Pseudonymisation and anonymization of health data: what are the consequences of the EDPB’s new guidelines?

I. EDPB Guidelines: Clarifications about anonymization and pseudonymization

The EDPB/ICO guidelines, published on January 16, 2025[1], clarify the concept of pseudonymization as set out in the GDPR and illustrate it with numerous practical examples. First, it should be noted that pseudonymization is defined in Article 4(5) of the GDPR[2] as: “The processing of personal data in such a manner that personal data can no longer be attributed to a specific individual without the use of supplementary information, provided that such supplementary information is kept separately and is subject to technical and organizational measures to ensure that personal data is not attributed to an identified or identifiable person.”

In summary, pseudonymization consists of protecting personal data by modifying or obscuring it so that it can no longer be attributed to a person without recourse to additional information. Using pseudonymization for one’s data processing in no way exempts one from the application of the GDPR. Indeed, pseudonymized data remains personal data because it can still be associated with its holder (a natural person), who may be re-identified using the additional information[3].

Anonymization, by contrast, renders the re-identification of a person impossible: “anonymized” data[4] therefore loses its status as “personal data” and falls outside the scope of the GDPR, which does not apply to it.

Here, the key point to remember is that pseudonymization is a “reversible” process, while anonymization is “irreversible”.

The EDPB guidelines also emphasize that pseudonymization reduces confidentiality risks, particularly in the event of unauthorized access to data. It allows data controllers and processors to continue processing data while concealing the identity of the individuals concerned[5].

II. The stakes of pseudonymization: a central element of data protection

The main value of this process lies in its ability to reduce the risk of personal data breaches while allowing organizations to process sensitive data such as health data. According to the EDPB, pseudonymization should not be viewed as a stand-alone solution but as a complement to other security measures, thereby helping to meet the principles and obligations of the GDPR, such as data minimization and the principle of security by default[6].

In the healthcare sector, pseudonymization is essential to protect health data while enabling research and analysis without compromising patient confidentiality. It is particularly employed when data is shared between multiple organizations, such as in the context of research or statistical studies: “The application of pseudonymisation in health data processing contexts can reduce risks to the rights of individuals while allowing necessary data analysis for research or statistical purposes”.

The EDPB guidelines provide numerous examples of how pseudonymization is applied, notably in the healthcare sector, to assist organizations in implementing this technique while complying with GDPR obligations. Consider an EDPB example concerning a medical analysis laboratory: before analyzing patients’ samples[7], the laboratory pseudonymizes all personal data (identity, contact details, test details). This personal data is replaced by pseudonyms, encoded as QR codes, which are then attached to the test tubes containing the samples.

This approach offers several advantages. First, the assignment of unique pseudonyms ensures there is no confusion, even between patients with similar or identical names (homonyms). Second, it clearly separates the personal data from the pseudonymized data, so that only the latter is used during the analysis work. This not only enables the automation of result notifications, but also minimizes the risk of human error and identity confusion.

Another concrete example of reducing confidentiality risks is that of a large university hospital which analyzes treatment data in order to optimize its service portfolio and billing procedures[8]. The objective here is to allow administrative (non-medical) staff to access sensitive data while enabling them to report irregularities to healthcare managers.

To that end, the data is pseudonymized, which prevents administrative staff from identifying patients. Only the data necessary for the analysis is transmitted, accompanied by an encrypted identifier for each patient. This method ensures that personnel who do not have access to the medical systems cannot deduce the health condition of a particular patient. Thus, even in a medium-level security environment, this approach effectively reduces confidentiality risks.

It is important to specify that a medium-level security environment corresponds in this example to the administrative environment, which differs from the higher-level security environment, corresponding to areas related to medical care.

III. Guidelines: What are the consequences for healthcare professionals?

Healthcare professionals and their data controllers will need to adjust their practices to comply with the new EDPB guidelines. This implies the implementation of technical and organizational measures to ensure that pseudonymized data cannot be attributed to patients without authorization. Among the actions to be taken, one can cite:

The implementation of strict access controls;

The use of appropriate, state-of-the-art pseudonymization techniques, such as encryption;

The separation of the supplementary information that enables pseudonymized data to be linked to its holders (the patients)[9].

Furthermore, the selection of the “pseudonymization domain” will be crucial to ensure that the data cannot be linked to a patient except in authorized situations and only by individuals possessing the necessary information: “Controllers must define a pseudonymization domain in which attribution of data to a specific data subject is prevented”.

Finally, it is important to emphasize that a purported pseudonymization wrongly qualified as anonymization can expose an organization to litigation, refusal of processing or even sanctions by the supervisory authority (CNIL). This is what JCDecaux experienced when the Council of State rejected its request for annulment, on grounds of abuse of power, of deliberation no. 2015-255, by which the CNIL had refused to authorize a processing whose purpose was to test a quantitative methodology for estimating pedestrian flows on the Champs-Élysées in Paris. The CNIL considered that the envisaged processing did not render the data anonymous, despite the “salting” and “hashing” techniques proposed by JCDecaux (Decision of February 8, 2017, no. 393714)[10].

Another example is that of Qwant, which was reminded of its legal obligations by the CNIL because the data transmitted to its partner Microsoft was not anonymized but pseudonymized, contrary to what the company’s privacy policy stated in 2019[11].

Finally, in its deliberation SAN-2024-013 of September 5, 2024, the CNIL also noted that “the restricted committee considers that the data processed by CEGEDIM SANTE until 2022 are pseudonymized and not anonymized”[12]. Consequently, because of its non-compliance (among other things) with the obligations attached to the processing of pseudonymized data, in particular the absence of prior authorization for the operation of its health data warehouse, CEGEDIM SANTE was fined €800,000.

In summary, a precise understanding of the distinction between pseudonymization and anonymization is essential to ensure compliance with the GDPR and to avoid the risks of data breaches or significant penalties from supervisory authorities.

IV. What is the legal difference between pseudonymization and anonymization in the processing of personal data?

One of the major contributions of the EDPB guidelines 2025 lies in the clarification of the distinction between pseudonymisation and anonymisation, not only from a technical but also a legal perspective.

Pseudonymisation, as defined in Article 4(5) of the GDPR, means that the personal data remains indirectly identifiable as long as the supplementary information is available. Such data therefore retains its status as personal data and is subject to the GDPR in its entirety. Consequently, as long as re-identification (even theoretical) remains possible, the data controller must comply with the personal data protection rules: the principles of purpose limitation, minimization, security, information of data subjects, etc.

Anonymization, conversely, requires that no identification is possible, even indirectly, and that this is irreversible. As the EDPB points out, this implies that it is objectively impossible for anyone, including the data controller or a third party, to attribute the data to a data subject. Anonymized data falls outside the scope of the GDPR.

Let us take a concrete example: a medical database used for a European research project is pseudonymized if researchers have a patient code and another entity separately holds the correspondence with the actual identity. However, if the data is rendered anonymous through aggregation (age in bracket, general pathology, without any identifying information) and no link can be re-established, then it is truly anonymized.
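The aggregation example above (age in brackets, general pathology, no identifying information) can be made concrete with a small script. The following is an added illustration and not code from the article or from the EDPB guidelines; the patient records, the diagnosis-to-pathology grouping and the use of k-anonymity as the check are all constructed assumptions. It drops direct identifiers, coarsens the remaining attributes, and then suppresses any record whose combination of coarsened attributes is shared by fewer than k records, since a class of size one can be linked back to a person by anyone who knows that person's age, department and pathology.

```python
from collections import Counter

# Constructed sample extract (hypothetical patients, not real data).
RAW = [
    {"name": "A. Martin", "age": 34, "postcode": "75011", "diagnosis": "type 2 diabetes"},
    {"name": "B. Petit",  "age": 38, "postcode": "75012", "diagnosis": "type 1 diabetes"},
    {"name": "C. Roux",   "age": 52, "postcode": "69003", "diagnosis": "asthma"},
    {"name": "D. Blanc",  "age": 57, "postcode": "69007", "diagnosis": "COPD"},
    {"name": "E. Leroy",  "age": 71, "postcode": "13001", "diagnosis": "hypertension"},
]

# Hypothetical generalisation hierarchy: specific diagnosis -> broad pathology class.
PATHOLOGY_CLASS = {
    "type 1 diabetes": "endocrine", "type 2 diabetes": "endocrine",
    "asthma": "respiratory", "COPD": "respiratory",
    "hypertension": "cardiovascular",
}

# Attributes that are not identifiers on their own but can identify in combination.
QUASI_IDENTIFIERS = ("age_bracket", "department", "pathology")


def generalise(record: dict) -> dict:
    """Drop the direct identifier (name) and coarsen the quasi-identifiers:
    exact age -> ten-year bracket, postcode -> department, diagnosis -> class."""
    decade = (record["age"] // 10) * 10
    return {
        "age_bracket": f"{decade}-{decade + 9}",
        "department": record["postcode"][:2],
        "pathology": PATHOLOGY_CLASS[record["diagnosis"]],
    }


def _key(record: dict) -> tuple:
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def equivalence_classes(records: list) -> Counter:
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(_key(r) for r in records)


def anonymise(records: list, k: int) -> tuple:
    """Generalise every record, then suppress those whose combination of
    quasi-identifiers is shared by fewer than k records.
    Returns (kept records, number of suppressed records)."""
    generalised = [generalise(r) for r in records]
    classes = equivalence_classes(generalised)
    kept = [r for r in generalised if classes[_key(r)] >= k]
    return kept, len(generalised) - len(kept)


def is_k_anonymous(records: list, k: int) -> bool:
    """True when every combination of quasi-identifiers occurs at least k times."""
    if not records:
        return False
    return min(equivalence_classes(records).values()) >= k


if __name__ == "__main__":
    kept, suppressed = anonymise(RAW, k=2)
    for row in kept:
        print(row)
    print(f"suppressed: {suppressed}, 2-anonymous: {is_k_anonymous(kept, 2)}")
```

Generalisation alone is not enough here: after coarsening, the 71-year-old in department 13 still forms a class of one and has to be suppressed before the extract is 2-anonymous. Whether a given k and set of quasi-identifiers actually meets the legal standard the article describes (no link can be re-established by anyone) is a case-by-case assessment that depends on what other data a recipient could combine with the extract; the script only makes the structural check explicit.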

The common mistake of professionals is to qualify a database as “anonymized” when it is only pseudonymized. This confusion exposes the organization to significant legal risks, as illustrated by the CNIL in several decisions, notably the CEGEDIM Santé case (SAN-2024-013) mentioned above. It can lead to administrative sanctions, or to restrictions on research or innovation projects.

V. What strategy to adopt to secure the processing of health data according to the EDPB recommendations?

The new guidelines from the EDPB invite healthcare sector actors to adopt a graduated and documented approach to pseudonymisation and anonymisation, integrated from the design of the processing (privacy by design).

First requirement: the clear identification of the type of data processed, whether directly identifying data (name, social security number), indirectly identifying data (age, medical history, location), or aggregated data. On the basis of this analysis, it is crucial to determine whether the data can be rendered anonymous (and therefore placed outside the scope of the GDPR), or whether it must be pseudonymized with all the guarantees that this imposes.

Second requirement: the choice of pseudonymization techniques. The EDPB insists on the use of robust, documented, and regularly updated methods. Simple hashing of an identifier, without pseudonymization domain management or separation of the supplementary information, is insufficient. The combined use of salting, asymmetric encryption, and access control is recommended.

Third requirement: processing governance. The controller must define who can access pseudonymized data, under what conditions, and with what limitations. The EDPB calls for the implementation of regular GDPR audits, transparent documentation (register of processing activities, impact assessments) and systematic data minimization policies.
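The laboratory example in section II and the second requirement above make the same point: a pseudonym is only as good as the separation of the supplementary information that reverses it. The following script is an added illustration, not code from the article or from the EDPB guidelines; the patient records, the identifier format and the `PseudonymisationService` class are constructed assumptions. It contrasts an unkeyed hash of the identifier (which anyone who knows the identifier can recompute, so nothing is actually kept separate) with a keyed hash whose secret key and lookup table are held by a separate service, so that re-identification is only possible inside that service and only when authorised. Encryption of the identifier, as mentioned in the text, would play the same role as the keyed hash here; the keyed hash is used only because it is available in the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical patients and identifiers, not real data).
SAMPLES = [
    {"name": "Alice Martin", "id_number": "2850375116123", "test": "HbA1c"},
    {"name": "Alice Martin", "id_number": "2901169123456", "test": "TSH"},   # homonym
    {"name": "Bob Durand",   "id_number": "1780613055321", "test": "CRP"},
]


def naive_pseudonym(id_number: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic and recomputable by
    anyone who knows the identifier: the transformation itself is public, so
    there is no separate supplementary information to protect."""
    return hashlib.sha256(id_number.encode()).hexdigest()[:16]


def naive_workflow(records: list) -> list:
    """Pseudonymise with the unkeyed hash (the approach the text calls insufficient)."""
    return [{"pseudonym": naive_pseudonym(r["id_number"]), "test": r["test"]} for r in records]


class PseudonymisationService:
    """Hypothetical separate entity holding the secret key and the lookup table.
    Key and table are the supplementary information that Art. 4(5) requires to be
    kept apart from the pseudonymised data; they never leave this class."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)          # fresh key per pseudonymisation domain
        self._table: dict[str, dict[str, str]] = {}  # pseudonym -> identity

    def pseudonymise(self, record: dict) -> dict:
        """Return a record carrying only the pseudonym and the test data."""
        tag = hmac.new(self._key, record["id_number"].encode(), "sha256")
        pseudonym = tag.hexdigest()[:16]
        self._table[pseudonym] = {"name": record["name"], "id_number": record["id_number"]}
        return {"pseudonym": pseudonym, "test": record["test"]}

    def reidentify(self, pseudonym: str, authorised: bool) -> dict:
        """Reversal is possible only here, and only in an authorised context."""
        if not authorised:
            raise PermissionError("re-identification outside the authorised context")
        return self._table[pseudonym]


def lab_workflow(records: list) -> tuple:
    """Pseudonymise a batch through the service; return (service, pseudonymised records)."""
    service = PseudonymisationService()
    return service, [service.pseudonymise(r) for r in records]


def outsider_can_link(pseudonymised: list, id_number: str, fn) -> bool:
    """Can someone holding only an identifier and a pseudonym function `fn`
    (but not the service's key) link that identifier to a pseudonymised record?"""
    return any(fn(id_number) == r["pseudonym"] for r in pseudonymised)


def reidentification_blocked(service: PseudonymisationService, pseudonym: str) -> bool:
    """True when an unauthorised reversal request is refused by the service."""
    try:
        service.reidentify(pseudonym, authorised=False)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    service, pseudonymised = lab_workflow(SAMPLES)
    for row in pseudonymised:
        print(row)  # no name or identifier reaches the analysis side
    print("unkeyed hash linkable by outsider:",
          outsider_can_link(naive_workflow(SAMPLES), "2850375116123", naive_pseudonym))
    print("keyed pseudonym linkable by outsider:",
          outsider_can_link(pseudonymised, "2850375116123", naive_pseudonym))
```

The two homonymous patients receive distinct pseudonyms because the pseudonym is derived from the identifier, not the name, which is the point of the laboratory example. The `outsider_can_link` check is the difference between the two approaches: with the unkeyed hash, holding the identifier is enough to recognise the record; with the keyed hash, a second `PseudonymisationService` (a different pseudonymisation domain with its own key) produces unrelated pseudonyms for the same identifier, so records cannot be linked across domains without the key.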


Essential legal support to secure your health data processing operations.

The publication of the EDPB’s 2025 guidelines marks a turning point in the regulation of health data processing. As pseudonymisation becomes an indispensable technical and legal requirement, professionals in the sector must exercise heightened vigilance.

The stakes are twofold: to ensure strict compliance with the GDPR and to avoid confusion between pseudonymized data and anonymized data, which would expose the entity to sanctions or regulatory blockages. Mastery of these concepts, their technical impacts, and their legal scope is now indispensable for any actor processing personal data in the healthcare sector.

Our law firm assists healthcare facilities, digital solutions publishers, research organizations and independent professionals in implementing processing strategies compliant with European requirements. From processing audits to drafting Data Protection Impact Assessments (DPIAs), through the validation of pseudonymization methods or the management of relationships with the CNIL, we intervene at every stage to legally secure your projects.

Do not hesitate to contact us for tailored support regarding GDPR compliance and health data processing.


Sources:

  1. https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en – CEPD/EDPB, Guidelines 01/2025 on Pseudonymisation ↩︎
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr – Regulation (EU) No 2016/679 on the protection of personal data (GDPR) ↩︎
  3. https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en – CEPD/EDPB, Guidelines 01/2025 on Pseudonymisation, page 3, “Pseudonymised data, which could be attributed to a natural person by the use of additional information, is to be considered information on an identifiable natural person, and is therefore personal.” ↩︎
  4. https://www.cnil.fr/fr/technologies/lanonymisation-de-donnees-personnelles#:~:text=L’anonymisation%20rend%20impossible%20l,de%20respecter%20sa%20vie%20priv%C3%A9e – CNIL, Anonymisation of personal data ↩︎
  5. https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en – CEPD/EDPB, Guidelines 01/2025 on Pseudonymisation, page 3, “[…] pseudonymisation can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons in the course of the processing of the data, and in the event of unauthorised access or use.” ↩︎
  6. Ibid, page 13, “Pseudonymisation may be employed by controllers and processors as one of several technical and organisational measures in order to implement data-protection principles according to Art. 25(1) GDPR, in particular data minimisation and confidentiality.” ↩︎
  7. Ibid, page 36, example 4 ↩︎
  8. Ibid, pages 39-40, example 6 ↩︎
  9. Ibid, page 12, “[…] [Controllers] subject the additional information to technical and organisational measures to ensure that the pseudonymised data cannot be attributed to data subjects by persons operating within that context. This means in particular that additional information that would enable attribution is kept separate from it.” ↩︎
  10. https://www.legifrance.gouv.fr/ceta/id/CETATEXT000034017907/ – Council of State, 10th – 9th Joint Chambers, 08/02/2017, 393714, “The CNIL, which, contrary to what the company submits […] has therefore not tainted its decision with an error of law or an error of assessment in considering, in light of all the means enabling the identification of the person holding the data transmitted, as prescribed by Article 2 of the law of 6 January 1978, that the identical objectives of the data collection by the company JCDecaux France were incompatible with anonymisation of the information collected.” ↩︎
  11. https://www.cnil.fr/fr/qwant-cnil-traitement-des-donnees-personnelles-rappel-obligations-legales – CNIL, QWANT : The CNIL believes that the search engine processes personal data and addresses it with a reminder of its legal obligations, “In its decision, the president of the CNIL recalled that, despite the strong precautions taken in 2019 to avoid re-identification of individuals, the dataset transmitted to MICROSOFT was not anonymized but only pseudonymized.” ↩︎
  12. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050202759 – CNIL, Deliberation SAN-2024-013 of 5 September 2024 (CEGEDIM SANTE) ↩︎

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS)
AARPI