ANONYMISATION AND PSEUDONYMISATION OF PERSONAL DATA

This blog post is written by Erik Myrberg, lawyer at Synch

Recital 26 of the GDPR clarifies that the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is no longer identifiable. Yet, the same recital states that personal data which have undergone pseudonymisation and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. This has led to confusion among some regarding the difference between anonymisation and pseudonymisation.

According to WP29 (an advisory body now replaced by the EDPB) anonymised data is data which previously referred to an identifiable person, but where identification is no longer possible due to the anonymisation. Therefore, anonymisation must prevent any party from singling out an individual otherwise the data is not deemed to be anonymised and thus falls within the definition of personal data according to the GDPR. A common misconception in regard to anonymisation is that handing over data sets with personal data masked or removed would not constitute processing of personal data. This may only be true if the original data sets are either deleted or permanently altered in the same way (and under the circumstances that all personal data is masked or removed from the data sets in such manner that restoration is impossible). In addition, one must also ensure that the data sets cannot be used in combination with other data to identify a natural person, since otherwise the data sets would be considered to contain personal data.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. According to the GDPR, pseudonymisation can be utilized to enhance the level of security connected with processing personal data. It is worth to keep in mind that pseudonymisation does not result in personal data being anonymized nor losing its status as personal data in accordance with the GDPR.
There are today several different techniques available for both anonymisation and pseudonymisation and the matter of encryption is subject to intense research. It is unfortunately not possible to give any general advice on which technique to use and when, as this needs to be determined on a case-by-case-basis. What can be said is that prior to conducting anonymisation or pseudonymisation, it is recommended to consult with a security expert in order to ensure that the desired result is obtained and to avoid any misunderstandings.
On a final note, both the act of anonymisation and pseudonymisation of personal data are still considered to be processing activities under the GDPR, which necessitates considerations of inter alia the lawfulness of such processing and how to comply with retention times obligated by law. If you have any questions or concerns regarding anonymisation or pseudonymisation, please do not hesitate to contact us.

News and Insights
Press release

Synch – Intergiro

5 hours ago

Synch has delivered a contract management solution over its digital platform WeSynch to Intergiro Intl AB (publ), a Fintech which is redesigning corporate banking from zero. Intergiro offers a digital alternative to the hassle and stress of opening a bank account, built for the 2.5 million businesses born each year in Europe. Its mission is to […]

Press release

Synch has acted as legal advisor to Lingio AB

20/03/2020

Synch has acted as legal advisor to Lingio AB when the company raises capital in its first financing round amounting to SEK 17 million. Almi Invest acted as lead investor in the round where Add Value and Austrian venture fund Calm/Storm Ventures participated together with renowned angel investors. Lingio has been developed to tackle the […]

Blog Posts

Covid-19; kan force majeure tillämpas?

13/03/2020

This blog post is written by Anders Hellström and Josefin Skyttedal, lawyers at Synch Med anledning av den snabba spridningen av Coronaviruset, är det många som undrar över hur virusets spridning kan påverka deras affärsverksamhet. Särskilt kan detta gälla om effekterna av viruset medför eller utgör hinder mot att uppfylla avtal. Möjligheten att uppfylla åtaganden […]

Press release

Synch has acted as legal advisor to Mavenoid AB

06/03/2020

Synch has acted as legal advisor to Mavenoid AB in its recent A round investment of $8 million. New investor Mosaic Ventures together with existing investors Creandum and Point Nine Capital acted as lead investors. Shahan Lilja, Founder and CEO of Mavenoid comments on the transaction and assistance by Synch: ”Synch understands the nuances of […]

Press release

Mathilda Nordmark and Sara Sparring received excellent feedback in the World Trademark Review

25/02/2020

Congratulations to Sara Sparring, Mathilda Nordmark and the Trademark-team for the excellent feedback from trademark specialist on the market. The WTR 1000 is the only guide exclusively dedicated to identifying the world’s leading trademark legal services providers. In WTR 1000 2020 Synch is highlighted as: “If you’re looking for a modern and technology-focused firm, Synch […]

Blog Posts

The Consumer’s Right of Withdrawal

14/02/2020

This blog post was written by Veronica Uddsten, lawyer at Synch Businesses compete not only with their goods and services but also with their sales terms. By giving customers e.g. the possibility to return products if not satisfied, companies may become more attractive. In this blog post in our series on consumer protection, we will examine […]