Brussels, 17 January - During its January 2025 plenary meeting, the European Data Protection Board (EDPB) has adopted guidelines on pseudonymisation, as well as a statement on the interplay of competition law and data protection.

EDPB clarifies the use of pseudonymisation for GDPR compliance

The GDPR introduces the term ‘pseudonymisation’* and refers to it as a safeguard that may be appropriate and effective to meet data protection obligations. In its guidelines, the EDPB clarifies the definition and applicability of pseudonymisation and pseudonymised data, and the advantages of pseudonymisation.

The guidelines provide two important legal clarifications:

1. Pseudonymised data, which could be attributed to an individual by the use of additional information, remains information related to an identifiable natural person and is therefore still personal data. Indeed, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.
    
2. Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis (Art. 6(1)(f)  GDPR), as long as all other GDPR requirements are met. Likewise, pseudonymisation can aid in securing compatibility with the original purpose (Art. 6(4) GDPR).

The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR).

Finally, the guidelines analyse technical measures and safeguards, when using pseudonymisation, to ensure confidentiality and prevent unauthorised identification of individuals.

The guidelines will be subject to public consultation until 28 February 2025, providing stakeholders with the opportunity to comment and allowing for the incorporation of future developments in case law.

Interplay between data protection law and competition law: the EDPB’s take on how to improve cooperation between regulators

During the plenary meeting, the EDPB also adopted a position paper on the interplay between data protection law and competition law.

The CJEU Meta vs. Bundeskartellamt ruling of 4 July 2023 clearly indicated that data protection and competition authorities are required to work together, in some cases, to achieve effective and coordinated enforcement of data protection and competition law. While these are separate areas of law pursuing different goals in different frameworks, they may in some cases apply to the same entities. It is therefore important to assess situations where the laws may intersect.

In this position paper, the EDPB explains how data protection and competition law interact. It suggests steps for incorporating market and competition factors into data protection practices and for data protection rules to be considered in competition assessments. It also provides recommendations for improving cooperation between regulators. For example: authorities should consider creating a single point of contact to manage coordination with other regulators.

EDPB Deputy Chair Zdravko Vukíc said: “As business models evolve, the need to protect personal data is becoming increasingly central. The EDPB promotes coherence among separate but interacting areas of regulation, to ensure the best possible protection of individuals. To this end, we will continue to work together with Competition Authorities to strengthen the ability of Data Protection Authorities (DPAs) to take into account the economic context, and the ability of Competition Authorities to incorporate data protection considerations in their assessments and decisions.”

Note to editors:

*’ Pseudonymisation’ is defined in Art. 4 (5) GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

The EDPS issues its concept note towards a Digital Clearinghouse 2.0 for a consistent, cooperative and coherent approach to enforcing EU laws regulating digital markets.

Read Blogpost and Concept Note 

Hearing of candidates Bruno Gencarelli, François Pellegrini, Anna Pouliou and Wojciech Wiewiórowski before the Committee on Civil Liberties, Justice and Home Affairs for the appointment of the European Data Protection Supervisor.

The European Data Protection Supervisor is appointed by a joint decision of the European Parliament and the European Council for a five year term. 

Watch livestreaming

Read questions

In October 2022, the EDPS carried out an audit on Frontex’s activities when assisting Member States at the EU external borders in joint operations.  In particular, the EDPS focused on debriefing interviews by Frontex of individuals intercepted while crossing external borders and the Agency’s further use of the information collected in this context. 

Read the press release

We thank you all for your support over the previous year. It has been a true pleasure sharing this journey with you. In 2024, we enjoyed significant achievements. Europrivacy suitability for European accreditation was approved by the European Co-operation for Accreditation (EA), several certification bodies completed their successful Europrivacy accreditation, and the first Europrivacy certifications […]

The post Happy New Year 2025! appeared first on Europrivacy Community.