Code of Conduct on the use of GDPR compliant Pseudonymisation

General Data Protection Regulation (GDPR)
Draft for a Code of Conduct on the use of GDPR compliant pseudonymisation


The aim of this Code of Conduct (CoC) is to describe specific rules of conduct for pseudonymisation in conformity with data protection requirements in accordance with Art. 40 para. 2 lit. d of the General Data Protection Regulation (GDPR).

Pseudonymisation protects data subjects from unwanted identification and is an implementation of the principle of data minimisation from Art. 5 para. 1 lit. b GDPR. It constitutes a technical and organisational protection measure in accordance with Art. 25, 32 GDPR. Nevertheless, it also influences the lawfulness of the processing of personal data, as Art. 6 para. 4 lit. e GDPR shows. It thus fulfils both a protective and an enabling function. According to its legal definition, pseudonymisation is characterised by the fact that personal data are processed in such a way that these data can no longer be attributed to a specific person without additional information (cf. Art. 4 No. 7 GDPR).

Even though a direct personal reference is possible within the scope of a pseudonymisation but must be prevented by means of technical or organisational measures apart from a desired disclosure. The GDPR does not contain any technical or organisational information on how a pseudonym can be created, nor does it provide information on possible protective measures regarding the created pseudonym. For this purpose, this Code of Conduct defines both procedural as well as organisational and technical requirements, which enable both controllers and processors to implement the pseudonymisation in a practical way.

1.1 Scope of application

This CoC applies to controllers or processors regardless of their industry or sector if they pseudonymise personal data themselves in accordance with the requirements of the GDPR or are responsible for the use of pseudonymisation of personal data. The CoC's statements apply independently of the internal organisational and task distribution of the controller or processor.

Controllers or processors who use pseudonymised data in their services or products may join this CoC in order to prove that the pseudonyms used were created in accordance with the rules defined herein.

As a rule, controllers and processors will carry out data processing that relates to pseudonymisation as well as data processing that is in no way related to pseudonymisation. Even if data processing takes place in connection with pseudonymisation, it is to be assumed that not all data processing is subject to the GDPR or is to be subject to this CoC, especially in the case of internationally active controllers or processors. In this respect, controllers and processors can decide for themselves which pseudonymisation processes are to be subjected to this CoC. In the case of those products, services or other data processing that fall back on pseudonyms that originate from pseudonymisation processes that were subject to this CoC, this fact must be pointed out transparently.

1.2 Definitions of CoC terms

  • Pseudonymisation means pseudonymisation in the sense of Art. 4 No. 5 GDPR: 'pseudonymisation' [means] the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • According to Art. 4 No. 5 GDPR, the additional information is the only information with which the connection of a pseudonym to the person represented can be established. Depending on the pseudonymisation method, the additional information can be a direct assignment or an assignment rule.
  • A pseudonym is a string of characters that replaces a person's identity data and thus represents that person.
  • The pseudonymisation method describes the technical-organisational process by which a pseudonym is generated.
  • Specialist managers are all persons or departments within a company or a public body who are not responsible for the organisation of the entire processing activity, but who only design individual sub-areas in compliance with data protection regulations (such as the proper pseudonymisation of personal data).
  • The Specialist Responsible for Pseudonymisation (SRP) are all persons or departments within a company or a public body who are responsible for the design of the pseudonymisation process in accordance with data protection regulations, at least in the form of a supervisory and advisory function.