LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is the GDPR bar for anonymisation (Recital 26), and why is it so hard to meet?

Data is anonymised only when the subject is no longer identifiable by anyone, directly or indirectly — an absolute standard that's very hard to guarantee.

Recital 26 sets the test: identification must be impossibledirectly or indirectly, and by anyone (including you, the controller, with all the auxiliary data the world might hold). Clear it and the data leaves GDPR scope.

That "by anyone, forever" framing is why true anonymization is so difficult: you're betting against all present and future auxiliary datasets and re-identification techniques. The Netflix and AOL re-identification cases show how often that bet is lost.

Important caveat: everything done before anonymisation is still personal-data processing, and the anonymisation process itself is subject to the GDPR. So you still need a lawful basis, documentation, and safeguards right up to the moment the data becomes truly anonymous.

Go deeper:

From Quiz: PRIVACY / Data Anonymization — k-Anonymity, l-Diversity & Re-identification | Updated: Jul 05, 2026