According to the GDPR, pseudonymization is defined as: “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” Pseudonymized data is not anonymous, but it is not directly identifiable either. Through it, data is separated from direct identifiers, so linking the identity of the data subject to the data itself is not possible without additional information. In order for the process to be efficient, this additional information will be kept separately.
For a while, there was a misconception that pseudonymized data was exempt from the GDPR, which is false. The regulation is more relaxed for those who used such data protection measures, but it still applies.
Pseudonymized data presents a reduced risk for the data subject, but alone it is not sufficient to exempt the controller from the GDPR. Furthermore, Recital 26 states “Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”
Pseudonymizzation is an important factor of privacy by design, along with encryption for instance. Also, if the controller deletes the directly identifiable data instead of holding it separately, the data that remains is automatically unidentifiable. As a result, data subject rights such as access or rectification no longer apply. However, for this exemption to be applied, the controller needs to be able to demonstrate that it is impossible to identify a data subject.