
GDPR Anonymization vs. Pseudonymization: The Difference That Can Cost You 20 Million Euros

GDPR treats anonymized and pseudonymized data fundamentally differently. True anonymization takes the data out of GDPR scope entirely. Pseudonymization keeps the data inside GDPR scope: it is still personal data. DPAs have specifically called out "inefficient anonymisation techniques" in the 2025 CEF enforcement review.

March 5, 2026 · 8 min read

Tags: GDPR anonymization, pseudonymization, Article 4, Recital 26, personal data scope, 20 million EUR fine, anonymization compliance determination

The 20 Million Euro Distinction

GDPR Article 83(5) sets the maximum penalty at €20 million or, for an undertaking, 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the infringements it lists (including the basic principles of processing and data subject rights). Whether a dataset is anonymized or merely pseudonymized determines whether GDPR applies to it at all, and therefore whether that maximum fine exposure is in play.

GDPR Recital 26 defines the anonymization threshold: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable." The key phrase is "not or no longer identifiable". Recital 26 also says how to test it: account must be taken of all the means reasonably likely to be used to identify the person, such as singling out, either by the controller or by another person, considering objective factors such as the cost and time required for identification and the technology available at the time of processing and expected developments. The test is not whether the controller intends to re-identify, but whether anyone reasonably could.

GDPR Article 4(5) defines pseudonymization: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person." Pseudonymized data is explicitly not anonymous. Recital 26 states that personal data which have undergone pseudonymization, and which could be attributed to a natural person by the use of additional information, "should be considered to be information on an identifiable natural person." The key, token table, or mapping that would re-attribute the record is that additional information, and its existence anywhere (with the controller, a processor, or a third party) keeps the output inside GDPR scope.

The practical implication: an organization that believes its analytics dataset is "anonymized" (outside GDPR) when it is actually "pseudonymized" (inside GDPR) will typically have incorrect Article 30 ROPA entries, no data subject rights procedure covering the dataset, no retention limit applied to it, no Chapter V transfer safeguards for any cross-border analytics processing, and no mechanism to locate and erase a person's records on a right-to-erasure request. Each of these deficiencies is an independent GDPR violation, and they accumulate for as long as the misclassification persists.

The CEF Enforcement Signal

The EDPB's 2025 Coordinated Enforcement Framework specifically identified "inefficient anonymisation techniques used as an alternative to deletion" as a recurring compliance failure. This finding signals that DPAs are evaluating anonymization quality, not just the presence or absence of an anonymization step.

The Dutch Data Analytics Company Use Case illustrates the correct approach: a company offering "anonymized" customer datasets to third-party researchers uses the Redact method (permanent removal of PII with no token mapping). The resulting dataset has no pathway back to the removed identifiers: no key, no token table, no hash preimage. The DPO documents this determination in the DPIA: method used, identifier types covered, irreversibility basis, and a residual re-identification risk assessment. That last item matters because removing direct identifiers does not by itself settle the Recital 26 question: quasi-identifiers left in the output (postcode, date of birth, rare attribute combinations) can still single a person out or link to other datasets, and the assessment has to show that such residual risk is not reasonably exploitable. With that documented, the dataset is outside GDPR scope, and GDPR obligations (including data subject rights, retention limits, and transfer safeguards) do not apply to the third-party research copies.

Method Selection by Compliance Goal

Outside GDPR scope (true anonymization): Use Redact (permanent removal), or Hash only where the input is genuinely high-entropy and not enumerable. An unsalted hash of an email address, phone number, national ID number, or date of birth is not one-way in practice: the input space is small enough to enumerate, hash, and match. Even a keyed hash of a high-entropy value produces a deterministic token that persists across releases, which supports the singling out and linkage that Recital 26 counts as identification; the Article 29 Working Party's Opinion 05/2014 on anonymisation techniques classifies hash functions, including keyed ones, as pseudonymisation rather than anonymisation. Treat Hash as an anonymization method only after the DPIA records why neither enumeration nor linkage is reasonably likely. Document the anonymization basis. No GDPR obligations apply to the output.

Inside GDPR scope with reduced risk (pseudonymization): Use Replace (token substitution with a separately held mapping), Mask (partial overwriting), or Encrypt. All GDPR obligations continue to apply. Pseudonymization reduces the risk of harm from unauthorized access to the output, and the controller can count it as an Article 32 security measure, but it does not remove GDPR scope.

Controlled reversibility (research, audit, discovery): Use Encrypt with client-held keys. GDPR applies. Key custody arrangements must meet the key separation requirements in the EDPB's pseudonymisation guidelines (Guidelines 01/2025): the key is the additional information of Article 4(5) and must be held apart from the pseudonymized output, under access controls, by a party who does not also receive that output. Document the pseudonymization domain, that is, who holds the additional information and who does not.
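The three outcomes above (anonymized, pseudonymized with a separately held mapping, and "hashed" data that is reversible by enumeration) are easier to see on a concrete record. The following Python is an added example written for this article, not the vendor's Redact/Replace/Hash implementation; the record, field names, and the 1920 to 2010 date-of-birth range are constructed for illustration. It redacts direct identifiers, inverts an unsalted SHA-256 of a date of birth by enumerating every possible date, and tokenizes identifiers with a mapping table that is the "additional information" of Article 4(5).

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample record; every value here is invented for this example.
RECORD = {
    "name": "Anna de Vries",
    "dob": "1987-04-12",
    "email": "anna.devries@example.com",
    "visits": 7,
}
DIRECT_IDENTIFIERS = ("name", "dob", "email")


def redact(record, fields=DIRECT_IDENTIFIERS):
    """Redact: drop the identifying fields outright. Nothing is retained that
    could map the output back to the person (no key, no token table, no hash),
    so this is the only operation here that is a candidate for Recital 26 anonymity."""
    return {k: v for k, v in record.items() if k not in fields}


def plain_hash(value):
    """Unsalted SHA-256, the way naive 'anonymization' is often implemented."""
    return hashlib.sha256(value.encode()).hexdigest()


def invert_dob_hash(digest, first=date(1920, 1, 1), last=date(2010, 12, 31)):
    """Recover a date of birth from its unsalted hash by enumerating the whole
    input space (about 33,000 dates). The hash is not one-way in practice when
    the input is low-entropy; phone numbers and ID numbers fall the same way."""
    d = first
    while d <= last:
        if plain_hash(d.isoformat()) == digest:
            return d.isoformat()
        d += timedelta(days=1)
    return None


def keyed_pseudonym(value, key):
    """HMAC-SHA256 pseudonym: enumeration fails without `key`, but the output is
    deterministic, so records sharing a value still link. The key is the
    Article 4(5) additional information: pseudonymization, not anonymization."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def replace_with_tokens(record, table, fields=DIRECT_IDENTIFIERS):
    """Replace: swap each identifier for a random token and record the mapping
    in `table`, which must be stored separately from the output. The table is
    what keeps the tokenized output inside GDPR scope."""
    out = dict(record)
    for f in fields:
        token = secrets.token_hex(8)
        table[token] = record[f]
        out[f] = token
    return out


def reidentify(pseudonymized, table, fields=DIRECT_IDENTIFIERS):
    """Reverse the replacement; only possible for whoever holds `table`."""
    return {k: (table[v] if k in fields else v) for k, v in pseudonymized.items()}


if __name__ == "__main__":
    print("redacted:", redact(RECORD))
    digest = plain_hash(RECORD["dob"])
    print("unsalted DOB hash inverted to:", invert_dob_hash(digest))
    key = secrets.token_bytes(32)
    print("keyed pseudonym:", keyed_pseudonym(RECORD["email"], key))
    table = {}
    tokens = replace_with_tokens(RECORD, table)
    print("tokenized:", tokens)
    print("re-identified:", reidentify(tokens, table))
```

Run it and the inverted date comes back in well under a second, which is the practical content of the Hash caveat above. The redacted record carries only the `visits` count and no way back; the tokenized record is reversible for anyone holding `table`, and the keyed pseudonym is reversible for anyone holding `key` plus a candidate list. Where the DPIA claims anonymity, it should be able to point to the absence of any such artefact.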

