Anonymous for whom? The EDPB’s new framework for anonymisation under the GDPR

Anonymisation promises significant advantages. Once information has been successfully anonymised, it no longer qualifies as personal data and falls outside the scope of the GDPR. It may therefore be used, shared and analysed with considerably greater freedom.

But when is data truly anonymous? Removing names and other direct identifiers is rarely enough. Data may still reveal individuals through combinations of attributes, links with other datasets or inferences drawn from aggregate information. Advances in artificial intelligence and data analytics have made that assessment even more complex.

On 7 July 2026, the European Data Protection Board adopted its new Guidelines 02/2026 on Anonymisation for public consultation. They replace neither the GDPR’s legal test (Recital 26 GDPR) nor the need for a case-by-case assessment. Yet they substantially update the approach taken in the Article 29 Working Party’s 2014 Opinion and provide a detailed legal and technical framework for determining whether information has been successfully anonymised.

The central message is clear: anonymity is not an abstract property of a dataset. It must be assessed in its specific context, from the perspective of the entities that may have access to the data and by reference to the means they are reasonably likely to use.

Anonymous data as the mirror image of personal data

The starting point of the Guidelines is the GDPR’s legal test set out in Recital 26 GDPR: information is anonymous where it does not relate to an identified or identifiable natural person.

The assessment therefore consists of two questions:

  1. Does the information relate to a natural person?
  2. Is that person identified or identifiable?


If either question is answered in the negative, the information is anonymous from the relevant perspective.

The first part of the test is broader than it may initially appear. Information may relate to a person by reason of its content, purpose or effect. It may be directly about an individual, used to evaluate or influence them, or capable of affecting their rights and interests.

This includes information that appears, at first sight, to relate only to an object, organisation or group, e.g. vehicle data may relate to the driver or information about a house may relate to its owner. Aggregate information may relate to individual members of the group if further processing allows conclusions to be drawn about them.

The second part asks whether the individual can be distinguished from others in a relevant context and consequently treated differently. Identification does not require knowledge of the person’s civil identity or name. A person may already be identified where they can be persistently recognised, profiled or singled out, even if their real-world identity remains unknown.

This is particularly relevant for online identifiers, device fingerprints and pseudonymous user IDs. A digital advertising provider that can distinguish the same user across websites and select advertisements for that user is processing information relating to an identified or identifiable person, even if it does not know the person’s name. Such data is, hence, pseudonymised, not anonymous.

Anonymity depends on perspective

The most important conceptual element of the Guidelines is that the same information may be personal data for one entity and anonymous for another.

The decisive question is therefore not simply whether the data is anonymous, but: anonymous for whom?

The relevant perspectives will generally include the entities for whom the information is intended to be anonymous. If a company wishes to use anonymised data internally, the assessment must take the company’s own capabilities into account. If the data is to be transferred to an independent research organisation, the recipient’s perspective will also be relevant. If data is made publicly available, the range of potentially relevant entities may be considerably broader. Where identification by the recipient is realistically likely, the data may be personal not only for the recipient but also indirectly for the transferring controller.

The EDPB derives this relative approach primarily from recent CJEU case law, including EDPS v SRB. Information that remains identifiable for the transferring controller may nevertheless be anonymous for an independent recipient that has no reasonably likely means of identifying the individuals.

This does not mean, however, that every GDPR obligation can be assessed exclusively from the recipient’s perspective. In EDPS v SRB, the CJEU held that the controller’s transparency obligations had to be determined from the controller’s perspective at the time the data was collected. Since the information constituted personal data for the controller at that time, the controller was required to inform data subjects about its recipients, irrespective of whether the data might later be anonymous for those recipients.

The applicable perspective may thus depend not only on the entities involved, but also on the specific GDPR obligation under consideration.

No independent perspective for processors

The Guidelines introduce an important qualification for processors.

Where an entity processes information on behalf of a controller, the personal nature of the data must be assessed from the controller’s perspective. A processor cannot argue that information is anonymous for it merely because it does not possess the additional information needed to identify the data subjects.

For example, if a retailer sends coded extracts from its customer database to an analytics provider acting on its instructions, the data remains personal for the analytics provider if the retailer can identify the customers. The provider must therefore be treated as a processor and comply with the corresponding GDPR obligations.

The position may be different where the recipient acts independently as controller and determines its own purposes and means. If a hospital transfers data to an independent research institute and the institute has no reasonably likely means of identifying the patients, the data may be anonymous for the institute even though the hospital retains identifying information.

The distinction between a processor and an independent recipient is therefore not merely a matter of contractual classification. It may determine the perspective from which identifiability must be assessed and, ultimately, whether the recipient processes personal or anonymous data.

"Means reasonably likely to be used" – a broad and dynamic test

Individuals do not need to be absolutely impossible to identify for data to qualify as anonymous. According to the CJEU and the EDPB, the likelihood of identification must instead be insignificant in reality.

This requires an assessment of all means reasonably likely to be used. The term “means” is interpreted broadly. It may include:

The controller must therefore consider not only what a recipient can do on its own, but also potential chains of means involving several parties.

Relevant factors include the nature and granularity of the data, the availability of additional information, access restrictions, the costs and time required for identification, the technology available at the time and reasonably foreseeable technological developments.

The possible actors are equally broad. Depending on the circumstances, the assessment may need to consider intended recipients, rogue employees, investigative journalists, law enforcement authorities, intelligence agencies, unethical companies or cybercriminals.

Not every conceivable attacker must automatically be included in every assessment. Yet the EDPB clearly rejects an analysis limited to the intended, law-abiding recipient where unauthorised access or onward transfer represents a concrete and realistic scenario.

For example, a company publishing a dataset online may not need to account for the capabilities of foreign intelligence agencies. It may, however, need to consider cybercriminals or unethical competitors if those actors could realistically obtain and exploit the data.

Lack of motivation is not a reliable safeguard

Controllers should exercise caution when relying on the assumption that no one would be interested in identifying the individuals.

According to the EDPB, motivation is difficult to assess objectively and may change over time. Identification may also result from negligence, accident, coercion or purposes that were not anticipated when the data was released.

The potential value of re-identified information may be relevant, but this value is not limited to money. Information may be useful for profiling, litigation, surveillance, journalism, discrimination or other forms of influence.

The relevant question is therefore not merely whether the intended recipient currently plans to identify anyone. It is whether identification using the available means is realistically likely in the relevant context.

Legal and contractual restrictions

A legal prohibition may reduce the likelihood that particular means will be used. As a general rule, entities may be expected to comply with the law.

The EDPB does not, however, treat illegality as an absolute safeguard. The assumption of compliance may be rebutted where there is concrete evidence that the prohibition is ineffective, insufficiently enforced or regularly circumvented. This may be relevant, for example, where data is accessible to actors outside the effective reach of EU law or where comparable systems have previously been compromised.

Contractual restrictions receive even less weight. A contractual prohibition on re-identification may support an anonymisation concept, but does not itself make the data anonymous. Contracts may be amended, ignored or breached and are generally binding only on the contracting parties.

Their value is complementary — they support, but do not substitute for, effective technical and organisational measures.

Two approaches: contextual or simplified

To translate the legal test into practice, the Guidelines offer two approaches.

Under the contextual approach, the controller identifies the relevant entities and examines the means reasonably likely to be used by each of them. This reflects the full legal standard and allows data to be classified differently depending on the recipient’s actual capabilities.

Its advantage is precision. Its disadvantage is complexity. The controller must understand the data environment, the relevant actors, their access to additional information and potential chains of cooperation or disclosure. Missing one relevant capability may result in a false conclusion that the data is anonymous.

The simplified approach disregards differences between the relevant entities. The controller effectively asks whether re-identification is possible without limiting the analysis to the capabilities of a specific recipient.

The EDPB also suggests combining both approaches. A controller may begin with the simplified approach. If no realistic identification technique exists even in theory, the data may safely be treated as anonymous. If potential techniques are identified, the controller may move to the contextual approach and assess whether those techniques are reasonably likely to be used by the relevant entities.

The three technical criteria

Whichever approach is used, the same three criteria serve are at the centre:

If all three criteria are met, the data may safely be considered anonymous under either assessment approach. If one or more criteria are not met, this does not automatically mean that the data is personal. It triggers a further analysis of whether the identified weakness actually enables an individual to be singled out or otherwise identified with sufficient accuracy and reliability.

No Record Isolation

The criterion is met where the data does not contain a unique combination of attributes relating to a single individual. A name or unique identifier is not required to violate it: a sufficiently detailed combination of age, location, profession or medical condition may be enough to isolate one record from all others.

Record uniqueness does not automatically reveal a person’s identity, but it allows that individual to be singled out and treated differently. The Guidelines illustrate this with a patient dataset containing sex, date of birth, postcode and diagnosis: every record in the dataset is unique, and the criterion is therefore violated.

No Linkage

The criterion is violated where records relating to the same individual can be connected across datasets or contexts — even without exact matches. A combination of approximate attributes such as location, age or transaction patterns may be sufficient.

A board game shop, for instance, erases direct customer identifiers from its purchase records. The criterion is still violated if the purchase combinations can be matched to a public website where users list the games they own — connecting the two datasets identifies the individuals.

No Inference

The No Inference criterion is met where no specific and meaningful inference can be drawn about an identifiable individual from the data. An inference is specific if it relates to a single person; it is meaningful if it affects that person’s rights or interests and could not merely be derived from general population-level knowledge.

Not every prediction about an individual violates the criterion. A model predicting a loan applicant’s default risk based on historical patterns does not make that dataset personal if the applicant was never included in it.

The outcome is different where the inference reveals information about someone whose data contributed to the dataset. A company publishing aggregate salary figures for six engineers — five in one team at €480,000 and a total wage bill of €550,000 — effectively discloses that the sixth engineer earns €70,000, even though only aggregate data was published.

Data does not therefore become anonymous merely because individual records have been transformed into aggregate statistics, model parameters or synthetic outputs.

A failed criterion is not the end of the assessment

The three criteria are deliberately demanding. Yet the EDPB emphasises that failure to satisfy one criterion does not automatically establish that the data is personal.

The decisive question remains whether the relevant technique enables an individual to be distinguished from others and treated differently with sufficient accuracy and reliability.

An isolated record, for example, may be unique within the dataset but contain no attributes that can be connected to an external person. Similarly, a linkage technique may generate several possible matches without allowing any one person to be identified with sufficient confidence.

The controller must therefore assess false positives, false negatives and the precision of the result. A speculative or unreliable guess will generally not be enough. Conversely, identification does not require mathematical certainty if the result is sufficiently reliable to support differentiated treatment of the individual.

Anonymisation itself remains subject to the GDPR

Anonymisation is a processing operation. Until the process has successfully produced anonymous data, the GDPR continues to apply.

The controller therefore requires a legal basis under Article 6(1) GDPR and, where special-category data is involved, an exemption under Article 9(2) GDPR. Where anonymisation forms part of the same processing activity and serves the same purpose as the preceding processing, the EDPB considers that the legal basis will generally coincide with that used for the preceding operation.

Immediate anonymisation, combined with deletion of the original data, may also reduce the impact on data subjects and support a controller relying on legitimate interests. Anonymisation does, however, not automatically cure an unlawful collection or incompatible use of personal data.

Controllers must also comply with their transparency obligations. Privacy notices should explain that personal data will be processed to produce anonymous information that will subsequently fall outside the GDPR.

Terms such as “anonymous”, “de-identified” or “de-personalised” should not be used where individuals remain identifiable. In many cases, “pseudonymised” will be the legally correct description.

Documentation and periodic reassessment

A conclusion that data is anonymous must be capable of being demonstrated.

Controllers should document the source data, the applied anonymisation techniques, the relevant entities and perspectives, the additional information considered, the possible identification techniques, the assessment against the three criteria and the reasons why the remaining likelihood of identification is considered insignificant.

This documentation should be retained even after the anonymisation process has been completed.

Anonymity is also not necessarily permanent. New data sources, advances in computing power, more effective linkage methods or changes in access rights may turn previously anonymous information into personal data.

The EDPB therefore recommends periodic reassessment where appropriate. The frequency and extent of that review will depend on the sensitivity and structure of the data, the manner in which it is used or disclosed and the speed at which relevant technology and external data sources are developing.

Security incidents may require an immediate reassessment. If anonymity depended on supplementary information remaining confidential and that information is compromised, previously anonymous data may become identifiable. The affected entity may then need to determine its role under the GDPR and assess whether the incident triggers the notification obligations under Articles 33 and 34 GDPR.

Mixed datasets remain within the GDPR

An anonymisation process may be effective for most, but not all, individuals in a dataset. Outliers, rare characteristics or highly detailed records may remain identifiable even where the majority of records are adequately protected.

According to the Guidelines, a dataset as a whole should only be considered anonymous if the likelihood of re-identification is insignificant for every individual included in it.

Where anonymous and personal portions cannot be processed separately, the dataset must be treated as containing personal data and remains within the scope of the GDPR. An average or overall low re-identification risk is therefore insufficient if individual records remain exposed.

Abstrakte, diagonale Linien in unterschiedlichen Grüntönen

Conclusion

The new Guidelines provide a more differentiated account of anonymisation than the frequently used assumption that data is either personal for everyone or anonymous for everyone.

Their entity-specific approach creates opportunities. Information may, under certain conditions, be personal for the originating controller but anonymous for an independent recipient. This may facilitate research, data sharing and other forms of secondary use without subjecting the recipient’s subsequent independent processing to the GDPR.

At the same time, relying on this approach requires a sophisticated assessment of roles, access rights, additional information and realistic chains of identification. Data transferred to a processor remains personal where the controller can identify the individuals. Data released to an independent recipient may still be personal if that recipient can obtain identification capabilities through third parties. Contractual promises not to re-identify will rarely be sufficient on their own.

The three criteria of No Record Isolation, No Linkage and No Inference provide a useful structure for the technical analysis. They do not, however, reduce anonymisation to a checklist. Controllers must evaluate actual identification techniques, the quality and reliability of their results and the context in which the data will be used.

For organisations, anonymisation should therefore be treated as an ongoing governance process rather than a one-off technical operation. It requires coordination between legal, data, security and technical teams, supported by clear documentation and periodic reassessment.

The reward is considerable: properly anonymised information may be used outside the constraints of the GDPR. But the threshold remains demanding. Calling data anonymous does not make it so.

We support clients in designing anonymisation strategies, assessing re-identification risks and establishing governance frameworks for the legally compliant use and sharing of data.