Pseudonymisation of personal data – what does it mean?

« News 02 july 2019

General Data Protection Regulation ("GDPR") introduced a new definition, unknown to the earlier provisions regulating the protection of personal data, i.e. "pseudonymisation". Our experience shows that despite the definition provided in the Article 4 point 5 of the GDPR, a significant group of entrepreneurs do not know what it means exactly and what it involves in practice. In this article, we will try to explain doubts related to pseudonymisation as simply as possible.

zdjęcie_24

According to the definition included in the GDPR, pseudonymisation is:

  1. the processing of personal data,
  2. in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information,
  3. provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

What does the above definition mean in practice? Well, in short - specific information is replaced by other signs.

The simplest and the most typical example is replacement of the name and surname of a given person with an ID number or a pseudonym. At the same time, we only store numbers (i.e. pseudonymised data) and the "key to decipher them", i.e. a list with names and surnames and numbers assigned to them. Without a list with a key, you cannot "decrypt" pseudonymized data (in this case, numbers), i.e. assign them to specific persons. As can be seen from the above, pseudonymisation is a reversible process (as opposed to the anonymisation of personal data).

Why is pseudonymisation applied? To make it difficult to identify a particular person.

The GDPR provides explicitly that pseudonymisation may be one of the data protection mechanisms. Due to the fact that it is a mean of securing personal data, it should be take into account that pseudonymised data and information allowing to decode them cannot be stored in one place or transferred together to other entities. In the process of data pseudonymisation, the roles and tasks should be divided accordingly - that is, it should be determined who will generate, for example, ID numbers, who will store data to reverse the pseudonymisation, etc.

Pseudonymisation of personal data and the conclusion of a contract for entrusting the processing of personal data.

Let's move on to the issue that in practice raises the most doubts among entrepreneurs: if we provide our subcontractor with pseudonymised personal data (e.g. only with ID numbers), do we have to conclude a contract of entrustment with this entity? Our experience shows that the answer is: "we do not have to". Then the argument goes: "after all the subcontractor only gets numbers, he cannot assign them to specific persons, i.e. there is no entrusting of the processing of personal data in this case."

Unfortunately, the above answer is not correct. Recital 26 of the GDPR clearly states that pseudonymised data which may be attributed to a natural person using additional information should be considered as personal data. Moreover, recital 75 of the GDPR provides that the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular where the processing may give rise to unauthorised reversal of pseudonymization.

What are the consequences?

All personal data protection regulations should apply to pseudonymised personal data. In particular, if the pseudonymized data is transferred to a subcontractor, it should be considered as a processor and enter into a contract with him to entrust data processing. The legal doctrine indicates that the lack of information necessary to identify a particular person does not mean that the pseudonymous data ceases to be personal data. The situation is different in case of anonymisation - as a result of this irreversible process, we no longer have personal data.

What conclusions results from the above comments?

  1. Pseudonymised personal data are still personal data even when we received them without information allowing them to be "decoded". We apply the provisions of the GDPR and other legal acts related to the protection of personal data to pseudonymised data. In particular, no provisions of the GDPR exclude in this case the obligation to conclude a contract of entrustment with the processor that processes such data.
  2. Pseudonymisation is one of the means to secure data. However, it cannot be stated that this is always a sufficient measure. It should be assessed in a particular situation whether it will provide adequate protection. Certainly, the data pseudonymisation process will help to increase their protection.

July 2nd, 2019 r., attorney-at-law Agnieszka Rapcewicz

   Our site uses cookies. We use cookies to enable proper operation of our website, to keep anonymous statistics and other analytical activities depicting the way users use the website. By continuing to use the website, you agree to their storage or use.

The user can independently change the conditions for storing cookies in the web browser he uses. More information, in particular regarding the processing of personal data, can be found in the Privacy Policy available here.