The benefits of properly pseudonymized data using Anonos BigPrivacy technology

The benefits of properly pseudonymized data using Anonos BigPrivacy technology are highlighted in multiple GDPR Articles, including:

  • Article 6(4) as a safeguard to help ensure the compatibility of new data processing.
  • Article 25(1) as a technical and organizational measure to help enforce data minimization principles and compliance with data protection by design and by default obligations.
  • Articles 32, 33 and 34 as a security measure helping to make data breaches “unlikely to result in a risk to the rights and freedoms of natural persons” thereby reducing liability and notification obligations for data breaches.
  • Article 89(1) as a safeguard in connection with processing for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes; moreover, the benefits of pseudonymization under this Article 89(1) also provide greater flexibility under:
    • Article 5(1)(b) with regard to purpose limitation;
    • Article 5(1)(e) with regard to storage limitation; and
    • Article 9(2)(j) with regard to overcoming the general prohibition on processing Article 9(1) special categories of personal data.
  • In addition, properly Pseudonymized data is recognized in Article 29 Working Party Opinion 06/2014 as playing “a role with regard to the evaluation of the potential impact of the processing on the data subject...tipping the balance in favour of the controller” to help support Legitimate Interest processing as a legal basis under Article GDPR 6(1)(f). Benefits from processing personal data using Legitimate Interest as a legal basis under the GDPR include, without limitation:
    • Under Article 17(1)(c), if a data controller shows they “have overriding legitimate grounds for processing” supported by technical and organizational measures to satisfy the balancing of interest test, they have greater flexibility in complying with Right to be Forgotten requests.
    • Under Article 18(1)(d), a data controller has flexibility in complying with claims to restrict the processing of personal data if they can show they have technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected.
    • Under Article 20(1), data controllers using Legitimate Interest processing are not subject to the right of portability, which applies only to consent-based processing.
    • Under Article 21(1), a data controller using Legitimate Interest processing may be able to show they have adequate technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected; however, data subjects always have the right under Article 21(3) to not receive direct marketing outreach as a result of such processing.
Learn More

Pre-GDPR Pseudonymization versus GDPR Compliant Pseudonymization

How GDPR compliant pseudonymization requirements have evolved from prior standards:

Picture11-1