The aim of this Code of Conduct (CoC) is to describe specific rules of conduct for pseudonymisation in conformity with data protection requirements in accordance with Art. 40 para. 2 lit. d of the General Data Protection Regulation (GDPR).
Pseudonymisation protects data subjects from unwanted identification and is an implementation of the principle of data minimisation from Art. 5 para. 1 lit. b GDPR. It constitutes a technical and organisational protection measure in accordance with Art. 25, 32 GDPR. Nevertheless, it also influences the lawfulness of the processing of personal data, as Art. 6 para. 4 lit. e GDPR shows. It thus fulfils both a protective and an enabling function. According to its legal definition, pseudonymisation is characterised by the fact that personal data are processed in such a way that these data can no longer be attributed to a specific person without additional information (cf. Art. 4 No. 7 GDPR).
A direct personal reference therefore remains possible within the scope of a pseudonymisation, but it must be prevented by technical or organisational measures except where disclosure is intended. The GDPR does not contain any technical or organisational information on how a pseudonym can be created, nor does it provide information on possible protective measures regarding the created pseudonym. For this purpose, this Code of Conduct defines procedural, organisational and technical requirements, which enable both controllers and processors to implement pseudonymisation in a practical way.
1.1 Scope of application
This CoC applies to controllers or processors regardless of their industry or sector if they pseudonymise personal data themselves in accordance with the requirements of the GDPR or are responsible for the use of pseudonymisation of personal data. The CoC's statements apply independently of the internal organisational and task distribution of the controller or processor.
Controllers or processors who use pseudonymised data in their services or products may join this CoC in order to prove that the pseudonyms used were created in accordance with the rules defined herein.
As a rule, controllers and processors will carry out data processing that relates to pseudonymisation as well as data processing that is in no way related to pseudonymisation. Even where data processing takes place in connection with pseudonymisation, it is to be assumed that not all of that data processing is subject to the GDPR or is to be subject to this CoC, especially in the case of internationally active controllers or processors. In this respect, controllers and processors can decide for themselves which pseudonymisation processes are to be subjected to this CoC. Where products, services or other data processing rely on pseudonyms that originate from pseudonymisation processes subject to this CoC, this fact must be pointed out transparently.