Jump to

Pseudonymization

What is pseudonymization?

Pseudonymization is processing personal data so it can no longer be attributed to a person without additional information kept separately under technical and organisational safeguards (GDPR Art. 4(5)) — replacing names with user IDs, hashing emails, tokenizing records. The critical point: pseudonymized data is still personal data. Only anonymization — irreversible non-identifiability — takes data outside the law’s scope.

Why it matters anyway

Pseudonymization is the workhorse security measure regulators expect: it mitigates breach impact, supports data-minimisation arguments, helps satisfy security obligations under GDPR Art. 32 and KVKK’s technical-measures catalogue, and strengthens legitimate-interest balancing. In AI pipelines it is the standard pre-processing step before training on user data — but a model trained on pseudonymized records is still trained on personal data, with all legal-basis consequences.

The classification traps

Hashed identifiers are pseudonymous, not anonymous — hashes are consistent and linkable. Aggregates can re-identify when cohorts are small. And “we removed the names” fails the test if combined fields (workplace + role + city) single a person out. Turkish Board practice follows the same substance: reversibility anywhere in the organisation means personal data.

Does pseudonymization allow us to skip consent?

No — it changes the risk profile, not the need for a legal basis. It can, however, tip a legitimate-interest balance in your favour.

Pseudonymized data in a data room — safe to share?

Safer, not safe: sharing still constitutes processing/transfer of personal data; use aggregation or true anonymization for diligence sets where possible.

Related: anonymization, data protection.