EDPB 2025: Pseudonymization Guidelines Explained
Updated for 2026
What Changed in January 2025
The European Data Protection Board issued Guidelines 01/2025 in January 2025. The topic: pseudonymization. The main point is short. Pseudonymized files are still personal files. They stay inside the scope of the law. Many teams had assumed they were outside it. The new guidelines say no.
If your organization holds the key to undo the process, the rules still apply to you.
The Pseudonymization Domain
The guidelines add one new idea: the pseudonymization domain. This is the group of parties who can link a pseudonymized item back to a real person.
Any party in that group is covered by the law. If you hold the key — or can work it out — you are in that group. All rules apply.
Two Terms. One Gap.
These two terms are not the same.
True anonymization cannot be undone. No party can reverse it — now or later. Truly anonymized files fall outside the scope of the law.
Pseudonymization can be undone. A key, a lookup table, or a side file can bring back the original values. Those items stay inside the law for any party that holds the key.
Three tool types that produce pseudonymized — not anonymized — output:
- Token systems: swap PII for fixed tokens and keep a lookup table
- Encryption tools: encrypt PII values and keep the decryption key
- Format-preserving encryption tools
Hashing is closer to true anonymization — but only when inputs are hard to guess. For short names or common ID codes, lookup attacks can undo the hash. The EDPB flags this risk. Hashing easy-to-guess values may not count as true anonymization.
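The lookup risk described above can be checked before a hashed column is labeled "anonymized". The following is an added example, not part of the EDPB guidelines or of any tool named on this page; it goes one step further than the text by also showing a keyed hash (HMAC), which only the key holder can re-link. The 4-digit ID format, the sample IDs, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def plain_hash(value: str) -> str:
    """Unkeyed SHA-256, as often applied to an ID column before release."""
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA-256: the output cannot be recomputed without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def relinkable(released, candidates, hash_fn):
    """Map each released hash to its original value, for every hash that a
    party able to compute hash_fn can match by hashing all candidate inputs."""
    table = {hash_fn(c): c for c in candidates}
    return {h: table[h] for h in released if h in table}

# Constructed sample data: three 4-digit member IDs (hypothetical format).
SAMPLE_IDS = ["0042", "1987", "7310"]
CANDIDATES = [f"{n:04d}" for n in range(10_000)]  # the entire input space
KEY = secrets.token_bytes(32)        # held by the key custodian
OTHER_KEY = secrets.token_bytes(32)  # stands in for a party without the key

def audit() -> dict:
    plain = [plain_hash(i) for i in SAMPLE_IDS]
    keyed = [keyed_hash(i, KEY) for i in SAMPLE_IDS]
    return {
        # Any party can recompute an unkeyed hash, so every row re-links.
        "plain_any_party": len(relinkable(plain, CANDIDATES, plain_hash)),
        # Without the key, the keyed output does not re-link ...
        "keyed_without_key": len(
            relinkable(keyed, CANDIDATES, lambda v: keyed_hash(v, OTHER_KEY))),
        # ... but the key holder can re-link it, so for that party the
        # column is pseudonymized, not anonymized.
        "keyed_with_key": len(
            relinkable(keyed, CANDIDATES, lambda v: keyed_hash(v, KEY))),
    }

if __name__ == "__main__":
    print(audit())
```

A non-zero count for any party means that party can link the column back to individuals, so the column stays pseudonymized for them.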
Steps for DPOs
Review each file set labeled "anonymized." Ask: can any party undo this? If yes, it is pseudonymized. The law still applies.
Files that must stay outside the law's scope (analytics, archives, research totals) need steps that cannot be undone. Options: permanent redaction, masking with values that cannot be recovered, or hashing of hard-to-guess inputs. Log the method and your reason for it.
Files where the process must be undoable — research re-contact, audit trails, legal hold — must be labeled as pseudonymized personal files. Keep all legal duties. Log key custody using the EDPB key rules.
The five-method framework maps onto this split. Replace, Mask, and Encrypt produce pseudonymized output. Redact and Hash (hard-to-guess inputs only) can reach true anonymization — subject to completeness review.
Check what your tools actually produce. A product sold as an "anonymization" tool may put out pseudonymized items if it keeps any lookup or key. Our GDPR compliance guide covers all classification rules. Our security compliance overview explains the technical controls DPOs must log. For tool guidance, see our anonymization presets and audit guide.