Unauthorised Reversal of Pseudonymisation

The GDPR does not recognise many different categories of data. According to the "all or nothing" approach, in principle, all provisions of the GDPR apply equally to all personal data. There are gradations only for special categories of data (Art. 9, 10 GDPR), for data of children (Art. 8 GDPR), for data subject to a special obligation of secrecy [Tile DS.16] and for pseudonymised data.

Pseudonymised data are considered personal data (EC 26 (2) GDPR). However, in the case of pseudonymised data, the attribution to a specific data subject is made more difficult [cf. definition in Art. 4 No. 5 GDPR] in such a way that the risks for the data subject are deemed to be lower (Rec. 28 (1) GDPR).

Pseudonymisation carried out by the controller is particularly protected by the GDPR. The unauthorised reversal of pseudonymisation is considered a specific risk by Rec. 75 and 85 (1) GDPR and thus also a specific infringement by the GDPR.

The following provisions of the GDPR deal with pseudonymisation:

Articles: 4 No. 5, 6 IV e, 25 I, 32 I a, 40 II d and 89 I GDPR.

Recitals: 26 (2), 28, 29, 75; 78 (3), 85 (1) and 156 (3) GDPR.