Pseudonymisation: the benefits for companies according to the EDPB Guidelines

published on 19 March 2025 | reading time approx. 3 minutes


The European Data Protection Board (EDPB) recently adopted its ‘Guidelines 01/2025 on Pseudonymisation’, which provide detailed guidance on the use of pseudonymisation as a personal data protection measure under the EU Data Protection Regulation No. 679/2016 (the ‘GDPR’). Below, we examine the key points for businesses that want to use pseudonymisation while also taking privacy compliance into consideration.

We should first clarify what we mean by pseudonymisation. The GDPR, in Article 4(5), defines it as the processing of personal data in such a way that the data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

This context in which attribution of the data to the data subject is precluded, referred to by the Guidelines as the ‘pseudonymisation domain’, is, however, not irreversible (unlike anonymisation), which is why pseudonymised data remains fully within the scope of the GDPR.

With that in mind, let's look at the advantages of using this technique correctly, according to the EDPB.

Pseudonymisation, when done effectively, can first and foremost be a good ally in reducing the risks of data breaches, in particular in the following ways:
  • by preventing the disclosure of direct identifiers of data subjects to some or all of the legitimate recipients of pseudonymised data;
  • by reducing, in the case of unauthorised disclosure of or access to genuinely pseudonymised data, the severity of the resulting risk of a breach of confidentiality, as well as the impact on data subjects of the negative consequences of such disclosure or access;
  • by reducing the risk of ‘function creep’, i.e. the risk of personal data being further processed in a manner incompatible with the purposes for which they were collected, in compliance with the principles of data minimisation and purpose limitation (Article 5 GDPR).

Moreover, the use of pseudonymisation techniques can mitigate the risks linked to the inaccuracy of the data, reducing the impacts in the event of erroneous attribution of data to other subjects.

It is clear, therefore, that the use of this tool (if wisely supported by technical and legal professionals and by a preliminary assessment of the risks associated with the processing carried out) may constitute a real security measure, capable of reducing the risk of data breach and, consequently, the possible risk of privacy sanctions.

But what are the preliminary assessments that a data controller must make before proceeding with the implementation of pseudonymisation?

According to the EDPB, it will first be necessary to determine the objectives to be achieved by this measure in order to define the pseudonymisation domain (the term for the perimeter within which attribution of the data is precluded) and to decide which data sets are to be included in it.

A series of technical and legal assessments will also have to be carried out, concerning both the technical safeguards to be implemented and the inherent risk associated with the processing operations performed.

In conclusion, the EDPB's Pseudonymisation Guidelines offer a clear roadmap for implementing this data protection measure effectively to companies (from all sectors) that care about privacy and intend to develop robust data protection internally.

The authors:

Martina Ortillo - Manager

Flavia Salvatore - Associate
