Pseudonymization of data
2. July 2021

Do you know how to pseudonymize customer data?

When data is pseudonymized, the risk of misuse is lower and the law allows for broader use.  The strict requirements of the GDPR are then only applicable to a limited extent. For example, you may use pseudonymized data for analyses, customer or employee surveys or tracking your website visitors.

How to pseudonymize data – and how to use pseudonymized data

In everyday business, data is processed and required at many points.  For most processes, so-called personal data is an indispensable component. The data protection requirements resulting from the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG for short) have to be observed in every case. 

One step towards improving data protection in an organization is the anonymization and pseudonymization of data.

What does pseudonymization or anonymization of data mean?

According to the GDPR, personal data are characterized by the fact that they allow an inference to an identified or identifiable natural person. Pseudonymization prevents this inference: The data no longer refer to a specific natural person.

In this context, it is irrelevant how the inference is possible in the first place, be it through the name, the address, or any other information that can be assigned to a natural person. Possible inferences may be drawn from:

  • physical,
  • physiological,
  • genetic,
  • psychological,
  • cultural,
  • economic or
  • social features.

While the GDPR itself does not explicitly state what is meant by the term anonymization, the Federal Data Protection Act provides a precise definition:

§ 3 para. (6) BDSG defines anonymization as “the alteration of personal data in such a way that the individual information about personal or factual circumstances can no longer be attributed to a specific or identifiable natural person, or can only be attributed to a specific or identifiable natural person with a disproportionate amount of time, cost and effort.”

In contrast, § 3 para. (6a) BDSG defines pseudonymization as “the replacement of the name and other identifying characteristics by a mark for the purpose of excluding or significantly complicating the identification of the data subject.” 

The definition is underpinned by Art. 4 para. (5) of the GDPR. There, pseudonymization is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

The main difference between the two measures is that anonymization is irreversible. Pseudonymization, on the other hand, is reversible. Thus, the personal reference can be restored using suitable techniques.

Examples of data anonymization and pseudonymization

What sounds merely theoretical is highly relevant in the practical implementation to ensure compliance with data protection requirements. 

Examples from practice include:

  • complete deletion of names and addresses for orders or purchases 
  • replacement of names and addresses with key figures that can be assigned using a separate key
  • assignment of a personnel number to employees in the company system
  • assignment of a matriculation number to students in the university system
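
The second practice above, replacing names and addresses with key figures that can only be assigned using a separate key, shown as an added Python example that is not part of the original article. The field names, the sample orders and the choice of HMAC-SHA256 for deriving the key figure are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

IDENTIFYING_FIELDS = ("name", "address")  # assumed direct identifiers

def pseudonymize(records, secret_key):
    """Return (working_set, key_table).

    working_set carries only a pseudonym plus non-identifying fields.
    key_table is the "additional information" that must be stored
    separately and under stricter access control.
    """
    working_set, key_table = [], {}
    for rec in records:
        identity = {f: rec[f] for f in IDENTIFYING_FIELDS}
        material = "\x1f".join(identity[f].strip().lower() for f in IDENTIFYING_FIELDS)
        # Keyed hash: without secret_key nobody can recompute a pseudonym by
        # hashing candidate names, which a plain unsalted hash would allow.
        digest = hmac.new(secret_key, material.encode("utf-8"), hashlib.sha256)
        pid = digest.hexdigest()[:16]  # shortened for readability
        key_table[pid] = identity
        rest = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        working_set.append({"pid": pid, **rest})
    return working_set, key_table

def reidentify(row, key_table):
    """Restore the personal reference; only possible with the key table."""
    rest = {k: v for k, v in row.items() if k != "pid"}
    return {**key_table[row["pid"]], **rest}

def revenue_per_customer(working_set):
    """Example analysis that works on pseudonyms alone."""
    totals = {}
    for row in working_set:
        totals[row["pid"]] = round(totals.get(row["pid"], 0.0) + row["total"], 2)
    return totals

# Constructed sample data, not real customers.
SAMPLE_ORDERS = [
    {"name": "Erika Mustermann", "address": "Musterweg 1, Berlin", "item": "book", "total": 24.90},
    {"name": "Max Beispiel", "address": "Hauptstr. 5, Hamburg", "item": "lamp", "total": 59.00},
    {"name": "Erika Mustermann", "address": "Musterweg 1, Berlin", "item": "pen", "total": 3.50},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep apart from the working set
    ws, table = pseudonymize(SAMPLE_ORDERS, key)
    print(revenue_per_customer(ws))
    print(reidentify(ws[0], table))
```

The same customer always receives the same key figure, so statistics per customer remain possible, while the personal reference can be restored only by someone holding the key table.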

Is the GDPR applicable despite pseudonymization and anonymization?

Whether the GDPR is still relevant despite pseudonymization and anonymization is often questioned. The possibility is also raised that the provisions of the GDPR can be waived as long as the personal data are sufficiently anonymized or pseudonymized.

However, it is true that anonymization and pseudonymization themselves already constitute data processing within the meaning of the GDPR. Admittedly, both measures serve data protection itself. Nevertheless, all activities that provide for the use of data are to be understood as data processing. Consequently, there must also be a legal basis for these measures. However, a legal basis can usually be assumed by citing one of the reasons from Art. 6 of the GDPR.

Important to know: If the personal data has been subjected to processing in such a way that it can be classified as pseudonymized or anonymized, it no longer falls within the scope of protection of the GDPR. The following applies: Only those data that allow a concrete personal reference are covered by the GDPR.

Challenges and opportunities around data anonymization and pseudonymization

Whenever compliance issues are involved, pseudonymization or anonymization of data is a good way to minimize data protection risks for the company. Of course, this presupposes that the measures themselves are carried out in compliance with the law. Here, the comments already made above about data processing apply without restriction. 

Companies must also be aware that pseudonymization or anonymization of personal data is only conducive to compliance if it is not used as a substitute measure, but as an accompanying measure in addition to all other data protection measures that are mandatory for the company as part of compliance. 

Pseudonymization of data also offers other advantages for companies. These include, for example:

  • support in the implementation of data protection obligations
  • reduction of the technical-organizational need for protection
  • simplified balancing of interests according to art. 6 para. (1) lit. f of the GDPR

What is the value of data after pseudonymization or anonymization?

For companies, dealing with personal data is usually unavoidable. Frequently, the data even has a measurable value in relation to the company’s own marketing. This raises the question for decision-makers and those responsible as to what extent pseudonymized or anonymized data can provide any added value at all if it cannot be used in a targeted manner.

In fact, the stigma attached to the pseudonymization of data is completely unjustified. Even pseudonymized or anonymized data can be used in a compliant manner within a company – for example, for analyses and statistics that provide useful value even without a concrete reference to a natural person.

Incidentally, the improved data protection and the associated privileges themselves can also be regarded as direct added value. For example, the greater the degree of pseudonymization, the more weight the company’s interests carry in the balancing of interests under the GDPR.
