EDPB Clarifies Pseudonymization, Urges Competition and Privacy Watchdog Cooperation
The European Data Protection Board (EDPB) Friday clarified the use of pseudonymized data for EU General Data Protection Regulation compliance. Comments on the guidelines are due Feb. 28.
Sign up for a free preview to unlock the rest of this article
The GDPR defines pseudonymization as processing personal data in such a way that it can no longer be attributed to a specific data subject without using additional information, provided that additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data isn't attributed to an identified or identifiable natural person, the EDPB noted.
The guidelines specify that pseudonymized data, which could be attributed to an individual via additional information, remains data related to an identifiable person and, therefore, is still personal data. In addition, it noted pseudonymization can reduce risks and make it easier to use legitimate interest as a legal basis for processing personal data as long as all other GDPR rules are met.
The board also issued a position paper on the interaction of competition and data protection law. It suggested steps for incorporating market and competition factors into privacy practices and said data protection rules should be considered in antitrust assessments. The paper also recommended ways to boost cooperation among regulators, such as by creating a single point of contact to manage coordination among them.