Many organizations confuse anonymization with pseudonymization. The distinction matters enormously: anonymized data falls completely outside GDPR's scope, while pseudonymized data remains personal data subject to all GDPR obligations. Using the wrong method means either a false sense of compliance or an unnecessary regulatory burden.
The Legal Definitions
Anonymization (Recital 26): "Anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable."
GDPR does not apply to anonymous information. The data subject cannot be re-identified. No lawful basis, no consent, no DPA required.
Pseudonymization (Art. 4(5)): "The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately."
GDPR fully applies to pseudonymized data. Re-identification remains possible. Art. 6 lawful basis required.
The Re-identification Test
The decisive question under GDPR Recital 26 is whether re-identification is reasonably likely given available means, effort, and technology:
- If re-identification requires disproportionate time, cost, and effort that no reasonable actor would expend → likely anonymous
- If re-identification is possible with access to a key, lookup table, or additional dataset → pseudonymized, not anonymous
- If the data is statistically unique enough to allow re-identification via linkage attacks → not sufficiently anonymous
This means encryption alone does not anonymize data: a decryption key exists, so the data is pseudonymized. The same applies to tokenization, hashing with known salt values, and k-anonymity approaches that do not adequately address re-identification risk.
Practical Comparison
| Method | Reversible? | GDPR Status | anonym.plus Operator |
|---|---|---|---|
| Replace with generic label | No | Anonymized — outside GDPR scope | Replace |
| Remove entirely | No | Anonymized — outside GDPR scope | Redact |
| SHA-256 hash (no salt) | No (for most inputs) | Effectively anonymous for complex values; risky for predictable inputs (e.g. phone numbers) | Hash |
| Partial masking (***-***-1234) | No | Depends — may be identifiable if combined with other data | Mask |
| AES-256-GCM encryption | Yes (with key) | Pseudonymized — GDPR applies | Encrypt |
| Tokenization (lookup table) | Yes (with table) | Pseudonymized — GDPR applies | n/a |
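
The "risky for predictable inputs" caveat in the SHA-256 row can be checked before a hashed column is treated as anonymous. The following is an added example, not anonym.plus code: it applies the Recital 26 test to unsalted hashes by enumerating a known input format. The phone numbers (fictional 555-01xx range), the `+1202555` prefix and all function names are constructed for illustration.

```python
import hashlib
import math
import secrets


def sha256_hex(value: str) -> str:
    """Unsalted SHA-256, as in the 'SHA-256 hash (no salt)' table row."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of a fixed-format value, in bits."""
    return length * math.log2(alphabet_size)


def phone_candidates(prefix: str, digits: int):
    """Every number of the form prefix + `digits` decimal digits."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def reidentify(hashed_column, candidates):
    """Map each hash back to its input when that input is among `candidates`."""
    targets = set(hashed_column)
    found = {}
    for candidate in candidates:
        digest = sha256_hex(candidate)
        if digest in targets:
            found[digest] = candidate
    return found


def audit_demo():
    # Constructed sample data: two fictional phone numbers and one random token.
    phones = ["+12025550143", "+12025550188"]
    token = secrets.token_hex(16)  # 128 random bits: not enumerable
    column = [sha256_hex(v) for v in phones + [token]]
    recovered = reidentify(column, phone_candidates("+1202555", 4))
    return phones, token, column, recovered


if __name__ == "__main__":
    phones, token, column, recovered = audit_demo()
    print(f"phone suffix keyspace: {keyspace_bits(10, 4):.1f} bits")
    print(f"re-identified {len(recovered)} of {len(column)} hashed values")
```

Both phone hashes are re-identified from a 10,000-value candidate list, while the hash of the random token is not, so the hashed phone column fails the re-identification test even though SHA-256 itself is not reversible.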
When to Use Anonymization vs Pseudonymization
Use anonymization (Replace / Redact / Hash) when:
- Sharing data externally — with AI tools, cloud services, research partners, or third parties
- Long-term archiving where the original PII is no longer needed
- Fulfilling Art. 17 right to erasure requests at the document level
- Creating public datasets, reports, or publications
- Compliance with EU AI Act Art. 10 for training data (requires effective anonymization)
Use pseudonymization (Encrypt) when:
- Internal collaboration where authorized parties need to restore original values
- Clinical trials and medical research where re-linkage may be needed
- Multi-party document editing workflows (encrypt → share → edit → decrypt)
- Temporary processing for a defined purpose where erasure will follow
- Satisfying Art. 25 (Privacy by Design) and Art. 32 (security) as a risk-reduction measure
What Anonymization Actually Unlocks Under GDPR
True anonymization provides significant practical compliance benefits:
- No lawful basis required — anonymous data is not personal data; Art. 6 does not apply
- No data subject rights — no access, erasure, or portability requests apply to the anonymized dataset
- No data transfer restrictions — anonymous data can be transferred to any country without SCCs, adequacy decisions, or other Art. 44 mechanisms
- No DPA required — no Art. 28 Data Processing Agreement needed for processors handling only anonymous data
- No breach notification — Art. 33 breach reporting does not apply to anonymous data leaks
- Research purposes — Art. 89 exemptions are unnecessary once data is truly anonymous
Frequently Asked Questions
What is the difference between anonymization and pseudonymization under GDPR?
Anonymization makes re-identification effectively impossible — the data exits GDPR scope entirely (Recital 26). Pseudonymization replaces identifiers with codes but re-identification remains possible with additional information — the data stays within GDPR scope (Art. 4(5)).
Is encrypted data anonymized under GDPR?
No. Encrypted data is pseudonymized because a decryption key exists. True anonymization requires that re-identification be effectively impossible. Use Replace, Redact, or Hash operators for true GDPR anonymization.
What operators in anonym.plus produce true anonymization?
Replace (generic label substitution), Redact (removal), and Hash (SHA-256/SHA-512) produce anonymization, with the caveat from the comparison table that an unsalted hash of a predictable input (e.g. a phone number) is risky. The Encrypt operator produces pseudonymization. Mask (partial hide) may or may not be sufficient depending on the remaining data's re-identification risk.
Does pseudonymized data still need a GDPR Data Processing Agreement?
Yes. Pseudonymized data is still personal data. If a processor handles it on your behalf, an Art. 28 DPA is required. Anonymized data does not require a DPA since it falls outside GDPR scope.