How should pseudonymized data be processed correctly? Does transferring such data require a data processing agreement?
ANSWER
The GDPR introduced the concept of pseudonymisation, which means processing personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, referred to as a "key". Put simply, this means using a number or code individual to each person instead of data identifying the person. The basic requirement is that the key with the appropriate identifying data should be stored elsewhere (the GDPR describes this as "additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"). Thanks to this, even if a leak occurred, an unauthorised person would learn little from such data or the task would be significantly more difficult.
Such information should be viewed from two perspectives — that of the controller and that of the processor.
From the controller's perspective, pseudonymized data are personal data. Recital 26 provides clarification — it states that "personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person (…) To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used (including singling out), either by the controller or by another person to identify the natural person directly or indirectly".
Two key aspects should be noted:
- the possibility of identifying a natural person
- the possibility of such identification by "the controller or another person"
In the case of pseudonymized data, the possibility of identifying a person always exists and, as a result, from the controller's perspective such information always constitutes personal data.
Data entrusted for processing may be pseudonymized or anonymized.
If data have been anonymized in such a way that even the controller will not be able to determine the identity of the data subjects, the matter is very straightforward — "the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable". As a result, a data processing agreement is not needed. In the case of entrusting processing of pseudonymized personal data, the matter is somewhat more complicated.
It might seem that whether a data processing agreement should be concluded should be based on a risk analysis of the possibility of re-identification by the processor and that, if it is ensured that neither the processor nor any other party will be able to re-identify a person, the absence of entrustment of processing could be considered. However, when entrusting pseudonymized personal data for processing to another entity, it is necessary to ensure that the rights and freedoms of data subjects are not infringed — for example, that such data are not disclosed to other entities, are not combined with other data, are processed fairly, and that their accuracy and currency are maintained, etc. The simplest way to ensure this is to conclude a data processing agreement. Hence the position of supervisory authorities, which hold that every commission of processing on behalf of a controller, even if personal data are pseudonymized, should involve concluding a data processing agreement.


