Key Highlights
Definition and Scope: Pseudonymisation involves processing personal data such that it can no longer be attributed to a specific data subject without additional information, which must be kept separately and protected by technical and organizational measures. Importantly, pseudonymised data remains classified as personal data under the GDPR.
Pseudonymisation Domain: The guidelines introduce the concept of a ‘pseudonymisation domain,’ referring to an environment where only pseudonymised data is processed, and individuals within this domain lack access to the additional information required for re-identification. This framework emphasizes the necessity of isolating pseudonymised data from identifying information to enhance data protection.
Benefits for GDPR Compliance: Pseudonymisation serves as an effective tool for adhering to several GDPR principles, including data minimisation, confidentiality, and purpose limitation. It also plays a crucial role in facilitating lawful data processing, particularly when relying on legitimate interests as a legal basis.
Technical Measures and Safeguards: The EDPB outlines essential technical measures for effective pseudonymisation, such as Pseudonymising Transformation (modifying original data to prevent attribution to specific individuals without additional information, ensuring that direct identifiers are removed or replaced) and Preventing Unauthorised Attribution (implementing safeguards to protect against re-identification, including securing pseudonymisation keys and managing quasi-identifiers).
Distinction from Anonymisation: The guidelines reiterate that pseudonymised data differs from anonymised data; pseudonymised data can still be re-identified with additional information, whereas anonymised data is stripped of identifiable elements irreversibly. Therefore, pseudonymised data remains subject to GDPR obligations.
These guidelines aim to assist organisations in implementing pseudonymisation effectively, thereby enhancing data protection measures and ensuring compliance with GDPR requirements.
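The two technical measures summarised above (a pseudonymising transformation, and preventing unauthorised attribution through key separation and quasi-identifier handling) can be illustrated in code. The following is an added example, not taken from the EDPB guidelines or from Allegiance Law; the choice of HMAC-SHA256, the field names, the coarsening rules and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = {"name", "email"}          # assumed field names
QUASI_IDENTIFIERS = {"birth_date", "postcode"}  # assumed field names


def make_pseudonym(identifier: str, key: bytes) -> str:
    # Keyed HMAC: unlike a plain hash, it cannot be recomputed from a
    # guessed identifier by someone who does not hold the key.
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Build the record released into the pseudonymisation domain."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS | QUASI_IDENTIFIERS}
    out["pseudonym"] = make_pseudonym(record["email"], key)
    # Coarsen quasi-identifiers instead of passing them through verbatim.
    out["birth_year"] = record["birth_date"][:4]
    out["postcode_area"] = record["postcode"].split()[0]
    return out


def attribute(pseudonym: str, known_identifiers: list, key: bytes):
    """Re-attribution: only succeeds for a party holding the right key."""
    for identifier in known_identifiers:
        if hmac.compare_digest(make_pseudonym(identifier, key), pseudonym):
            return identifier
    return None


# Constructed sample data. In practice the key is the "additional
# information" and sits in a separate store the domain cannot read.
KEY = secrets.token_bytes(32)
SAMPLE = {"name": "Alex Example", "email": "Alex@Example.org",
          "birth_date": "1984-03-17", "postcode": "AB12 3CD",
          "diagnosis_code": "J45"}

if __name__ == "__main__":
    released = pseudonymise(SAMPLE, KEY)
    print(released)
    print(attribute(released["pseudonym"], ["alex@example.org"], KEY))
    print(attribute(released["pseudonym"], ["alex@example.org"],
                    secrets.token_bytes(32)))
```

The released record still counts as personal data: anyone who obtains the key, or who can link the remaining fields to other datasets, can attribute it again.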
Allegiance Law’s Perspective
The EDPB’s Draft Guidelines on Pseudonymisation signal a clear expectation for organisations to integrate robust data protection techniques into their processing activities. For businesses handling sensitive personal data—especially in sectors like healthcare, finance, or technology—pseudonymisation is no longer optional but a cornerstone of GDPR compliance.
At Allegiance Law, we recommend the following immediate actions: (i) assess current practices by reviewing existing data processing activities to identify opportunities for implementing or improving pseudonymisation techniques; (ii) strengthen technical safeguards by ensuring pseudonymisation keys and related information are securely managed, with strict access controls and encryption measures in place; (iii) update policies and training by revising data protection policies to reflect pseudonymisation requirements and training staff on maintaining pseudonymisation domains effectively; and (iv) engage vendors by auditing third-party processors to verify their pseudonymisation capabilities and updating Data Processing Agreements (DPAs) to align with EDPB expectations.
We are actively supporting clients in (i) designing pseudonymisation frameworks tailored to their data environments, (ii) conducting risk assessments to prevent re-identification, (iii) integrating pseudonymisation into legitimate interest assessments (LIAs), and (iv) preparing consultation feedback to address practical implementation challenges in the EDPB’s draft.
The consultation period for these guidelines offers a critical window to shape their final form. We encourage organisations to act swiftly to align with these expectations while contributing to a balanced regulatory framework.
Read the full EDPB’s Draft Guidelines 01/2025 on Pseudonymisation here