Pseudonymisation, Aggregation and Anonymisation
What is "pseudonymisation"?
Data is pseudonymised if it can no longer be assigned to a specific person without additional information. This can be achieved in particular by replacing the name of the data subject with an identifier.
The term is legally defined in Article 4 No. 5 of the GDPR. According to this, "pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the addition of further information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person".
Data can be pseudonymised in many different ways. In every case the aim is to establish a pseudonym that the data controller can no longer attribute to the data subject, while certain individuals still have access to a "key" that allows an identifiable individual to be attributed to the pseudonym.
The assignment of a pseudonym can be done by the following persons:
- by the responsible person him/herself
- by a third party
- by the data subject himself/herself by means of a freely chosen identification number
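The replacement of a name by an identifier, with the "key" held apart from the data, can be sketched as follows. This is an added example, not part of the original page; the choice of HMAC-SHA256, the function names, the field names and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; all names and values are invented.
SAMPLE = [
    {"name": "Alice Example", "visit": "2024-01-03", "diagnosis": "A"},
    {"name": "Bob Example", "visit": "2024-01-04", "diagnosis": "B"},
    {"name": "Alice Example", "visit": "2024-02-11", "diagnosis": "C"},
]


def pseudonymise(records, key, id_field="name"):
    """Replace the identifying field with a keyed pseudonym.

    Returns (pseudonymised_records, link_table). The key and the link table
    are the "additional information": store them apart from the records.
    """
    out, link_table = [], {}
    for rec in records:
        mac = hmac.new(key, rec[id_field].encode("utf-8"), hashlib.sha256)
        pseudonym = mac.hexdigest()[:16]  # shortened for readability
        link_table[pseudonym] = rec[id_field]
        rest = {k: v for k, v in rec.items() if k != id_field}
        out.append({"pseudonym": pseudonym, **rest})
    return out, link_table


def reidentify(pseudonym, link_table):
    """Resolve a pseudonym; returns None for a party without the link table."""
    return link_table.get(pseudonym)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the key custodian only
    data, table = pseudonymise(SAMPLE, key)
    for row in data:
        print(row)
    print("with link table:   ", reidentify(data[0]["pseudonym"], table))
    print("without link table:", reidentify(data[0]["pseudonym"], {}))
```

Records for the same subject share one pseudonym, so they stay linkable to each other for whoever holds the pseudonymised data.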
What is "aggregation"?
Aggregated data are data where, for example, data from different persons have been combined and thus a "data group" has been created. However, this does not necessarily lead to anonymisation.
It can happen that an aggregation actually makes it impossible to establish a reference to a person, so that the data is also anonymised at the same time and therefore no longer falls under the protection of the data protection regulations.
However, this is not necessarily the case with every aggregation. It remains a question of the individual case whether the aggregation leads to anonymisation or whether pseudonymised/personal data continue to exist.
What is "anonymisation"?
Anonymous data is not covered by the provisions of the GDPR.
Contrary to what the word suggests, anonymity does not already exist if no names are collected or names are subsequently deleted. Rather, according to the legislator's idea, anonymised data should no longer have any reference to a person. This would not necessarily be the case with the mere deletion of the name of the data subject if he or she is still identifiable on the basis of the other data.
The GDPR does not refer to "anonymised data" in its regulations. However, this term is used in recital 26 of the GDPR.
Its fifth and sixth sentences state: "The principles of data protection should not apply to anonymous information, i.e. information which does not relate to an identified or identifiable natural person, or personal data which has been rendered anonymous in such a way that the data subject cannot be identified or can no longer be identified. This Regulation therefore does not concern the processing of such anonymous data, including for statistical or research purposes."
The GDPR thus assumes a concept of anonymisation according to which there may no longer be any reference to a person.
Before the GDPR, the old version of the BDSG (BDSG aF) was applicable. It provided that data could still be regarded as anonymised if it could be assigned to a specific or identifiable person only with a disproportionately large effort in terms of time, costs and manpower (de facto anonymity). This characteristic is now (arguably) no longer decisive. At any rate, the effort required to establish an assignment to a person is not and should not be the primary characteristic for deciding whether one can speak of anonymisation or not. Ultimately, a case-by-case examination will be necessary here as well. Relevant case law on this is still awaited.
Complete (absolute) anonymisation can therefore not be assumed in certain cases. This also applies in cases in which the data-processing agency itself can actually no longer establish a personal reference. After all, it often cannot be ruled out that the person concerned can establish a personal reference to himself or herself. Nor can it often be ruled out that a reference to a person can somehow be made with time-consuming research work. It is therefore all the more important to specify in detail how anonymisation is to be achieved in order to find out whether it is really no longer possible to establish a reference to a person. Unfortunately, there is no formula for this (yet).