EDPB going broad on pseudonymisation

If A pseudonymises personal data of person Z and sends it to B, is it personal data from B’s perspective, even if B is never allowed to get additional information [=AddInfo] allowing the identification of Z? The EDPB suggests “yes” in its latest guidance on pseudonymisation.

Based on the definition of pseudonymisation under the GDPR, for personal data [=PD] to be pseudonymous, it must be treated in such a way that attribution of the information to a specific data subject [=DS] is no longer possible without the use of separate AddInfo – so it must be possible in theory to link that information and the AddInfo.

Per the EDPB in para. 22 of its guidance: “If pseudonymised data and [AddInfo] could be combined having regard to the means reasonably likely to be used by the controller or by another person, then the pseudonymised data is personal. Even if all [AddInfo] retained by the pseudonymising controller has been erased, the pseudonymised data becomes anonymous only if the conditions for anonymity are met”.

Not quite. The Breyer, Scania and IAB Europe judgments of the CJEU clearly point out that there needs to be a link between the party holding such AddInfo and the controller. It’s not just any random third party.

Para. 60: “For pseudonymisation to be an effective security measure, […] the controller needs to design the pseudonymisation procedure in such a way that [AddInfo] is required for attribution that goes beyond what the selected actors possess or could obtain with reasonable effort.”

Wait – if the AddInfo is something that the actors *could not obtain with reasonable effort*, then why is it even personal data from those actors’ perspective? See Recital 26 of the GDPR + CJEU case law.

Para. 77: “Art. 11 GDPR recognises that the controller may be able to demonstrate that it is not in a position to identify the data subject, including in pseudonymised data it holds. This may be the case if the controller does not have (or no longer has) access to [AddInfo] allowing attribution, is demonstrably unable to lawfully obtain such information and is demonstrably unable to reverse the pseudonymisation with the assistance of another controller.”

That’s not entirely true. Art. 11(1) GDPR actually says this:

“If the purposes for which a controller processes [PD] do not or do no longer require the identification of a [DS] by the controller, the controller shall not be obliged to maintain, acquire or process [AddInfo] in order to identify the [DS] for the sole purpose of complying with this Regulation.”

So this is ONLY applicable if the controller processes PD of an *identified* DS to start with and the DS then ceases to be identified. The reference to acquiring AddInfo shows that the “identifiable” condition still applies – so Recital 26 + Breyer apply.

Pseudonymisation is useful & important, but A’s pseudonymous data can be anonymous data for B. Just document it carefully!

Link to guidance: Guidelines 01/2025 on Pseudonymisation | European Data Protection Board