation?
Important: pseudonymised data remain personal data — the GDPR continues to apply. Anonymisation, by contrast, renders data non-personal (the GDPR no longer applies), but requires irreversibility.
EDPB Guidelines 01/2025 on pseudonymisation give concrete recommendations on hashing, encryption, and token-based pseudonymisation. A central recommendation is to keep the additional information needed for re-identification (keys, lookup tables) separate from the pseudonymised data.
Practical examples
- Employee personnel number instead of names in performance reports
- Hash-based cookie tracking instead of direct email mapping
- Test database with Faker tools instead of live data
- Token-based patient IDs in research databases
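The following is an added illustration, not code from the article or the EDPB guidelines, of the two pseudonymisation techniques the list above refers to: a keyed hash (HMAC-SHA256) whose key is held separately from the data, and a token vault whose identifier-to-token mapping is the separately kept "additional information". The email address, key handling and class names are constructed for the example; an unkeyed hash is shown only to contrast it with the keyed form.

```python
import hashlib
import hmac
import secrets

# Constructed sample direct identifier (not real data).
SAMPLE_EMAIL = "alice@example.org"


def unkeyed_hash(identifier):
    """Plain SHA-256 of the identifier. Deterministic and recomputable by
    anyone who holds a candidate value, so it is a weak pseudonym on its own."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 pseudonym. The key is the 'additional information' and is
    stored apart from the pseudonymised data set."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Token-based pseudonymisation: random tokens, with the identifier<->token
    mapping held in a separate store that the data set itself does not contain."""

    def __init__(self):
        self._to_token = {}
        self._to_identifier = {}

    def tokenise(self, identifier):
        # Reuse the existing token so the same person gets a consistent pseudonym.
        if identifier not in self._to_token:
            token = secrets.token_hex(16)
            self._to_token[identifier] = token
            self._to_identifier[token] = identifier
        return self._to_token[identifier]

    def reidentify(self, token):
        # Only a holder of the vault can reverse the pseudonymisation.
        return self._to_identifier.get(token)


def key_is_required(identifier, key):
    """Check that the pseudonym cannot be reproduced with a different key:
    holding the data alone does not let one re-link a candidate identifier."""
    expected = keyed_pseudonym(identifier, key)
    other_key = secrets.token_bytes(32)
    return not hmac.compare_digest(expected, keyed_pseudonym(identifier, other_key))
```

The separation requirement in Article 4(5) is met only if the HMAC key or the vault lives outside the pseudonymised data set, for example in a key management service or a separately access-controlled database.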
Frequently asked questions
Pseudonymisation = anonymisation?
No. Pseudonymisation is reversible (with a key), anonymisation must be irreversible. The EDPB scrutinises anonymisation claims strictly.
Is pseudonymisation sufficient as a TOM under Article 32?
Pseudonymisation is explicitly named as a protective measure (Article 32(1)(a)). However, it is not sufficient for particularly sensitive processing; additional encryption is recommended.
When is pseudonymisation mandatory?
Implicitly for high-risk processing (Article 35, DPIA obligation) and for research (Article 89). Supervisory authorities recommend it by default in test environments.