On 26 April 2023, the General Court of the European Union (EGC) issued its judgment in case T-557/20 (judgment of 26 April 2023, SRB v EDPS, T-557/20, EU:T:2023:219) and at the same time made a statement about the distinction between pseudonymised data and anonymous data.
In essence, the court dealt with the question of whether pseudonymised data transferred to third parties should continue to be regarded as personal data, even if the recipient has no way of decrypting this data.
Pseudonymised data is personal data that can only be attributed to a specific person with the addition of further information. Such data therefore relate to an identifiable person and thus are personal. Therefore, these data are subject to European data protection law.
Anonymised data, on the other hand, are data that do not allow any attribution, even with the addition of further information. With such data, it is therefore not possible to draw conclusions about the identity of the person concerned. For this reason, they are not subject to data protection law.
The distinction between pseudonymised and anonymised data can be difficult to make in individual cases. It often happens that companies have information that makes it practically impossible to re-identify the person concerned. However, in such cases the authorities are often of the opinion that re-identification is possible with the addition of information from third parties, so that only pseudonymisation can be assumed.
Read the full article here
