
GDPR Anonymization vs. Pseudonymization...

A company claimed its data was 'anonymized' in order to escape the GDPR. The regulator found it was only 'pseudonymized'.

April 20, 2026 · 8 min read
Tags: GDPR, anonymization, pseudonymization, Article 4, Recital 26, personal data scope, €20 million fine, anonymization compliance determination

The Critical Distinction for European Regulators

Anonymization and pseudonymization sound technically similar but are legally very different under the GDPR.

Anonymization (Recital 26; the data ceases to be personal data under Article 4(1), so the GDPR does not apply):

  • The data is modified so that re-identification is not reasonably likely by any means, and the transformation is irreversible
  • No secret key, no reverse mapping
  • No additional information, held by anyone, would enable re-identification
  • Result: it is no longer personal data; the GDPR does not apply

Pseudonymization (Article 4(5); the GDPR applies in full):

  • Direct identifiers are replaced with codes, hashes or encrypted values
  • Re-identification remains possible using a secret key or additional information
  • Processing requires safeguards, access logs, a DPA and, where applicable, a DPIA
  • Result: it is still personal data under the GDPR; all protections are mandatory

The €20M case study (German regulator):

The company processed customer records for analytics. Its process:

  1. Remove customer names → replace with a hash
  2. Remove email addresses → replace with a hash
  3. Keep device IDs, transaction amounts and timestamps unchanged

The company claimed the result was 'anonymous' because no direct identifiers remained. The regulator investigated and found:

  • The hash was deterministic and unsalted (same name → same hash), so anyone holding a list of candidate names could re-identify records by recomputing the hashes and matching them
  • The combination of device ID + transaction amount + timestamp was unique for 85% of customers, singling them out without touching any hash
  • The company itself could re-identify trivially: it held the original customer list and the hashing procedure, so it could recompute and match every hash
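The two findings above are easy to reproduce. The following is an added example, not code from the original article or from the regulator's file, using constructed sample records: it applies the case's unsalted SHA-256 scheme, re-identifies every record with a dictionary attack that never "reverses" the hash, measures how many records are already unique on the quasi-identifiers left in the clear, and contrasts this with a keyed HMAC (which still counts as pseudonymization) and with generalizing the quasi-identifiers. The record values, the key and the 10-unit amount bands are all assumptions for the demonstration.

```python
"""Added example (not from the original article): why the scheme described
above is pseudonymization, not anonymization. Sample data is constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; not real customers.
CUSTOMERS = [
    {"name": "Ana Reyes",  "email": "ana@example.com",   "device_id": "dev-001", "amount": 19.99, "ts": "2026-03-01T10:15"},
    {"name": "Ben Santos", "email": "ben@example.com",   "device_id": "dev-001", "amount": 19.99, "ts": "2026-03-01T10:15"},
    {"name": "Carla Cruz", "email": "carla@example.com", "device_id": "dev-002", "amount": 12.50, "ts": "2026-03-01T18:40"},
    {"name": "Dan Lim",    "email": "dan@example.com",   "device_id": "dev-003", "amount": 45.00, "ts": "2026-03-02T09:05"},
    {"name": "Eva Tan",    "email": "eva@example.com",   "device_id": "dev-004", "amount": 48.75, "ts": "2026-03-02T21:30"},
    {"name": "Felix Ong",  "email": "felix@example.com", "device_id": "dev-005", "amount": 15.00, "ts": "2026-03-01T08:00"},
]
QUASI_IDS = ("device_id", "amount", "ts")


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def naive_pseudonymize(rec):
    """The case-study scheme: unsalted SHA-256 of name and email, everything else kept."""
    return {"name_hash": sha256_hex(rec["name"]),
            "email_hash": sha256_hex(rec["email"]),
            **{q: rec[q] for q in QUASI_IDS}}


def keyed_pseudonymize(rec, key):
    """HMAC-SHA256 with a secret key (assumed key for the demo). Defeats the
    dictionary attack for anyone without the key, but the key holder can still
    link and re-identify records, so this is still pseudonymization (Art. 4(5))."""
    def tag(s):
        return hmac.new(key, s.encode(), hashlib.sha256).hexdigest()
    return {"name_hash": tag(rec["name"]),
            "email_hash": tag(rec["email"]),
            **{q: rec[q] for q in QUASI_IDS}}


def dictionary_reidentify(pseudo_recs, candidate_names):
    """No hash 'reversal' needed: recompute the deterministic hash for every
    candidate name (the company's own customer list, a directory, a breach dump)
    and match it against the stored hashes."""
    lookup = {sha256_hex(n): n for n in candidate_names}
    return {r["name_hash"]: lookup[r["name_hash"]]
            for r in pseudo_recs if r["name_hash"] in lookup}


def unique_fraction(recs, quasi_ids):
    """Share of records whose quasi-identifier combination is unique (k = 1):
    those records single out one person without any hash at all."""
    def key(r):
        return tuple(r[q] for q in quasi_ids)
    counts = Counter(key(r) for r in recs)
    return sum(1 for r in recs if counts[key(r)] == 1) / len(recs)


def generalize(rec):
    """One mitigation: drop the device ID, band the amount (assumed 10-unit bands)
    and truncate the timestamp to the day. This lowers uniqueness on these columns;
    it does not by itself prove the data anonymous, since other linkable data may exist."""
    return {"amount_band": int(rec["amount"] // 10) * 10, "day": rec["ts"][:10]}


def run_checks(key=b"constructed-demo-key"):
    """Run all four checks and return the figures a regulator would look at."""
    naive = [naive_pseudonymize(r) for r in CUSTOMERS]
    keyed = [keyed_pseudonymize(r, key) for r in CUSTOMERS]
    names = [r["name"] for r in CUSTOMERS]  # the list the company itself holds
    return {
        "naive_reidentified": len(dictionary_reidentify(naive, names)),
        "keyed_reidentified_without_key": len(dictionary_reidentify(keyed, names)),
        "unique_fraction_raw": unique_fraction(naive, QUASI_IDS),
        "unique_fraction_generalized": unique_fraction(
            [generalize(r) for r in CUSTOMERS], ("amount_band", "day")),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

On this constructed sample every naively hashed record is re-identified from the company's own name list, two thirds of the records are already unique on device ID, amount and timestamp before any hash is examined, and the keyed variant resists the dictionary attack only for parties without the key. Note that neither the HMAC nor the generalization turns the extract into anonymous data in the Recital 26 sense; they reduce specific re-identification routes while the controller keeps the ability to link back.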

The regulator's ruling: this was pseudonymization, not anonymization. The company therefore needed:

  • Data Protection Impact Assessment
  • Lawful basis documentation
  • Data Processing Agreement with processors
  • Right-to-erasure deletion procedures
  • Access logs and an audit trail

The company had met none of these requirements. The fine: €20 million.

The lesson: true anonymization is irreversible and leaves no practical route back to the individual. If the company retains the ability or the intent to reverse the transformation, it is pseudonymization and the GDPR applies in full.

Ready to protect your data?

Start anonymizing PII with 285+ entity types in 48 languages.