When do anonymized and pseudonymized data qualify as personal data?
The General Data Protection Regulation (EU) 2016/679 (GDPR) has the concept of “personal data” as its central point of reference. If the data does not constitute personal data, the GDPR does not apply.
What is personal data?
Personal data: any information relating to an identified or identifiable natural person (“data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What if the identifier is missing?
Then the GDPR no longer applies. How can an identifier be missing?
For example, through “pseudonymization”: the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without the use of additional data, provided that this additional data is kept separately and technical and organizational measures are taken to ensure that the personal data is not linked to an identified or identifiable natural person.
The EU Court ruled on this in its judgment EDPS/GAR (T-557/20) on April 26, 2023. For the sake of completeness, it should be noted that this concerns Regulation (EU) 2018/1725, the “EU GDPR.” The definitions of personal data and pseudonymization are identical to those in the GDPR.
What is important?
What matters is that the controller had provided pseudonymized data to a processor. The processor was unable to link this data to a natural person. The European Data Protection Supervisor (EDPS) was of the opinion that the pseudonymized data was identifiable, because the GAR was able to link it to natural persons, even though the processor was not.
The EDPS took the position that, since the data could be traced back to natural persons at the controller’s end, there was no need to investigate whether this was also the case at the processor’s end.
However, the EU Court ruled that in order to determine whether personal data is involved, it must also be examined whether the processor could trace the data back to natural persons.
What needs to be taken into account?
In order to determine whether a natural person is identifiable, all means that can reasonably be expected to be used by the controller or by another person to identify the natural person directly or indirectly, such as singling out, must be taken into account. In order to determine whether it is reasonable to expect that means will be used to identify the natural person, all objective factors must be taken into account, such as the costs and time required for identification, taking into account the technology available at the time of processing and technological developments.
The Court has pointed out that this would not have been the case if the identification of the data subject had been prohibited by law or impracticable in practice, for example because it would have required an excessive effort in terms of time, cost, and manpower, so that the risk of identification would have appeared negligible in reality (judgment of October 19, 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 46).
In other words
If personal data has been effectively pseudonymized and the processor who received the personal data can no longer identify the data subject, it ceases to be personal data for the purposes of that processing.