European Data Protection Board: New guidelines on pseudonymization
Pseudonymization should guarantee data protection. A new guideline from European data protection experts shows exactly how this can be implemented.
(Image: BABAROGA/Shutterstock.com)
The European Data Protection Board (EDPB) adopted new guidelines on pseudonymization at its plenary meeting on 16 January. In it, the EDPB explains the definition of pseudonymization and pseudonymized data and how they can be applied. The EDPB is the umbrella organization of the national European data protection authorities and the European Data Protection Supervisor.
Background: The General Data Protection Regulation (GDPR) mentions pseudonymization as a possible measure to ensure data protection. For pseudonymization, existing data is changed – so that names and other identifying details can be replaced by pseudonyms. This protects privacy while the data can still be analyzed or used.
Pseudonymization can also be reversed: for example, a table is created with the real data and the associated pseudonyms – This table is then used as additional information to determine the identity of a person. Those responsible in companies and authorities therefore generally protect this table in particular and control access to it.
Videos by heise
The guideline
According to the EDPB, the guidelines contain two important legal clarifications:
- Pseudonymized data is still personal data. This is because the data can be assigned to an identifiable natural person with additional information.
- Pseudonymization can reduce risks and facilitate the use of legitimate interests as a legal basis if all other requirements of the GDPR are met. In addition, pseudonymization can help to ensure compatibility with the original purpose.
The guidelines also show how pseudonymization can help organizations to implement certain requirements of the GDPR. In addition, the guidelines analyze technical measures and safeguards to ensure that individuals cannot be identified by unauthorized individuals. An appendix provides examples of the use and benefits of pseudonymization.
Approval from Berlin
The Berlin Commissioner for Data Protection and Freedom of Information, Meike Kamp, welcomes the EDPB's guidelines on pseudonymization. This comes as little surprise, as Kamp played a leading role in the development of the guidelines.
"Pseudonymization offers an effective way of preserving the confidentiality of personal data," says Kamp. "At the same time, it enables further processing of data that would otherwise not be allowed due to the risks involved. In times of digitalization, effective pseudonymization can help to minimize the risks of data processing and strengthen people's trust in the protection of their data. I am therefore very pleased that the European Data Protection Board has now issued guidelines on the application of this important technical and organizational measure. I hope that this will provide more legal certainty for companies and other organizations that rely on pseudonymization."
The guidelines can be downloaded from the EDPB website. Interested parties can still comment on them publicly until February 28.
(str)
