During its January 2025 plenary meeting, the European Data Protection Board (EDPB) adopted guidelines on pseudonymisation, as well as a statement on the interplay of competition law and data protection.
Pseudonymisation
The GDPR refers to the term “pseudonymisation” as a safeguard that may be appropriate and effective to meet data protection obligations. The EDPB has made two clarifications:
- Pseudonymised data, which could be attributed to an individual by using additional information, remains information related to an identifiable natural person and is therefore still personal data. If the data can be linked back to an individual by the data controller or someone else, it remains personal data.
- Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis (Article 6(1)(f)), if all other GDPR requirements are met. Likewise, pseudonymisation can help to comply with the original purpose (Article 6(4)).
The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Article 5), data protection by design and default (Article 25) and security (Article 32).
Finally, the guidelines cover confidentiality and preventing unauthorised identification of individuals.
The EDPB is consulting on the guidelines. The consultation ends on 28 February 2025.
Data protection and competition law
The EDPB also adopted a position paper on the interplay between data protection law and competition law.
The CJEU’s ruling in Meta vs. Bundeskartellamt showed that data protection and competition authorities are often required to work together to achieve effective and coordinated enforcement of data protection and competition law. Although these are separate areas of law pursuing different goals in different frameworks, they may in some cases apply to the same entities. As a result, it is important to assess situations where the laws may intersect.
In its position paper, the EDPB explains how data protection and competition law interact. It suggests steps for incorporating market and competition factors into data protection practices and for data protection rules to be considered in competition assessments. It also provides recommendations for improving cooperation between regulators. For example, authorities should consider creating a single point of contact to manage coordination with other regulators.
Report on right of access
The European Data Protection Board has also adopted a report on data controllers’ implementation of the right of access. It summarises the outcome of a series of coordinated national actions carried out in 2024 by European regulators under the Coordinated Enforcement Framework (CEF).
Several challenges were identified. One was the lack of documented internal procedures to handle access requests. In addition, inconsistent and excessive interpretations of the limits to the right of access were also observed, such as overreliance on certain exceptions to automatically refuse access requests. Regulators also noted the barriers that individuals could encounter when exercising their right of access, such as formal requirements or being requested to provide excessive identification documents. For each challenge identified, the report provides a list of non-binding recommendations to be considered by data controllers and regulators.
Despite the challenges, two thirds of participating regulators evaluated the level of compliance of responding controllers from ‘average’ to ‘high’. One important factor identified as having an impact on the level of compliance was the volume of access requests received by controllers, as well as the size of the organisation. More specifically, large-sized controllers or controllers receiving more requests were more likely to achieve a higher level of compliance than small organisations with less resources. Positive findings were observed across Europe. These include the implementation of best practices by controllers, such as user-friendly online forms enabling individuals to submit an access request easily as well as self-service systems to allow individuals to autonomously download their personal data in a few clicks and at any time.
The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among regulators. The CEF 2025 action will be on the implementation of the right to erasure.
