August 9, 2025
3 min read
Analysis of anonymised data under GDPR reveals that data is considered anonymised when it is “rendered anonymous in such a manner that the data subject is not or no longer identifiable” (GDPR, Recital 26). This standard was clarified by the Article 29 Working Party, which emphasized that anonymisation must be irreversible and that “the risk of re-identification must be negligible” (WP29 Opinion 05/2014).
Key findings:
Anonymisation techniques:
Common methods include aggregation, data masking, and randomization. However, true anonymisation requires that none of these processes leave any possibility for re-identification, even when combined with other accessible datasets (Ohm, 2010).
Legal status:
Anonymised data falls outside the definition of personal data and is therefore not subject to GDPR restrictions (GDPR, Art. 4(1)).
“Information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable” is not personal data (GDPR Recital 26).
Practical challenges:
Researchers argue that absolute anonymisation is rarely achievable due to advances in data analytics and the increasing availability of auxiliary data. Narayanan and Shmatikov (2008) demonstrated that de-identified Netflix viewing records could be re-identified by linking with IMDb ratings.
Risk of re-identification:
The risk increases when datasets are rich or when attackers possess background information. The GDPR requires a “reasonable likelihood” test: if identification is “reasonably likely,” the data should not be considered anonymised.
Pseudonymisation vs. anonymisation:
GDPR distinguishes between the two:
Results indicate:
In summary, anonymised data under GDPR means irreversibly de-identified information, where identifiability is not possible by any means “reasonably likely to be used”. Yet, due to evolving threats, continuous evaluation of anonymisation processes is essential.
