ISiCO GmbH
13.08.2025

Anonymisation and pseudonymisation: effectively implementing data protection and sensible data use

Finding the right balance between protecting data and creating value from it is a major challenge for modern organisations. Those processing personal data must protect it while ensuring it remains usable. Anonymisation and pseudonymisation are two proven methods of resolving this conflict. This article provides a practical, legally compliant overview, covering everything from definitions and technical procedures to application examples and regulatory requirements.

Your ISiCO-Expert:
Jacqueline Neiazy
Director Privacy

What does anonymisation mean in the context of data protection?

It means processing data in such a way that it can no longer be attributed to a specific individual. According to Recital 26 of the GDPR, a dataset is only considered anonymised if it is impossible to identify the person, or if doing so would require a disproportionate amount of effort.

This means that neither the controller nor a third party should be able to identify a person, either directly or indirectly. Anonymous data is generally not considered to be personal data.

Your solution for the best data protection

Trust is the foundation of every good business relationship. Strengthen your relationships with customers by leveraging our expertise in data protection. This will give your company a strong competitive advantage, allowing you to focus fully on your business.

When is anonymisation used?

Anonymisation is particularly relevant in contexts where data is to be used for statistical, scientific or analytical purposes without retaining any personal references. Typical use cases are:

  • Scientific studies
  • Development of AI models
  • Analysis and market research
  • Transfer to external partners (e.g. for benchmarking or public relations)
Anonymisation techniques

There are various technical approaches available for effectively anonymising personal data. The following methods are among the most common, and they can be combined or adapted depending on the application.

Generalisation

This involves converting specific data values into broader categories. Example: An exact age (e.g. 42 years) is converted into an age group (e.g. 40–50 years). This reduces the possibility of re-identification by third parties.

Randomisation

Randomisation involves inserting random noise into sensitive data. This preserves statistical trends while devaluing individual data points. Techniques such as 'differential privacy' use this method systematically.
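
The following sketch is an added illustration, not part of the original article: it applies the Laplace mechanism, the textbook differential-privacy method, to a counting query. The sample ages, the threshold of 40 and the epsilon values are constructed assumptions.

```python
import random

# Constructed sample: ages of 12 survey respondents (not real data).
AGES = [23, 35, 41, 42, 44, 47, 52, 58, 61, 29, 38, 66]


def true_count(ages, threshold=40):
    """Aggregate query: how many respondents are at least `threshold` years old."""
    return sum(1 for a in ages if a >= threshold)


def laplace_noise(scale, rng):
    """Laplace(0, scale) noise as the difference of two exponential draws."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def noisy_count(ages, epsilon, rng, threshold=40):
    """Laplace mechanism for a counting query.

    Adding or removing one person changes a count by at most 1
    (sensitivity 1), so the noise scale is 1 / epsilon.
    A smaller epsilon means more noise and stronger protection.
    """
    return true_count(ages, threshold) + laplace_noise(1 / epsilon, rng)


def mean_abs_error(ages, epsilon, rng, runs=5000):
    """Average distance between the noisy and the exact count over many releases."""
    exact = true_count(ages)
    total = sum(abs(noisy_count(ages, epsilon, rng) - exact) for _ in range(runs))
    return total / runs


if __name__ == "__main__":
    # Seeded only so the demonstration is reproducible; a seeded PRNG is
    # not a suitable noise source for a real release.
    rng = random.Random(7)
    print("exact count:", true_count(AGES))
    print("one noisy release (epsilon=1.0):", round(noisy_count(AGES, 1.0, rng), 2))
    print("mean error at epsilon=1.0:", round(mean_abs_error(AGES, 1.0, rng), 2))
    print("mean error at epsilon=0.1:", round(mean_abs_error(AGES, 0.1, rng), 2))
```

The mean error tracks 1/epsilon: each individual release is perturbed, while the expected value of the released statistic stays at the exact count.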

Other methods

In addition to well-established methods such as generalisation and randomisation, there are other proven anonymisation techniques that can be combined as required, depending on the intended use.

  • K-anonymity: Each data record is indistinguishable from at least k-1 other data records. The larger k is, the more likely true anonymity is achieved.
  • Suppression: Complete removal of certain data fields.
  • Aggregation: Combining multiple data records to produce averages or frequencies.
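
To show how generalisation, suppression and k-anonymity interact, here is an added example (not from the original article) that measures k before and after generalisation and then removes rows that would still stand alone. The records, field names and the choice of decade bands and two-digit postcode prefixes are constructed assumptions; dropping whole rows is a record-level variant of the field suppression described above.

```python
from collections import Counter

# Constructed sample records (not real data). "name" is a direct identifier,
# "age" and "postcode" are quasi-identifiers, "diagnosis" is the payload.
RECORDS = [
    {"name": "A. Meyer", "age": 42, "postcode": "10115", "diagnosis": "asthma"},
    {"name": "B. Kaya", "age": 47, "postcode": "10117", "diagnosis": "diabetes"},
    {"name": "C. Braun", "age": 44, "postcode": "10119", "diagnosis": "asthma"},
    {"name": "D. Novak", "age": 31, "postcode": "50667", "diagnosis": "migraine"},
    {"name": "E. Schulz", "age": 38, "postcode": "50668", "diagnosis": "asthma"},
    {"name": "F. Weber", "age": 67, "postcode": "80331", "diagnosis": "diabetes"},
]
QUASI_IDENTIFIERS = ("age", "postcode")


def generalise(record):
    """Suppress the name field and coarsen both quasi-identifiers."""
    low = record["age"] // 10 * 10
    return {
        "age": f"{low}-{low + 9}",                   # 42 -> "40-49"
        "postcode": record["postcode"][:2] + "***",  # 10115 -> "10***"
        "diagnosis": record["diagnosis"],
    }


def class_sizes(rows):
    """Count rows per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)


def k_of(rows):
    """k of a dataset is the size of its smallest equivalence class."""
    return min(class_sizes(rows).values()) if rows else 0


def enforce_k(rows, k):
    """Drop rows whose equivalence class has fewer than k members."""
    sizes = class_sizes(rows)
    return [r for r in rows if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    generalised = [generalise(r) for r in RECORDS]
    print("k of raw data:", k_of(RECORDS))
    print("k after generalisation:", k_of(generalised))
    released = enforce_k(generalised, k=2)
    print("k of released data:", k_of(released), "| rows kept:", len(released))
```

Generalisation alone leaves the 67-year-old from postcode area 80 in a class of one, so the dataset only reaches k = 2 once that row is withheld or the bands are widened further.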

Requirements for effective anonymisation

Anonymisation is only considered sufficient if re-identification is only possible with disproportionate effort, even by comparison with other data sets. The state of the art plays a decisive role here. New technical processes may, under certain circumstances, render previously anonymous data personally identifiable again.

For this reason, appropriate protective mechanisms must also be implemented to effectively and sustainably prevent re-identification. When assessing anonymisation, the context of data use must also be considered, including the possibility of potential attackers gaining access to the data.

Does anonymisation constitute deletion under the GDPR?

Under certain circumstances, anonymisation may fulfil the obligation to delete data, provided it is irreversible and permanent, and the personal reference is permanently removed.

Is a DPIA required before anonymisation?

Yes, in many cases: a DPIA is particularly recommended when sensitive data is processed or new technologies are used on a large scale. This assessment helps identify risks early on and plan appropriate protective measures. Additionally, a DPIA can help verify the effectiveness of anonymisation.

Typical challenges in anonymisation

Despite its advantages, anonymisation presents numerous practical and strategic challenges. The most important problem areas are listed below:

  • Re-identification through external data sources
  • Loss of data quality with strong anonymisation
  • Technical complexity and lack of standards
  • The dynamic nature of anonymisation means that what is anonymous today may be re-identifiable tomorrow.

What does pseudonymisation mean in the context of data protection?

Pseudonymisation is defined in Art. 4(5) of the GDPR. It involves replacing identifiers (e.g. name or email address) with a pseudonym (e.g. a random ID). The link to the person is retained via a separate assignment record. It is important to note that pseudonymised data is still considered personal data and therefore its processing requires a legal basis under data protection law. Pseudonymisation is therefore primarily a security measure.

How does pseudonymisation work?

Typical methods are:

  • Tokenisation: Replacing data with random character strings that third parties cannot trace back to the original values.
  • Hashing (with salt): One-way conversion of data into a hash value, with an additional random component (the salt) for security.

The information linking the pseudonym to the original value must be secured technically and organisationally (e.g. encryption, access restrictions and separate storage).
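
The two methods can be sketched as follows. This is an added example, not code from the original article: the class and function names, the e-mail addresses and the demo key are hypothetical, and the salted hash is implemented as HMAC-SHA-256 under a secret key, which plays the role of a salt that is stored separately from the data.

```python
import hashlib
import hmac
import secrets

# Hypothetical demo key; in practice it is generated once and stored apart
# from the pseudonymised data, under separate access control.
DEMO_KEY = secrets.token_bytes(32)


class TokenVault:
    """Tokenisation: random tokens plus a separately stored assignment table."""

    def __init__(self):
        self._token_by_value = {}
        self._value_by_token = {}  # the assignment record to be protected

    def tokenise(self, value):
        if value not in self._token_by_value:
            token = "tok_" + secrets.token_hex(8)
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def reidentify(self, token):
        """Only a holder of the vault can map a token back to its value."""
        return self._value_by_token[token]


def normalise(email):
    """Same person, same pseudonym: ignore case and surrounding spaces."""
    return email.strip().lower()


def plain_hash(email):
    """Unsalted SHA-256: anyone can recompute it from a known address."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_hash(email, key):
    """HMAC-SHA-256: cannot be recomputed without the secret key."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def linkable_by_outsider(pseudonym, known_emails):
    """Release check: could a recipient without the key match this pseudonym
    against addresses it already holds by simply hashing them?"""
    return any(plain_hash(e) == pseudonym for e in known_emails)
```

With the keyed variant the same address always yields the same pseudonym, so datasets stay joinable for analysis, while `linkable_by_outsider` returns `False` for any recipient that holds only the data and not the key.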

Examples of applications of pseudonymisation

In practice, pseudonymisation is used in many industries to effectively protect personal data while ensuring it remains usable. The following examples illustrate typical areas of application:

  • Health studies with controlled access to identity data
  • Internal data analysis with simultaneous protection of privacy
  • Order processing by external service providers

Pseudonymisation as a technical protection measure

The GDPR recognises pseudonymisation as an effective technical and organisational measure (TOM) in accordance with Article 32. It mitigates risks for data subjects without rendering data unusable for legitimate purposes.

The limits and risks of pseudonymisation

A recent ruling demonstrates how the assessment of pseudonymisation can vary significantly depending on the context of use. In its decision of 26 February 2025 (Ref.: 128 OWiLG 1/24), the Regional Court of Hanover ruled that pseudonymised data could effectively be anonymous to contract processors if the recipient had no means or motive to identify the data subjects.

In this particular case, an automotive group transferred pseudonymised employee data to a US monitor. The data protection authority considered this to be a violation of the GDPR. However, the court rejected this accusation, ruling that, since the monitor had no access to the individuals' identities and no re-identification was intended, the effect of the pseudonymisation was virtually the same as anonymisation. While the court did not rule on whether complete anonymisation had actually taken place, it overturned the authority's decision.

With pseudonymisation, the personal reference is retained, meaning that the data remains subject to the GDPR's provisions. Therefore, it is crucial that the management of assignment data is implemented particularly securely to prevent unauthorised re-identification. This is because linking to additional information or external data sources could enable the subsequent identification of the data subject.

Anonymisation vs. pseudonymisation

| Feature | Anonymisation | Pseudonymisation |
| --- | --- | --- |
| Personal reference | Not applicable | Remains applicable |
| GDPR applicability | No | Yes |
| Re-identifiability | No, if effective | Yes, with allocation data |
| Data use | Statistics, public, research | Analysis, processing with protection requirements |

Which method is appropriate in which situation?

  • Anonymisation: When data is to be used permanently, without personal references, by third parties or made available to the public.
  • Pseudonymisation: When data is to be processed internally but personal references cannot be removed.
  • It may be possible to use a combination of both methods, e.g. pseudonymisation for initial processing and anonymisation for subsequent steps/final deletion.

Conclusion: Data protection compliant and data use friendly.

Anonymisation and pseudonymisation are strategic tools for implementing data protection 'by design', not just technical details. Using both methods correctly reduces risks, strengthens customer trust and meets regulatory requirements without having to forego data-based innovation.

Companies should familiarise themselves with the procedures, analyse their possible applications, and document their technical and organisational implementation. We are happy to support you in this process.

We provide a range of services relating to anonymisation and pseudonymisation

As a specialist management consultancy for data protection, we provide comprehensive support for the implementation of solutions that comply with data protection regulations. Our services include:

  • Consulting and project support in the selection and introduction of suitable procedures and tools
  • Creation or review of guidelines for data protection-compliant anonymisation and pseudonymisation
  • Conducting risk analyses and threshold value checks, particularly to determine the need for a data protection impact assessment (DPIA)
  • Technical and organisational implementation recommendations for the secure separation and storage of pseudonymisation keys
  • Training for specialist departments, data protection officers and IT teams to raise awareness of typical pitfalls and practical issues
  • Audit and quality control of existing anonymisation processes

Contact us if you want to ensure that your data processing is both legally compliant and cost-effective.
