Recital 28

1The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. 2The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection….

Recital 29

1In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional…

Privacy by Design

…“Privacy by Design”. Legislation leaves completely open which exact protective measures are to be taken. As an example, one only need name pseudonymisation. No more detail is given in recital 78 of the regulation. At least in other parts of the law, encryption is named, as well as anonymisation of…

Recital 156

…processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). 4Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or…

Recital 85

1A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage…

Recital 75

…loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial…

Recital 26

1The principles of data protection should apply to any information concerning an identified or identifiable natural person. 2Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. 3To determine…

Art. 40 GDPR – Codes of conduct

…the collection of personal data; the pseudonymisation of personal data; the information provided to the public and to data subjects; the exercise of the rights of data subjects; the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility…

Art. 89 GDPR – Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

…in order to ensure respect for the principle of data minimisation. 3Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. 4Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes…

Art. 32 GDPR – Security of processing

…measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data…