The Italian Authority participated in the drafting of the document

Pseudonymized data are always personal data. This is stated in the Guidelines on pseudonymization adopted during the last plenary session of the European Data Protection Board (EDPB), in whose drafting the Data Protection Supervisor participated as co-rapporteur.

The Guidelines are now available for public consultation until February 28, after which they will be adopted in their final version.

According to the definition provided by the GDPR, pseudonymization is a measure that allows personal data not to be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational security measures.

The EDPB clarifies that pseudonymized data are always personal data, even if the information necessary to identify a person is kept separate. In fact, if the data can be traced back to natural persons by the data controller or others, they remain personal data and are therefore subject to the obligations dictated by the GDPR.

The guidelines also indicate the scope and advantages of pseudonymization: it is a measure of risk reduction and effective application of the principles of data protection according to the paradigm of privacy by design.

The Board document also examines the technical measures and safeguards, in the use of pseudonymization, to ensure the confidentiality of information and avoid unauthorized identification of data subjects. Pseudonymization – the European Committee highlights – facilitates the use of legitimate interest as a legal basis for processing, provided that all other requirements of the GDPR are met and the compatibility with the original purpose of further processing is verified.

https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10095854