The EDPB released new guidelines on pseudonymisation and a position paper on data protection and competition law to strengthen GDPR compliance.
In January 2025, the European Data Protection Board (EDPB) made a significant regulatory announcement during its plenary meeting, by adopting new pseudonymisation guidelines, as well as issuing a position paper on the interplay between data protection and competition law. These initiatives are designed to strengthen GDPR compliance and clarify the use of pseudonymisation. In doing so, the EDPB aims to offer practical guidance for organizations navigating the complex digital landscape while ensuring that privacy remains at the forefront of data processing practices. The EDPB also aims to foster improved cooperation between European DPAs and competition authorities.
EDPB guidelines state that pseudonymized data is still personal data and requires continued data protection, but pseudonymization can reduce risks and support legitimate data processing.
The newly adopted guidelines provide essential legal clarifications on the concept of pseudonymisation as introduced in the GDPR. They emphasize that pseudonymised data—despite being processed to obscure the direct identifiers relating to data subjects—remains personal data if it can be linked back to an identifiable natural person using additional information. This important distinction underscores the continued need for good data protection measures even when pseudonymisation techniques have been applied. In addition, the guidelines highlight how pseudonymisation can reduce risks and facilitate the use of legitimate interests as a legal basis for data processing, in line with Article 6(1)(f) of the GDPR, while ensuring compatibility with the original purposes of data collection as required by Article 6(4).
Pseudonymisation is defined in Article 4(5) of the GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures.”
Pseudonymisation guidelines adopted by the EDPB explain how the process improves data protection and security.
In addition to the clarifications provided , the guidelines explain how pseudonymisation supports the implementation of key data protection principles. By aiding compliance with the requirements of data protection by design and default (Article 25 GDPR) and enhancing security measures (Article 32 GDPR), pseudonymisation serves as a valuable tool for organizations. The guidance also delves into technical measures and safeguards designed to ensure confidentiality and prevent unauthorized re-identification, thereby reinforcing the overall integrity of data protection practices within the framework of the GDPR.
Stakeholders have until February 28, 2025 to provide feedback on the pseudonymisation guidelines.
With the public consultation for the pseudonymisation guidelines open until 28 February 2025, stakeholders have a valuable opportunity to contribute their views and help shape the future of data protection policy in Europe. This not only enhances the effectiveness of the guidelines but also reinforces the EDPB’s commitment to continuous improvement in regulatory practices. For organizations aiming to balance innovation with compliance, these developments are a step forward in promoting data security and regulatory compliance.
The EDPB has also recommended increased coordination between data protection and competition authorities, suggesting a single point of contact for inter-regulatory coordination.
The EDPB has also published a position paper, addressing the interplay between data protection law and competition law. Referencing the CJEU Meta vs. Bundeskartellamt ruling of July 2023, the position paper calls for a more coordinated approach between data protection and competition authorities. In addition, it highlights the importance of incorporating market and competition factors into data protection practices. The EDPB also suggests that data protection rules should be considered during competition assessments. One practical recommendation is the establishment of a single point of contact to manage inter-regulatory coordination, thereby which would streamline the enforcement process, ensuring that both legal frameworks work in tandem to protect consumers and maintain fair competition.
EDPB Deputy Chair Zdravko Vukíc emphasized collaboration between DPAs and competition authorities to address challenges posed by rapid technological advancements.
The EDPB Deputy Chair, Zdravko Vukíc emphasized that, as business models evolve in an increasingly digital environment, the protection of personal data is becoming even more critical. Vukíc stressed that fostering a collaborative regulatory landscape, where DPAs and Competition Authorities can share insights and coordinate actions, is key to addressing the challenges posed by rapid technological advancements. By integrating economic and privacy considerations, the EDPB’s initiatives pave the way for a more holistic approach to regulation that benefits both businesses and individuals.
