Survey for Submission of Allegations

The European Data Protection Committee has published the Guidelines 01/2025 on Pseudonymisation for public consultation at https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en

The scientific community is invited to submit their allegations. The European Data Protection Board press release states:

"The guidelines provide two important legal clarifications:

Pseudonymised data, which could be attributed to an individual by the use of additional information, remains information related to an identifiable natural person and is therefore still personal data. Indeed, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.

Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis (Art. 6(1)(f)  GDPR), as long as all other GDPR requirements are met. Likewise, pseudonymisation can aid in securing compatibility with the original purpose (Art. 6(4) GDPR).

The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR). Finally, the guidelines analyse technical measures and safeguards, when using pseudonymisation, to ensure confidentiality and prevent unauthorised identification of individuals."

In our opinion, it is essential to express the opinion of the scientific and research community in the field of health data research insofar as:

1.- 1.- It does not modify or contribute to the criteria established in the Opinion 5/2014 on anonymisation. 

2.- The document seems to make the concept of pseudonymisation objective regardless of the circumstances of the data user or the secure processing environment. In this way, and unless we have misinterpreted the wording, data integrated in a secure environment could be considered pseudonymised even if there are tools that prevent the user of the system or a third party from accessing or re-identifying the data. 

3.-The interplay of this position with the European Health Data Space Regulation can have severe consequences. Article 66 (3) establishes anonymisation by default for processing electronic health data for secundary uses. Pseudonymised data processing is only allowed if the health data user has sufficiently demonstrated that the purpose of processing cannot be achieved with anonymised data. What will happen to the EHDS if, due to the EDPB criteria, anonymisation becomes extremely difficult?  

This survey was proposed by the research professor Ricard Martínez Martínez and in no case does it express the opinion of Microsoft or the University of Valencia

To send us your allegations, please fill in this questionnaire https://forms.office.com/e/XdNc2DnyDX?origin=lprLink