The European Data Protection Board (EDPB) published, on Tuesday 7 July, guidelines intended to help organisations determine under what conditions data can be considered “securely anonymised”, in order to allow, where “possible and proportionate”, the free and effective use of data while preserving the rights and protection of the persons concerned.
The guidelines set out a framework based on three criteria for verifying whether data are effectively anonymised: the impossibility of isolating a record (no record isolation), the impossibility of establishing links (no linkage) and the impossibility of inferring information about a person (no inference). The no record isolation criterion is considered to be met when the data do not contain a unique combination of attribute values that can be linked to a single person. By way of example, the EDPB mentions the case of a research institute holding a dataset containing individual patient records, including in particular sex, date of birth, postcode and the autoimmune disease affecting the patient. Aggregated data generally meet this criterion. When properly aggregated, they relate to groups of people and no longer contain individual records liable to be isolated.
The no linkage criterion is met when an individual record cannot be linked, with certainty or high likelihood, to another record concerning the same person, including when it comes from another dataset.
Lastly, the no inference criterion is met when no specific and meaningful inference concerning a person can be drawn from the data made available.
When these three criteria are met, the EDPB considers that the data may be regarded as securely anonymous. Otherwise, further analysis is necessary in order to determine whether the data may nevertheless be considered anonymous, notably by checking whether isolated records, possibly combined with linked data, make it possible to identify or distinguish a person.
The guidelines also propose two approaches for this assessment: a contextual approach, which takes account of differences in capabilities between actors likely to identify the person concerned or the data subject, and a simplified approach which, for the sake of simplification, does not take those differences into consideration.
In September 2025, the Court of Justice of the European Union ruled that pseudonymised data should not be considered, in all cases and in relation to every person, as personal data within the meaning of Regulation (EU) 2018/1725, notably where the person concerned is not or is no longer identifiable.
These guidelines, adopted on Tuesday 7 July and now subject to public consultation until 30 October, come as the European Union is examining the ‘Digital Omnibus’ legislative package, which aims in particular to simplify the application of the General Data Protection Regulation (GDPR) (see EUROPE 13897/15).
See the document: https://aeur.eu/f/ms9 (Original version in French by Ana Pisonero Hernández)