{"id":53172,"date":"2026-07-10T16:39:05","date_gmt":"2026-07-10T14:39:05","guid":{"rendered":"https:\/\/www.eh.at\/?p=53172"},"modified":"2026-07-10T17:27:26","modified_gmt":"2026-07-10T15:27:26","slug":"anonymous-for-whom-the-edpbs-new-framework-for-anonymisation-under-the-gdpr","status":"publish","type":"post","link":"https:\/\/www.eh.at\/en\/anonymous-for-whom-the-edpbs-new-framework-for-anonymisation-under-the-gdpr\/","title":{"rendered":"Anonymous for whom? The EDPB\u2019s new framework for anonymisation under the GDPR"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"53172\" class=\"elementor elementor-53172\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-dfd1411 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"dfd1411\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-863ebe9\" data-id=\"863ebe9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e1bbe59 elementor-widget elementor-widget-text-editor\" data-id=\"e1bbe59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>10.07.2026<br \/><em><a href=\"https:\/\/www.eh.at\/en\/team\/gernot-fritz\/\">Gernot Fritz<\/a>, <a href=\"https:\/\/www.eh.at\/en\/team\/tanja-pfleger\/\">Tanja Pfleger<\/a><\/em><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0efde70 elementor-widget elementor-widget-text-editor\" data-id=\"0efde70\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Anonymisation promises significant advantages. Once information has been successfully anonymised, it no longer qualifies as personal data and falls outside the scope of the GDPR. It may therefore be used, shared and analysed with considerably greater freedom.<\/p><p>But when is data truly anonymous? Removing names and other direct identifiers is rarely enough. Data may still reveal individuals through combinations of attributes, links with other datasets or inferences drawn from aggregate information. Advances in artificial intelligence and data analytics have made that assessment even more complex.<\/p><p>On 7 July 2026, the European Data Protection Board adopted its new <a href=\"https:\/\/www.edpb.europa.eu\/system\/files\/2026-07\/edpb_guidelines_202602_anonymisation_v1_en_0.pdf\" target=\"_blank\" rel=\"noopener\">Guidelines 02\/2026 on Anonymisation<\/a> for public consultation. They replace neither the GDPR\u2019s legal test (Recital 26 GDPR) nor the need for a case-by-case assessment. Yet they substantially update the approach taken in the Article 29 Working Party\u2019s 2014 Opinion and provide a detailed legal and technical framework for determining whether information has been successfully anonymised.<\/p><p>The central message is clear: anonymity is not an abstract property of a dataset. It must be assessed in its specific context, from the perspective of the entities that may have access to the data and by reference to the means they are reasonably likely to use.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ac8b001 elementor-widget elementor-widget-heading\" data-id=\"ac8b001\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Anonymous data as the mirror image of personal data<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-224fc8c elementor-widget elementor-widget-text-editor\" data-id=\"224fc8c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The starting point of the Guidelines is the GDPR&#8217;s legal test set out in Recital 26 GDPR: information is anonymous where it does not relate to an identified or identifiable natural person.<\/p><p>The assessment therefore consists of two questions:<\/p><ol><li>Does the information relate to a natural person?<\/li><li>Is that person identified or identifiable?<\/li><\/ol><p><br \/>If either question is answered in the negative, the information is anonymous from the relevant perspective.<\/p><p>The first part of the test is broader than it may initially appear. Information may relate to a person by reason of its content, purpose or effect. It may be directly about an individual, used to evaluate or influence them, or capable of affecting their rights and interests.<\/p><p>This includes information that appears, at first sight, to relate only to an object, organisation or group, e.g. vehicle data may relate to the driver or information about a house may relate to its owner. Aggregate information may relate to individual members of the group if further processing allows conclusions to be drawn about them.<\/p><p>The second part asks whether the individual can be distinguished from others in a relevant context and consequently treated differently. Identification does not require knowledge of the person\u2019s civil identity or name. A person may already be identified where they can be persistently recognised, profiled or singled out, even if their real-world identity remains unknown.<\/p><p>This is particularly relevant for online identifiers, device fingerprints and pseudonymous user IDs. A digital advertising provider that can distinguish the same user across websites and select advertisements for that user is processing information relating to an identified or identifiable person, even if it does not know the person\u2019s name. Such data is, hence, pseudonymised, not anonymous.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6fa28a9 elementor-widget elementor-widget-heading\" data-id=\"6fa28a9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Anonymity depends on perspective<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eb2a3d7 elementor-widget elementor-widget-text-editor\" data-id=\"eb2a3d7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The most important conceptual element of the Guidelines is that the same information may be personal data for one entity and anonymous for another.<\/p><p>The decisive question is therefore not simply whether the data is anonymous, but: anonymous for whom?<\/p><p>The relevant perspectives will generally include the entities for whom the information is intended to be anonymous. If a company wishes to use anonymised data internally, the assessment must take the company\u2019s own capabilities into account. If the data is to be transferred to an independent research organisation, the recipient\u2019s perspective will also be relevant. If data is made publicly available, the range of potentially relevant entities may be considerably broader. Where identification by the recipient is realistically likely, the data may be personal not only for the recipient but also indirectly for the transferring controller.<\/p><p>The EDPB derives this relative approach primarily from recent CJEU case law, including EDPS v SRB. Information that remains identifiable for the transferring controller may nevertheless be anonymous for an independent recipient that has no reasonably likely means of identifying the individuals.<\/p><p>This does not mean, however, that every GDPR obligation can be assessed exclusively from the recipient\u2019s perspective. In EDPS v SRB, the CJEU held that the controller\u2019s transparency obligations had to be determined from the controller\u2019s perspective at the time the data was collected. Since the information constituted personal data for the controller at that time, the controller was required to inform data subjects about its recipients, irrespective of whether the data might later be anonymous for those recipients.<\/p><p>The applicable perspective may thus depend not only on the entities involved, but also on the specific GDPR obligation under consideration.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d98f5b elementor-widget elementor-widget-heading\" data-id=\"5d98f5b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">No independent perspective for processors<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-df7ac5a elementor-widget elementor-widget-text-editor\" data-id=\"df7ac5a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The Guidelines introduce an important qualification for processors.<\/p><p>Where an entity processes information on behalf of a controller, the personal nature of the data must be assessed from the controller\u2019s perspective. A processor cannot argue that information is anonymous for it merely because it does not possess the additional information needed to identify the data subjects.<\/p><p>For example, if a retailer sends coded extracts from its customer database to an analytics provider acting on its instructions, the data remains personal for the analytics provider if the retailer can identify the customers. The provider must therefore be treated as a processor and comply with the corresponding GDPR obligations.<\/p><p>The position may be different where the recipient acts independently as controller and determines its own purposes and means. If a hospital transfers data to an independent research institute and the institute has no reasonably likely means of identifying the patients, the data may be anonymous for the institute even though the hospital retains identifying information.<\/p><p>The distinction between a processor and an independent recipient is therefore not merely a matter of contractual classification. It may determine the perspective from which identifiability must be assessed and, ultimately, whether the recipient processes personal or anonymous data.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5bffb12 elementor-widget elementor-widget-heading\" data-id=\"5bffb12\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\"Means reasonably likely to be used\" \u2013 a broad and dynamic test<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c83855c elementor-widget elementor-widget-text-editor\" data-id=\"c83855c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Individuals do not need to be absolutely impossible to identify for data to qualify as anonymous. According to the CJEU and the EDPB, the likelihood of identification must instead be insignificant in reality.<\/p><p>This requires an assessment of all means reasonably likely to be used. The term \u201cmeans\u201d is interpreted broadly. It may include:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c34d2c8 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"c34d2c8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items\">\n\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">consulting publicly available information;<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">combining the data with another dataset;<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">using search engines or social media;<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">applying statistical or technical analyses;<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">decrypting protected information;<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">acquiring additional data from another party;<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">instructing a third-party specialist to carry out re-identification; or<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">transferring the data to another entity that possesses the relevant identification capabilities.<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5f80250 elementor-widget elementor-widget-text-editor\" data-id=\"5f80250\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The controller must therefore consider not only what a recipient can do on its own, but also potential chains of means involving several parties.<\/p><p>Relevant factors include the nature and granularity of the data, the availability of additional information, access restrictions, the costs and time required for identification, the technology available at the time and reasonably foreseeable technological developments.<\/p><p>The possible actors are equally broad. Depending on the circumstances, the assessment may need to consider intended recipients, rogue employees, investigative journalists, law enforcement authorities, intelligence agencies, unethical companies or cybercriminals.<\/p><p>Not every conceivable attacker must automatically be included in every assessment. Yet the EDPB clearly rejects an analysis limited to the intended, law-abiding recipient where unauthorised access or onward transfer represents a concrete and realistic scenario.<\/p><p>For example, a company publishing a dataset online may not need to account for the capabilities of foreign intelligence agencies. It may, however, need to consider cybercriminals or unethical competitors if those actors could realistically obtain and exploit the data.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03e74de elementor-widget elementor-widget-heading\" data-id=\"03e74de\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Lack of motivation is not a reliable safeguard<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e78b9cb elementor-widget elementor-widget-text-editor\" data-id=\"e78b9cb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Controllers should exercise caution when relying on the assumption that no one would be interested in identifying the individuals.<\/p><p>According to the EDPB, motivation is difficult to assess objectively and may change over time. Identification may also result from negligence, accident, coercion or purposes that were not anticipated when the data was released.<\/p><p>The potential value of re-identified information may be relevant, but this value is not limited to money. Information may be useful for profiling, litigation, surveillance, journalism, discrimination or other forms of influence.<\/p><p>The relevant question is therefore not merely whether the intended recipient currently plans to identify anyone. It is whether identification using the available means is realistically likely in the relevant context.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c0ccce4 elementor-widget elementor-widget-heading\" data-id=\"c0ccce4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Legal and contractual restrictions<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-136e21b elementor-widget elementor-widget-text-editor\" data-id=\"136e21b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A legal prohibition may reduce the likelihood that particular means will be used. As a general rule, entities may be expected to comply with the law.<\/p><p>The EDPB does not, however, treat illegality as an absolute safeguard. The assumption of compliance may be rebutted where there is concrete evidence that the prohibition is ineffective, insufficiently enforced or regularly circumvented. This may be relevant, for example, where data is accessible to actors outside the effective reach of EU law or where comparable systems have previously been compromised.<\/p><p>Contractual restrictions receive even less weight. A contractual prohibition on re-identification may support an anonymisation concept, but does not itself make the data anonymous. Contracts may be amended, ignored or breached and are generally binding only on the contracting parties.<\/p><p>Their value is complementary \u2014 they support, but do not substitute for, effective technical and organisational measures.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-005ac86 elementor-widget elementor-widget-heading\" data-id=\"005ac86\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Two approaches: contextual or simplified<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b0a4869 elementor-widget elementor-widget-text-editor\" data-id=\"b0a4869\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To translate the legal test into practice, the Guidelines offer two approaches.<\/p><p>Under the <strong>contextual approach<\/strong>, the controller identifies the relevant entities and examines the means reasonably likely to be used by each of them. This reflects the full legal standard and allows data to be classified differently depending on the recipient\u2019s actual capabilities.<\/p><p>Its advantage is precision. Its disadvantage is complexity. The controller must understand the data environment, the relevant actors, their access to additional information and potential chains of cooperation or disclosure. Missing one relevant capability may result in a false conclusion that the data is anonymous.<\/p><p>The <strong>simplified approach<\/strong> disregards differences between the relevant entities. The controller effectively asks whether re-identification is possible without limiting the analysis to the capabilities of a specific recipient.<\/p><p>The EDPB also suggests combining both approaches. A controller may begin with the simplified approach. If no realistic identification technique exists even in theory, the data may safely be treated as anonymous. If potential techniques are identified, the controller may move to the contextual approach and assess whether those techniques are reasonably likely to be used by the relevant entities.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-98f9045 elementor-widget elementor-widget-heading\" data-id=\"98f9045\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">The three technical criteria<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2b22b16 elementor-widget elementor-widget-text-editor\" data-id=\"2b22b16\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Whichever approach is used, the same three criteria serve are at the centre:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-36dfbcf elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"36dfbcf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items\">\n\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">No Record Isolation;<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">No Linkage; and<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">No Inference.<\/span>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eff5c5d elementor-widget elementor-widget-text-editor\" data-id=\"eff5c5d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If all three criteria are met, the data may safely be considered anonymous under either assessment approach. If one or more criteria are not met, this does not automatically mean that the data is personal. It triggers a further analysis of whether the identified weakness actually enables an individual to be singled out or otherwise identified with sufficient accuracy and reliability.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-580223c elementor-widget elementor-widget-heading\" data-id=\"580223c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">No Record Isolation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-26dddd4 elementor-widget elementor-widget-text-editor\" data-id=\"26dddd4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The criterion is met where the data does not contain a unique combination of attributes relating to a single individual. A name or unique identifier is not required to violate it: a sufficiently detailed combination of age, location, profession or medical condition may be enough to isolate one record from all others.<\/p><p>Record uniqueness does not automatically reveal a person\u2019s identity, but it allows that individual to be singled out and treated differently. The Guidelines illustrate this with a patient dataset containing sex, date of birth, postcode and diagnosis: every record in the dataset is unique, and the criterion is therefore violated.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8b516c4 elementor-widget elementor-widget-heading\" data-id=\"8b516c4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">No Linkage<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ea00ce8 elementor-widget elementor-widget-text-editor\" data-id=\"ea00ce8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The criterion is violated where records relating to the same individual can be connected across datasets or contexts \u2014 even without exact matches. A combination of approximate attributes such as location, age or transaction patterns may be sufficient.<\/p><p>A board game shop, for instance, erases direct customer identifiers from its purchase records. The criterion is still violated if the purchase combinations can be matched to a public website where users list the games they own \u2014 connecting the two datasets identifies the individuals.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0648638 elementor-widget elementor-widget-heading\" data-id=\"0648638\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">No Inference<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-379872e elementor-widget elementor-widget-text-editor\" data-id=\"379872e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The No Inference criterion is met where no specific and meaningful inference can be drawn about an identifiable individual from the data. An inference is specific if it relates to a single person; it is meaningful if it affects that person&#8217;s rights or interests and could not merely be derived from general population-level knowledge.<\/p><p>Not every prediction about an individual violates the criterion. A model predicting a loan applicant&#8217;s default risk based on historical patterns does not make that dataset personal if the applicant was never included in it.<\/p><p>The outcome is different where the inference reveals information about someone whose data contributed to the dataset. A company publishing aggregate salary figures for six engineers \u2014 five in one team at \u20ac480,000 and a total wage bill of \u20ac550,000 \u2014 effectively discloses that the sixth engineer earns \u20ac70,000, even though only aggregate data was published.<\/p><p>Data does not therefore become anonymous merely because individual records have been transformed into aggregate statistics, model parameters or synthetic outputs.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-67d7ff1 elementor-widget elementor-widget-heading\" data-id=\"67d7ff1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">A failed criterion is not the end of the assessment<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9e409fa elementor-widget elementor-widget-text-editor\" data-id=\"9e409fa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The three criteria are deliberately demanding. Yet the EDPB emphasises that failure to satisfy one criterion does not automatically establish that the data is personal.<\/p><p>The decisive question remains whether the relevant technique enables an individual to be distinguished from others and treated differently with sufficient accuracy and reliability.<\/p><p>An isolated record, for example, may be unique within the dataset but contain no attributes that can be connected to an external person. Similarly, a linkage technique may generate several possible matches without allowing any one person to be identified with sufficient confidence.<\/p><p>The controller must therefore assess false positives, false negatives and the precision of the result. A speculative or unreliable guess will generally not be enough. Conversely, identification does not require mathematical certainty if the result is sufficiently reliable to support differentiated treatment of the individual.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d4b7810 elementor-widget elementor-widget-heading\" data-id=\"d4b7810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Anonymisation itself remains subject to the GDPR<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8656dcf elementor-widget elementor-widget-text-editor\" data-id=\"8656dcf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Anonymisation is a processing operation. Until the process has successfully produced anonymous data, the GDPR continues to apply.<\/p><p>The controller therefore requires a legal basis under Article 6(1) GDPR and, where special-category data is involved, an exemption under Article 9(2) GDPR. Where anonymisation forms part of the same processing activity and serves the same purpose as the preceding processing, the EDPB considers that the legal basis will generally coincide with that used for the preceding operation.<\/p><p>Immediate anonymisation, combined with deletion of the original data, may also reduce the impact on data subjects and support a controller relying on legitimate interests. Anonymisation does, however, not automatically cure an unlawful collection or incompatible use of personal data.<\/p><p>Controllers must also comply with their transparency obligations. Privacy notices should explain that personal data will be processed to produce anonymous information that will subsequently fall outside the GDPR.<\/p><p>Terms such as \u201canonymous\u201d, \u201cde-identified\u201d or \u201cde-personalised\u201d should not be used where individuals remain identifiable. In many cases, \u201cpseudonymised\u201d will be the legally correct description.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-39effcc elementor-widget elementor-widget-heading\" data-id=\"39effcc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Documentation and periodic reassessment<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b81c0fd elementor-widget elementor-widget-text-editor\" data-id=\"b81c0fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A conclusion that data is anonymous must be capable of being demonstrated.<\/p><p>Controllers should document the source data, the applied anonymisation techniques, the relevant entities and perspectives, the additional information considered, the possible identification techniques, the assessment against the three criteria and the reasons why the remaining likelihood of identification is considered insignificant.<\/p><p>This documentation should be retained even after the anonymisation process has been completed.<\/p><p>Anonymity is also not necessarily permanent. New data sources, advances in computing power, more effective linkage methods or changes in access rights may turn previously anonymous information into personal data.<\/p><p>The EDPB therefore recommends periodic reassessment where appropriate. The frequency and extent of that review will depend on the sensitivity and structure of the data, the manner in which it is used or disclosed and the speed at which relevant technology and external data sources are developing.<\/p><p>Security incidents may require an immediate reassessment. If anonymity depended on supplementary information remaining confidential and that information is compromised, previously anonymous data may become identifiable. The affected entity may then need to determine its role under the GDPR and assess whether the incident triggers the notification obligations under Articles 33 and 34 GDPR.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a514a91 elementor-widget elementor-widget-heading\" data-id=\"a514a91\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Mixed datasets remain within the GDPR<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b64c351 elementor-widget elementor-widget-text-editor\" data-id=\"b64c351\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>An anonymisation process may be effective for most, but not all, individuals in a dataset. Outliers, rare characteristics or highly detailed records may remain identifiable even where the majority of records are adequately protected.<\/p><p>According to the Guidelines, a dataset as a whole should only be considered anonymous if the likelihood of re-identification is insignificant for every individual included in it.<\/p><p>Where anonymous and personal portions cannot be processed separately, the dataset must be treated as containing personal data and remains within the scope of the GDPR. An average or overall low re-identification risk is therefore insufficient if individual records remain exposed.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2b9bf38 elementor-widget elementor-widget-image\" data-id=\"2b9bf38\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"1023\" height=\"15\" src=\"https:\/\/www.eh.at\/wp-content\/uploads\/2026\/04\/Trennstreifen_gruen_Blog.png\" class=\"attachment-full size-full wp-image-52149\" alt=\"Abstrakte, diagonale Linien in unterschiedlichen Gr\u00fcnt\u00f6nen\" srcset=\"https:\/\/www.eh.at\/wp-content\/uploads\/2026\/04\/Trennstreifen_gruen_Blog.png 1023w, https:\/\/www.eh.at\/wp-content\/uploads\/2026\/04\/Trennstreifen_gruen_Blog-300x4.png 300w, https:\/\/www.eh.at\/wp-content\/uploads\/2026\/04\/Trennstreifen_gruen_Blog-768x11.png 768w\" sizes=\"(max-width: 1023px) 100vw, 1023px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a2fb543 elementor-widget elementor-widget-heading\" data-id=\"a2fb543\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d562cff elementor-widget elementor-widget-text-editor\" data-id=\"d562cff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The new Guidelines provide a more differentiated account of anonymisation than the frequently used assumption that data is either personal for everyone or anonymous for everyone.<\/p><p>Their entity-specific approach creates opportunities. Information may, under certain conditions, be personal for the originating controller but anonymous for an independent recipient. This may facilitate research, data sharing and other forms of secondary use without subjecting the recipient\u2019s subsequent independent processing to the GDPR.<\/p><p>At the same time, relying on this approach requires a sophisticated assessment of roles, access rights, additional information and realistic chains of identification. Data transferred to a processor remains personal where the controller can identify the individuals. Data released to an independent recipient may still be personal if that recipient can obtain identification capabilities through third parties. Contractual promises not to re-identify will rarely be sufficient on their own.<\/p><p>The three criteria of No Record Isolation, No Linkage and No Inference provide a useful structure for the technical analysis. They do not, however, reduce anonymisation to a checklist. Controllers must evaluate actual identification techniques, the quality and reliability of their results and the context in which the data will be used.<\/p><p>For organisations, anonymisation should therefore be treated as an ongoing governance process rather than a one-off technical operation. It requires coordination between legal, data, security and technical teams, supported by clear documentation and periodic reassessment.<\/p><p>The reward is considerable: properly anonymised information may be used outside the constraints of the GDPR. But the threshold remains demanding. Calling data anonymous does not make it so.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cbe759b elementor-widget elementor-widget-text-editor\" data-id=\"cbe759b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><em>We support clients in designing anonymisation strategies, assessing re-identification risks and establishing governance frameworks for the legally compliant use and sharing of data.<\/em><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>10.07.2026Gernot Fritz, Tanja Pfleger Anonymisation promises significant advantages. Once information has been successfully anonymised, it no longer qualifies as personal data and falls outside the scope of the GDPR. It may therefore be used, shared and analysed with considerably greater freedom. But when is data truly anonymous? Removing names and other direct identifiers is rarely [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":53167,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[235],"tags":[1073,1074,758],"group":[],"area":[],"location":[],"systype":[],"class_list":["post-53172","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-legal-update-en","tag-anonymous","tag-edpb","tag-gdpr"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts\/53172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/comments?post=53172"}],"version-history":[{"count":10,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts\/53172\/revisions"}],"predecessor-version":[{"id":53184,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts\/53172\/revisions\/53184"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/media\/53167"}],"wp:attachment":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/media?parent=53172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/categories?post=53172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/tags?post=53172"},{"taxonomy":"group","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/group?post=53172"},{"taxonomy":"area","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/area?post=53172"},{"taxonomy":"location","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/location?post=53172"},{"taxonomy":"systype","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/systype?post=53172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}