Identification, Pseudonymization, and Anonymization
Home » The GDPR » Main Concepts » Identification, Pseudonymization, and Anonymization

Bud P. Bruegger (ULD)

Acknowledgements: Parts of the underlying research and writing have been conducted as part of the Forum Privatheit project which has received funding from the German Federal Ministry of Education and Research (BMBF). Discussions with and feedback on an extended version from Marit Hansen, Harald Zwingelberg and Benjamin Bremert, all ULD, and Jessica Schroers, KU Leuven, were very helpful and helped improve the content. Jessica Schroers also reviewed this shortened version of the document.

The final version of this document was validated by Hans Graux, guest lecturer on ICT and privacy protection law at the Tilburg Institute for Law, Technology, and Society (TILT) and at the AP Hogeschool Antwerpen. President of the Vlaamse Toezichtscommissie (Flemish Supervisory Committee), which supervises data protection compliance within Flemish public sector bodies.

Objective and Outline

This section describes pseudonymization and anonymization according to the GDPR and how to implement it.

Both, pseudonymization and anonymization are related concepts. In particular, they are both defined in terms of identification. For this reason, both topics are discussed in a single section and the first subsection analyses the concrete technical meaning of identification.

More detailed analysis

The present guidelines constitute a summary of a far more detailed analysis of the same concepts[1]. These guidelines aim at focusing mostly on practical issues, leaving it to the more detailed analysis to derive the findings from the text of the GDPR[2] and provide a rational for the presented conceptualization.



1The full detailed analysis is available from

2Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter GDPR.

Skip to content