Misunderstanding 2: Pseudonymised Data

March 20, 2018

In the blog series "The 7 biggest misunderstandings about the GDPR" we settle the 7 most frequently heard misunderstandings. The last blog post explained that the General Data Protection Regulation (GDPR) applies to the processing of personal data. But when we talk about pseudonymised data, many people think that the GDPR does not apply. This is a misunderstanding.

Eric Arthur Blair?

Have you ever heard of Eric Arthur Blair? He is better known under his pseudonym: George Orwell, writer of the famous book 1984. A pseudonym is a false name or alias that clearly deviates from someone's real name and that can be used to shield your identity whenever you face publicity - as some writers do.


As said, a pseudonym can be an alias: a name other than the one in your passport. Such a 'pseudonym' does not need to be a real name, but can also have a different form. They can be all kinds of identifiers such as student number, IP address, membership number of the sports club, gamer's user name or bonus card number. Each of these data acts as a pseudonym of the person behind the alias. A pseudonym is therefore information about an identifiable natural person. Therefore, pseudonymised data qualify as personal data; with the conclusion that the GDPR applies to the processing of these data.


Take the passenger list of an airline company. It contains names, addresses and passport numbers of passengers and their travel history. The file therefore also contains unique data: a passenger can be identified directly by name. The file contains valuable information that company analysts would like to use for commercial purposes (What are popular destinations? When do passengers prefer to fly? etc.). On the other hand, the information on passengers says a lot about passengers and it is not desirable that many airline employees know which passenger is flying where and when. Pseudonymisation offers a solution.

In case of pseudonymisation, the passenger data (name, address, passport number) is stored in one file and the travel history in the other file. In addition, each passenger is given a passenger number (P8705), so this data is added to the dataset. By separating passenger data and travel history, it is possible to find which passenger belongs to which passenger number in one file. In the other file, you can find which travel behaviour belongs to which passenger number. It is of course important (and also required in the GDPR) that these files are kept separately. In this way, the travel data can be analyzed without each employee knowing the true identity of the passenger. This limits the dissemination of sensitive information within the company and improves the protection of passengers' personal data.

In order to keep the two files separate, the GDPR requires technical and organisational security measures. An example of a technical measure is that a system needs to be logged in by means of two factor authentication before the passenger data file can be viewed. An example of an organisational measure is to ensure that the number of people within the airline with access to both files is very limited. This could be for example only the manager IT and his assistant.

What follows in the blog series

Last week we already discussed the misunderstandings around personal data. In the upcoming posts of this blog series we will discuss the following topics:

  • Register of processing operations
  • Data Protection Officer (FG)
  • Privacy Impact Assessment (PIA)
  • Covenants
  • Consent

Do you want clarity about what the GDPR exactly means for your organisation? Then keep an eye on our blog page in the coming weeks and read/learn how you can solve these misunderstandings about the GDPR.