ANONYMISATION AND PSEUDONYMISATION OF PERSONAL DATA

This blog post is written by Erik Myrberg, lawyer at Synch

Recital 26 of the GDPR clarifies that the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is no longer identifiable. Yet, the same recital states that personal data which have undergone pseudonymisation and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. This has led to confusion among some regarding the difference between anonymisation and pseudonymisation.

According to WP29 (an advisory body now replaced by the EDPB) anonymised data is data which previously referred to an identifiable person, but where identification is no longer possible due to the anonymisation. Therefore, anonymisation must prevent any party from singling out an individual otherwise the data is not deemed to be anonymised and thus falls within the definition of personal data according to the GDPR. A common misconception in regard to anonymisation is that handing over data sets with personal data masked or removed would not constitute processing of personal data. This may only be true if the original data sets are either deleted or permanently altered in the same way (and under the circumstances that all personal data is masked or removed from the data sets in such manner that restoration is impossible). In addition, one must also ensure that the data sets cannot be used in combination with other data to identify a natural person, since otherwise the data sets would be considered to contain personal data.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. According to the GDPR, pseudonymisation can be utilized to enhance the level of security connected with processing personal data. It is worth to keep in mind that pseudonymisation does not result in personal data being anonymized nor losing its status as personal data in accordance with the GDPR.
There are today several different techniques available for both anonymisation and pseudonymisation and the matter of encryption is subject to intense research. It is unfortunately not possible to give any general advice on which technique to use and when, as this needs to be determined on a case-by-case-basis. What can be said is that prior to conducting anonymisation or pseudonymisation, it is recommended to consult with a security expert in order to ensure that the desired result is obtained and to avoid any misunderstandings.
On a final note, both the act of anonymisation and pseudonymisation of personal data are still considered to be processing activities under the GDPR, which necessitates considerations of inter alia the lawfulness of such processing and how to comply with retention times obligated by law. If you have any questions or concerns regarding anonymisation or pseudonymisation, please do not hesitate to contact us.

Nyheter
Publikationer

Sara Sparring is recognized in the 2020 edition of Expert Guides: Women in Business Law

15/10/2020

Synch’s Sara Sparring is recognized in the 2020 edition of Expert Guides: Women in Business Law as one of the world’s leading female legal practioners advising on business law, within the practice area Trademark. The world’s legal market has been researched by Expert Guides for more than 25 years and thereby considered as one of the most […]

Pressmeddelanden

SYNCH HAR AGERAT LEGAL RÅDGIVARE TILL KEBNI AB (PUBL) I SAMBAND MED BOLAGETS BYTE AV NAMN OCH VARUMÄRKE FRÅN ASTG

15/09/2020

Synch har agerat legal rådgivare till KebNi AB (publ) i samband med bolagets byte av namn och varumärke från ASTG (Advanced Stabilized Technologies Group) till KebNi. Arbetet har inkluderat framtagande av varumärkesstrategi samt ändring av bolagsnamn. Synch har därutöver haft ett nära samarbete med namnbyrån Eqvarium AB. KebNi AB är verksamt inom satellitkommunikation och precisionströmsensorer och investerar i och […]

Pressmeddelanden

Synch har agerat legal rådgivare till Open Payments Europe AB i samband med bolagets nyligen genomförda finansiering

04/09/2020

Synch har agerat legal rådgivare till Open Payments Europe AB i samband med bolagets nyligen genomförda finansiering, med Industrifonden som huvudinvesterare, om 30 miljoner kronor. Även befintliga investerare, bland annat Brightly Ventures, Luminar Ventures och en rad ängelinvesterare, har deltagit i investeringen. Open Payments, som är ett fintech-bolag licensierade av Finansinspektionen, har byggt en öppen […]

Okategoriserad Pressmeddelanden

Synch assisterar KebNi vid listbyte till Nasdaq First North Growth Market

02/09/2020

Synch Advokat AB har biträtt KebNi AB (publ) (”KebNi” eller ”Bolaget”) vid dess listbyte från NGM  till First North. KebNi har erhållit godkännande för upptagande till handel på Nasdaq First North Growth Market med första dag för handel den 25 augusti 2020. KebNis aktie har innan listbytet handlats på NGM. KebNi AB är verksamt inom […]

Okategoriserad Pressmeddelanden

Synch är ny juridisk partner till Breed Ventures

27/08/2020

Vi har glädjen att meddela att Synch är ny juridisk partner till Breed Ventures, i dess strävan att alstra morgondagens entreprenörer och ledare. Breed Ventures grundades för att hjälpa ledande befattningshavare och startup-grundare med de utmaningar som de möter vid utvecklingen av nya verksamheter och främjandet av innovation. Breed Ventures är en supportorganisation som hjälper […]

News

SCHREMS II – AT A GLANCE

17/08/2020

Introduction and summary As you may have already seen, everybody seems to be talking about the “Schrems II” judgement – but what does the decision mean and what is the discussion about? In short, the judgement has the following effects for organisations transferring personal data to countries outside of the EU/EEA: · The EU – […]