Quiz Entry - updated: 2026.07.05
Why is pseudonymised data still treated as personal data under the GDPR?
Because the de-identification is reversible — re-identification is merely harder, not impossible — so the full GDPR still applies.
Pseudonymisation lowers risk but doesn't break the link to a person. Re-identification stays possible through three routes even without the key:
- Isolating records — individuals may still be singled out via unique attributes introduced or left in by the pseudonymization.
- Establishing links — the same pseudonym used consistently for one person, or shared attributes across datasets, re-connects records.
- Making inferences — an attacker deduces a real identity from the dataset itself or from other databases sharing the same pseudonymized attribute.
Because identity can be restored, pseudonymous data is still personal data — you must comply with every GDPR rule when using it. This is the single most common misconception: people treat "pseudonymized" as if it meant "anonymized." It doesn't.
Go deeper:
GDPR Recital 26 (gdpr-info.eu) — states pseudonymised data remains personal if attribution is possible.
Pseudonymization (Wikipedia) — why re-identification stays possible without the key.