GRI

EDPB adopts pseudonymisation guidelines and paves the way to improve cooperation with competition authorities

News Data protection Guidance
Date: 17th Jan, 2025 Source: European Data Protection Board Country: European Union Original Source

Brief

"On 17/01/2025, the European Data Protection Board issued an update regarding EDPB adopts pseudonymisation guidelines and paves the way to improve cooperation with competition authorities". The guidelines clarify the definition and applicability of pseudonymisation and pseudonymised data, providing legal clarifications on its use for GDPR compliance. Additionally, the EDPB adopted a position paper on the interplay between data protection law and competition law, suggesting steps for incorporating market factors into data protection practices and improving cooperation between regulators.

Brussels, 17 January – During its January 2025 plenary meeting, the European Data Protection Board (EDPB) has adopted guidelines on pseudonymisation, as well as a statement on the interplay of competition law and data protection.EDPB clarifies the use of pseudonymisation for GDPR complianceThe GDPR introduces the term ‘pseudonymisation’* and refers to it as a safeguard that may be appropriate and effective to meet data protection obligations. In its guidelines, the EDPB clarifies the definition and applicability of pseudonymisation and pseudonymised data, and the advantages of pseudonymisation.The guidelines provide two important legal clarifications:

Pseudonymised data, which could be attributed to an individual by the use of additional information, remains information related to an identifiable natural person and is therefore still personal data. Indeed, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.
Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis (Art. 6(1)(f) GDPR), as long as all other GDPR requirements are met. Likewise, pseudonymisation can aid in securing compatibility with the original purpose (Art. 6(4) GDPR).

The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR).Finally, the guidelines analyse technical measures and safeguards, when using pseudonymisation, to ensure confidentiality and prevent unauthorised identification of individuals.The guidelines will be subject to public consultation until 28 February 2025, providing stakeholders with the opportunity to comment and allowing for the incorporation of future developments in case law.Interplay between data protection law and competition law: the EDPB’s take on how to improve cooperation between regulatorsDuring the plenary meeting, the EDPB also adopted a position paper on the interplay between data protection law and competition law.The CJEU Meta vs. Bundeskartellamt ruling of 4 July 2023 clearly indicated that data protection and competition authorities are required to work together, in some cases, to achieve effective and coordinated enforcement of data protection and competition law. While these are separate areas of law pursuing different goals in different frameworks, they may in some cases apply to the same entities. It is therefore important to assess situations where the laws may intersect.In this position paper, the EDPB explains how data protection and competition law interact. It suggests steps for incorporating market and competition factors into data protection practices and for data protection rules to be considered in competition assessments. It also provides recommendations for improving cooperation between regulators. For example: authorities should consider creating a single point of contact to manage coordination with other regulators.
EDPB Deputy Chair Zdravko Vukíc said: “As business models evolve, the need to protect personal data is becoming increasingly central. The EDPB promotes coherence among separate but interacting areas of regulation, to ensure the best possible protection of individuals. To this end, we will continue to work together with Competition Authorities to strengthen the ability of Data Protection Authorities (DPAs) to take into account the economic context, and the ability of Competition Authorities to incorporate data protection considerations in their assessments and decisions.”

Note to editors:*’ Pseudonymisation’ is defined in Art. 4 (5) GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

Highlights content goes here...

Purpose:

The European Data Protection Board (EDPB) has adopted guidelines on pseudonymisation, as well as a statement on the interplay between competition law and data protection. These guidelines aim to clarify the use of pseudonymisation for General Data Protection Regulation (GDPR) compliance, providing a framework for organisations to ensure the secure processing of personal data.

Effects on Industry:

The adoption of these guidelines is expected to have a significant impact on industries that rely heavily on the processing of personal data. The clarification on pseudonymisation and its applicability will help organisations ensure GDPR compliance, reducing the risk of non-compliance and associated fines. Furthermore, the guidelines will aid in securing compatibility with the original purpose of data processing, making it easier for companies to use legitimate interests as a legal basis.

The interplay between data protection law and competition law position paper is also expected to have a significant impact on industries where competition law and data protection intersect. The recommendations for improving cooperation between regulators and creating a single point of contact will help streamline coordination efforts, ensuring effective and coordinated enforcement of both laws.

Relevant Stakeholders:

The EDPB guidelines and position paper are relevant to various stakeholders, including:

  • Organisations that process personal data, such as companies in the tech industry

  • Data protection authorities (DPAs) responsible for enforcing GDPR compliance

  • Competition authorities responsible for enforcing competition law

  • Consumers who rely on the secure processing of their personal data

Next Steps:

The guidelines will be subject to public consultation until 28 February 2025, providing stakeholders with the opportunity to comment and allowing for the incorporation of future developments in case law. Organisations are advised to review the guidelines carefully and ensure compliance with GDPR regulations.

In terms of implementing the recommendations from the position paper on interplay between data protection law and competition law, authorities should consider creating a single point of contact to manage coordination efforts. This will help streamline communication and ensure effective cooperation between regulators.

Any Other Relevant Information:

The adoption of these guidelines and the position paper on interplay between data protection law and competition law marks an important step in promoting coherence among separate but interacting areas of regulation. The EDPB’s Deputy Chair, Zdravko Vukíc, highlighted the need to protect personal data as business models evolve, ensuring the best possible protection of individuals.

The guidelines and position paper are also notable for their consideration of future developments in case law, demonstrating the EDPB’s commitment to keeping pace with changing regulatory landscapes. As business models continue to evolve, it is essential that organisations stay up-to-date with the latest regulations and guidelines to ensure compliance and maintain trust with consumers.

European Data Protection Board

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
Maintenance of Good Practice Certificate Queries
Date: 4th Feb, 2025 Source: National Health Surveillance Agency (Anvisa) Country: Brazil
News Healthcare & Pharma Guidance
Are your organisation’s edge devices secure?
Date: 5th Feb, 2025 Source: Australian Cyber Security Centre (ACSC) Country: Australia
News Cybersecurity Guidance
How EASA certified Safran’s ENGINeUS 100 electric engine
Date: 4th Feb, 2025 Source: European Union Aviation Safety Agency (EASA) Country: European Union
News Aviation & Aerospace Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales