European Data Protection Board: Guidelines 1/2025 on pseudonymisation published, in public consultation until 28 February 2025.

The European Data Protection Board (EDPB) has published Guidelines 01/2025 on pseudonymisation for public consultation.

Reiterating the definition of "pseudonymization" contained in Article 4 of the GDPR, the EDPB recalled that pseudonymization can be partially or completely reversed, making the data referring to the natural person again identifiable (and therefore "personal"). This can be done by association, by linking the pseudonymized data to the original data or by tracing back to the original identification data through the use of additional information held by the controller for this purpose.

In addition, Guidelines 1/2025 highlight, among other things, that:

• pseudonymization can help to meet data protection requirements, such as data protection by design and by default, security and additional measures for international transfers of personal data.
• in the case of disclosure to third parties, the controller must assess whether the risk reduction achieved by pseudonymisation for internal processing still exists;
• the data controller must inform data subjects about pseudonymisation processes involving their personal data and how such data can be used to identify them;
• any breach of security that leads to some sort of reverse engineering of the data and re-identification constitutes a breach of personal data (data breach).

Regarding the technical measures and safeguards for pseudonymization, the EDPB pointed out that to implement pseudonymization, controllers should:

• determine the objectives they intend to achieve with this measure, to define the domain of pseudonymization;
• decide what data should be processed; and
• determine certain information, such as which attributes will be pseudonymized, the pseudonymization method to be used, and who will execute and store it.

It will be possible to participate in the public consultation until 28 February 2025.