What is the difference between absolute anonymization and factual anonymization?
Absolute anonymization means no one — not even the data controller — can ever restore the personal reference. Factual anonymization means re-identification is theoretically possible but practically infeasible given current technology and resources.
Absolute anonymization:
- The personal reference is permanently destroyed
- No key, no mapping, no technical means exist to reverse it
- Even the organization that anonymized the data cannot undo it
- Rarely achievable in practice
Factual anonymization:
- Re-identification is theoretically possible but would require disproportionate effort
- The effort needed exceeds what any reasonable attacker would invest
- Considered sufficient under most data protection frameworks
- Must be regularly re-evaluated as technology advances
Why this distinction matters:
Under GDPR and revDSG, data that is either absolutely OR factually anonymized falls outside the scope of data protection regulation — the source states the data protection laws do not apply to both forms. The practical question is almost always about factual anonymization: what counts as "sufficient" effort to make re-identification disproportionate is debated and evolving, because advances in computing power, AI, and available datasets can turn factually anonymous data back into re-identifiable data over time. Because a controller cannot know what extra knowledge a third party holds, it must structurally ensure no de-anonymization is possible regardless of such side knowledge.
Tip: Think of it like shredding a document — cross-cut shredding (factual anonymization) makes reconstruction impractical, while incineration (absolute anonymization) makes it impossible.
Go deeper:
Data anonymization (Wikipedia) — anonymization operations and the residual re-identification risk.