SPANISH SUPERVISORY AUTHORITY: Anonymisation and pseudonymisation

Turning a set of personal data into anonymous or pseudonymised information requires the processing of personal data. Anonymisation processing results in a single new data set, while pseudonymisation processing results in two new data sets: the pseudonymised information and the additional information which makes it possible to reverse the anonymisation.

Anonymised data sets do not come under the scope of the General Data Protection Regulation (GDPR) (Recital 26), although they may come under the scope of other regulations (e.g., national security, public health, critical infrastructure, etc.). In this case, it is necessary to bear in mind that:

  • The processing activity that produces anonymised data is a processing of personal data, which can be considered to be compatible with the original purposes of processing from which the data are obtained (Opinion 05/2014 on anonymisation techniques, paragraph 2.2.1. – Lawfulness of the Anonymisation Process).
  • The anonymised data set is outside the scope of the GDPR only if it is possible to objectively demonstrate that there is no material ability to associate the anonymised data with a certain natural person, directly or indirectly, whether through the use of other data sets, information, or technical and material measures which may be available to third parties.

In other words, data are considered to be anonymised to the extent that there is no reasonable likelihood that any person may identify the natural person in the data set. Said assessment must take into account the costs of and the amount of time required for re-identification or the technological resources necessary to reverse the anonymisation, taking into consideration both the available technology and technological developments (Recital 26).

Pseudonymised data sets, and the additional information linked to such data sets, do fall under the scope of the GDPR, along with the processing that produces them. Hence, a pseudonymised data set is protected by four types of safeguards: firstly, the pseudonymisation processing itself, which should prevent re-identification without the additional information; secondly, the principles and safeguards of the GDPR, which establish restrictions, among other things, regarding the purposes, retention period and disclosure of pseudonymised data; thirdly, the further safeguards included in the processing of pseudonymised data according to the risk to the rights and freedoms of natural persons; and fourthly, deriving from the preceding, the technical and organisational safeguards put in place to prevent personal data breaches from occurring, covering both the pseudonymised set and the additional information.

In contrast, from the perspective of the GDPR, only one type of safeguard applies to an anonymised data set: the robustness of the anonymisation process against possible re-identification. Once the data set is anonymised, there is no longer any obligation to implement the other three types of safeguards, at least from the perspective of data protection regulations.

However, safeguards which may derive from other regulations shall continue to apply (see paragraph 2.2.3 of Opinion 05/2014), and restrictions on processing may be established (for example, by means of conditions included in licences for use of the anonymised information).

The rights and freedoms of data subjects must be equally protected in both anonymisation and pseudonymisation processing. Taking into account that for the anonymised data set, it will not be necessary to comply with the requirements established by the GDPR with regard to restriction of processing, data retention, disclosure and international transfers, or measures to protect confidentiality, the anonymisation processing must be designed and validated considering the protection of the rights indicated above. This requires being able to demonstrate an objective level of quality in anonymisation processing and makes it advisable to determine how the risk of re-identification will change over time.

In any event, if the anonymisation is reversed, the GDPR fully applies to the obligated parties that process the personal data.

