EDPB Adopts Guidelines on Pseudonymisation and Statement on Data Protection Cooperation
On January 17, 2025, the European Data Protection Board (EDPB) convened in Brussels and adopted new guidelines on pseudonymisation, along with a statement addressing the relationship between competition law and data protection. The guidelines clarify the concept of pseudonymisation as outlined in the General Data Protection Regulation (GDPR). Pseudonymisation is identified as a safeguard that can assist organizations in meeting their data protection obligations, while also emphasizing that pseudonymised data, which can still be linked to individuals with additional information, is still considered personal data.
The EDPB’s guidelines provide two key legal clarifications. First, pseudonymised data remains classified as personal data if it can be attributed to an identifiable individual through additional information. Second, the use of pseudonymisation can lower risks and facilitate the use of legitimate interests as a legal basis for processing, provided that all other GDPR requirements are satisfied. The guidelines also describe how pseudonymisation can support organizations in adhering to data protection principles, ensuring data protection by design and default, and enhancing security.
Additionally, the guidelines address technical measures and safeguards necessary for maintaining confidentiality and preventing unauthorized identification of individuals. The EDPB has opened the guidelines for public consultation until February 28, 2025, allowing stakeholders to provide feedback and consider any future developments in case law.
Alongside the guidelines, the EDPB issued a position paper on the interplay between data protection law and competition law. The paper highlights the necessity for cooperation between data protection and competition authorities, especially following the CJEU ruling in the Meta vs. Bundeskartellamt case. The EDPB suggests steps for integrating market and competition factors into data protection practices and vice versa, recommending the establishment of a single point of contact to enhance coordination among regulators.
