The benefits of properly pseudonymized data using Anonos BigPrivacy technology

The benefits of properly pseudonymized data using Anonos BigPrivacy technology are highlighted in multiple GDPR Articles, including:

  • Article 6(4) as a safeguard to help ensure the compatibility of new data processing;
  • Article 25 as a technical and organizational measure to help enforce data minimisation principles and compliance with data protection by design and data protection by default obligations;
  • Article 32 as an encouraged security measure; and
  • Article 89(1) as a safeguard in connection with processing for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes; moreover, the benefits of pseudonymization under this Article 89(1) also provide greater flexibility under:
    • Article 5(1)(b) with regard to purpose limitation;
    • Article 5(1)(e) with regard to storage limitation; and
    • Article 9(2)(j) with regard to overcoming the general prohibition on processing Article 9(1) special categories of personal data.
  • In addition, properly pseudonymized data is recognized in WP29 Opinion 06/2014 as playing “a role with regard to the evaluation of the potential impact of the processing on the data subject...tipping the balance in favour of the controller” to help support Legitimate Interest processing as a legal basis under Article GDPR 6(1)(f). Benefits from processing personal data using Legitimate Interest as a legal basis under the GDPR include, without limitation:
    • Under Article 17(1)(c), if a data controller shows they “have overriding legitimate grounds for processing” supported by technical and organizational measures to satisfy the balancing of interest test they have flexibility in complying with Right to be Forgotten requests.
    • Under Article 18(1)(d), a data controller has flexibility in complying with claims to restrict the processing if they can show they have technical and organizational measures in place so that the rights of the data controller properly override those of the data subject.
    • Under Article 20(1), data controllers using Legitimate Interest processing are not subject to the right of portability, which applies only to consent based processing.
    • Under Article 21(1), a data controller using Legitimate Interest processing may be able to show they have adequate technical and organizational measures in place so that the rights of the data controller properly override those of the data subject; however, a data subject always has the right under Article 21(3) to not receive direct marketing outreach as a result of such processing.
Learn More

Pre-GDPR Pseudonymization versus GDPR Compliant Pseudonymization

How GDPR compliant pseudonymization requirements have evolved from prior standards:

Picture11-1