Scope: Pseudonymisation

Updating the EDPB pseudonymisation guidelines post-SRB

Good to read about the EDPB promoting pseudonymisation in Seoul, but let’s be honest: their guidelines on the topic need serious updating further to the CJEU’s SRB judgment. Yes, they do say the opposite of SRB: 22. Pseudonymised data, which could be attributed to a natural person by the use of additional information, is to […]

When is data no longer personal? And what are the implications?

The ruling of the Court of Justice of the European Union (CJEU) of yesterday, 4 September 2025, in the EDPS v SRB case is significant – never mind the naysayers. It is the first time that the CJEU has clearly, explicitly said that if a dataset initially contains personal data but is pseudonymised, and that […]

Analyzing the mixed reception of the CJEU’s SRB ruling

Interestingly mixed reactions to the CJEU’s SRB ruling. Some: “nothing new!”. Others: “finally, relative nature of personal data confirmed!”. Why? The Court stated in unambiguous terms (paras. 77 + 86) that pseudonymised data can be non-personal data for a recipient if the technical and organisational measures of the pseudonymisation are effective and prevent access by […]

CJEU SRB judgment: a primer on the relative nature of personal data

First look at SRB, on what is “personal data” and the relative nature of the concept. This part is all about how to determine if information relates to an “identifiable” natural person. The EU Court of Justice stresses the importance, in the case of pseudonymisation, of technical and organisational measures (TOMs) “to ensure that the […]

SRB judgment: confirming the relative concept of personal data

SRB: relative concept of personal data confirmed. [EDIT: the judgment is out and our webinar replay is linked to below] Here is a key excerpt from the press release: the Court of Justice has confirmed […] that pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for […]

Good & bad in judgment on Meta AI training & personal data (legitimate interests, sensitive data) + new French & German guidance

Does training of AI systems involve the processing of personal data, and is it permitted under the GDPR? These were the two fundamental questions that I have already looked into in two previous articles: On the date of that second article, the Cologne Higher Regional Court (the Oberlandesgericht Köln – the Cologne HRC) delivered a […]

“Better Regulation”: Rethinking (or getting rid of?) the ePrivacy Directive

The European Commission’s announcement that it will consider simplifying regulatory regimes, notably in relation to data and technology, seems to open Pandora’s box. Is it a chance to draw lessons from what works well and what works less well? In this series on “Better Regulation” in relation to the digital economy, I will be exploring […]

Comparing ICO and EDPB guidance on pseudonymisation

My reading right now – the ICO recognising (unlike the EDPB) the relative nature of personal data and the moving scale of identifiability. This guidance on Pseudonymisation & Anonymisation looks more promising than what the EDPB had published! Link: https://lnkd.in/eN7DacRV

Relative nature of personal data, consent for pseudonymisation? Dissecting the EDPS v SRB AG Opinion

Understanding what is and is not personal data is fundamental to the proper interpretation and enforcement of the most famous data protection law, the GDPR. If no personal data are being processed, the GDPR simply does not apply. Some have considered that “personal data” is an absolute concept, i.e. information can be “in and of […]

EDPB going broad on pseudonymisation

If A pseudonymises personal data of person Z and sends it to B, is it personal data from B’s perspective, even if B is never allowed to get additional information [=AddInfo] allowing the identification of Z? The EDPB suggests “yes” in its latest guidance on pseudonymisation. Based on the definition of pseudonymisation under the GDPR, […]