The General Data Protection Regulation ("GDPR") introduced a new definition, unknown to the earlier provisions regulating the protection of personal data, i.e. "pseudonymisation". Our experience shows that despite the definition provided in Article 4 point 5 of the GDPR, a significant group of entrepreneurs do not know exactly what it means and what it involves in practice. In this article, we will try to clear up the doubts related to pseudonymisation as simply as possible.
According to the definition included in the GDPR, pseudonymisation is:
What does the above definition mean in practice? In short, specific information is replaced by other symbols.
The simplest and most typical example is the replacement of a person's name and surname with an ID number or a pseudonym. We then store the numbers (i.e. the pseudonymised data) and, separately, the "key to decipher them", i.e. a list of names and surnames with the numbers assigned to them. Without the list containing the key, you cannot "decrypt" the pseudonymised data (in this case, the numbers), i.e. assign them to specific persons. As can be seen from the above, pseudonymisation is a reversible process (as opposed to the anonymisation of personal data).
Why is pseudonymisation applied? To make it difficult to identify a particular person.
The GDPR provides explicitly that pseudonymisation may be one of the data protection mechanisms. Because it is a means of securing personal data, it should be taken into account that pseudonymised data and the information that allows them to be decoded cannot be stored in one place or transferred together to other entities. In the process of data pseudonymisation, the roles and tasks should be divided accordingly - that is, it should be determined who will generate, for example, the ID numbers, who will store the data needed to reverse the pseudonymisation, etc.
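The process described above can be shown in a few lines of Python. This is an added example, not part of the original article; the function names, the `subject_id` field and the sample records are constructed for illustration. It produces two separate outputs, the pseudonymised rows and the key table, so that each can be stored and handled by a different party.

```python
import secrets

def pseudonymise(records, name_field="name"):
    """Return (pseudonymised rows, key table) for a list of dict records.

    IDs are random rather than derived from the name, so the rows alone
    cannot be assigned to a person without the key table.
    """
    key_table = {}   # ID number -> name; to be stored apart from the rows
    assigned = {}    # name -> ID number, so one person always gets one ID
    rows = []
    for rec in records:
        name = rec[name_field]
        if name not in assigned:
            pid = "P-" + secrets.token_hex(8)
            while pid in key_table:          # regenerate on the rare collision
                pid = "P-" + secrets.token_hex(8)
            assigned[name] = pid
            key_table[pid] = name
        row = {k: v for k, v in rec.items() if k != name_field}
        row["subject_id"] = assigned[name]
        rows.append(row)
    return rows, key_table

def reidentify(rows, key_table, name_field="name"):
    """Reverse the pseudonymisation; only the holder of the key table can."""
    out = []
    for row in rows:
        rec = {k: v for k, v in row.items() if k != "subject_id"}
        rec[name_field] = key_table[row["subject_id"]]
        out.append(rec)
    return out

# Constructed sample data (not real persons)
SAMPLE = [
    {"name": "Jan Kowalski", "invoice": 120},
    {"name": "Anna Nowak", "invoice": 75},
    {"name": "Jan Kowalski", "invoice": 40},
]

if __name__ == "__main__":
    rows, key_table = pseudonymise(SAMPLE)
    print("pseudonymised rows:", rows)
    print("restored with key: ", reidentify(rows, key_table))
```

The rows still count as personal data for whoever receives them, because the key table exists and allows the process to be reversed.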
Pseudonymisation of personal data and the conclusion of a contract for entrusting the processing of personal data.
Let's move on to the issue that in practice raises the most doubts among entrepreneurs: if we provide our subcontractor with pseudonymised personal data (e.g. only with ID numbers), do we have to conclude a contract of entrustment with this entity? Our experience shows that the answer is: "we do not have to". Then the argument goes: "after all the subcontractor only gets numbers, he cannot assign them to specific persons, i.e. there is no entrusting of the processing of personal data in this case."
Unfortunately, the above answer is not correct. Recital 26 of the GDPR clearly states that pseudonymised data which may be attributed to a natural person using additional information should be considered as personal data. Moreover, recital 75 of the GDPR provides that the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular where the processing may give rise to unauthorised reversal of pseudonymization.
What are the consequences?
All personal data protection regulations should apply to pseudonymised personal data. In particular, if the pseudonymised data is transferred to a subcontractor, the subcontractor should be considered a processor, and a contract entrusting the data processing should be concluded with it. The legal doctrine indicates that the lack of information necessary to identify a particular person does not mean that the pseudonymous data ceases to be personal data. The situation is different in the case of anonymisation - as a result of this irreversible process, we no longer have personal data.
What conclusions follow from the above comments?
July 2nd, 2019, attorney-at-law Agnieszka Rapcewicz