European data regulators release updated pseudonymisation guidelines for 2025

New EDPB guidance outlines technical requirements for pseudonymisation in data processing while providing real-world examples.

EDPB's pseudonymisation guidelines

The European Data Protection Board (EDPB) published its Guidelines 01/2025 on pseudonymisation on January 16, 2025, marking the first comprehensive guidance on this data protection measure since the implementation of GDPR. The guidelines provide detailed technical specifications for organizations processing personal data within the European Economic Area.

According to the EDPB document, pseudonymisation represents a significant safeguard that controllers can implement to meet various data protection obligations. The guidance defines pseudonymisation as the processing of personal data in a manner preventing attribution to specific individuals without additional information kept separately under strict technical controls.

The newly released guidelines establish that pseudonymised data remains personal data under GDPR Article 4(5), even when the additional information enabling re-identification is held by different entities. This interpretation carries substantial implications for cross-border data transfers and internal data processing workflows.

The EDPB guidance introduces the concept of a "pseudonymisation domain" - the controlled environment where organizations must prevent data attribution to specific individuals. This domain encompasses the technical systems, organizational processes, and personnel involved in data processing activities.

For cryptographic implementations, the guidelines specify that controllers must employ either cryptographic one-way functions like Message Authentication Codes (MACs) or encryption algorithms with sufficient entropy in their secret parameters. The EDPB notes that lookup tables represent an alternative approach, though they require secure storage of potentially large sets of personal data.

The document outlines three primary mechanisms for pseudonymisation: person pseudonyms maintaining consistent identifiers across all processing, relationship pseudonyms varying by context, and transaction pseudonyms changing with each interaction. Each mechanism serves different risk mitigation purposes while enabling specific types of data analysis.

The guidelines establish strict requirements for the protection of "pseudonymisation secrets" - the cryptographic keys or lookup tables enabling re-identification. Organizations must implement technical and organizational measures ensuring these secrets remain inaccessible to unauthorized parties within the pseudonymisation domain.
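The three pseudonym types and the role of the pseudonymisation secret described above, as an added example that is not part of the EDPB guidelines or the article: HMAC-SHA256 serves as the keyed one-way function, the key is the secret that must stay outside the pseudonymisation domain, and all identifiers and context labels are constructed.

```python
import hmac
import hashlib
import secrets

# Added example (not from the EDPB guidelines): keyed pseudonymisation with
# HMAC-SHA256 as the cryptographic one-way function. The key is the
# "pseudonymisation secret"; it must be high-entropy and stored separately
# from the pseudonymised data. Identifiers and context names are constructed.

def generate_secret() -> bytes:
    """256-bit key from the OS CSPRNG: the pseudonymisation secret."""
    return secrets.token_bytes(32)

def _prf(secret: bytes, *parts: bytes) -> str:
    """HMAC over length-prefixed parts, so ("ab","c") and ("a","bc") differ."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()

def person_pseudonym(secret: bytes, identifier: str) -> str:
    """Person pseudonym: one stable value per individual across all processing."""
    return _prf(secret, b"person", identifier.encode())

def relationship_pseudonym(secret: bytes, identifier: str, context: str) -> str:
    """Relationship pseudonym: the context label is mixed in, so the same
    person gets unlinkable pseudonyms in, e.g., the HR and billing contexts."""
    return _prf(secret, b"relationship", context.encode(), identifier.encode())

def transaction_pseudonym(secret: bytes, identifier: str, nonce=None):
    """Transaction pseudonym: a fresh random nonce per record makes every
    occurrence unlinkable; the nonce is stored with the record (it reveals
    nothing without the secret) so the controller can still re-identify."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    return _prf(secret, b"transaction", nonce, identifier.encode()), nonce

def reidentify(secret: bytes, pseudonym: str, known_identifiers, recompute):
    """Re-identification needs the secret plus the controller's own identifier
    list (the additional information kept separately): recompute and match.
    Without the secret the one-way function cannot be inverted this way."""
    for ident in known_identifiers:
        if hmac.compare_digest(recompute(secret, ident), pseudonym):
            return ident
    return None

if __name__ == "__main__":
    key = generate_secret()
    ids = ["alice@example.test", "bob@example.test"]  # constructed
    print(reidentify(key, person_pseudonym(key, ids[0]), ids, person_pseudonym))
```

Swapping in a different secret makes re-identification fail even for the same identifier list, which is the property the "pseudonymisation domain" relies on.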

For cross-border transfers, the EDPB states that pseudonymisation can serve as a supplementary measure only when the data importer neither possesses nor can obtain the additional information needed for re-identification. The guidance specifically addresses scenarios involving data transfers to countries lacking adequate data protection standards.

Regarding data subject rights, the guidelines clarify that individuals maintain their GDPR access and portability rights for pseudonymised data unless the controller demonstrates an inability to identify the data subject under Article 11. Controllers must facilitate these rights while maintaining the security of the pseudonymisation system.

The document provides ten detailed implementation examples, ranging from internal analysis scenarios to cross-border transfer cases. These examples illustrate practical applications of pseudonymisation in healthcare, employment, and commercial contexts.

Organizations have until February 28, 2025, to submit feedback on the guidelines through the EDPB's public consultation process. The final version will establish binding interpretations for data protection authorities across the European Economic Area.

The EDPB emphasizes that pseudonymisation alone does not ensure GDPR compliance, but rather serves as one component of a comprehensive data protection strategy. Controllers must evaluate the effectiveness of their pseudonymisation measures against specific processing contexts and risks.

Industry experts note the guidelines' practical significance. According to Phil Lee, Managing Director at Digiphile, the guidance presents complex technical requirements that may challenge organizations implementing pseudonymisation in commercial environments.

The publication arrives amid increasing regulatory scrutiny of international data flows and growing emphasis on technical data protection measures. Organizations processing personal data within the EEA must now evaluate their pseudonymisation practices against these detailed requirements.