Yes, effective anonymization of personal data is possible, but only when the identification of a natural person is no longer possible using means that are reasonably likely to be used. Merely removing a name, surname, or PESEL number does not yet constitute anonymization. In many cases, the data can still enable identification of a person by combining it with other information.
Anonymization requires the use of appropriate technical and organizational measures, as well as an assessment of the risk of re-identification. It is precisely the possibility of reconstructing someone’s identity that determines whether data is still subject to GDPR. This article explains the difference between anonymization and pseudonymization, when data ceases to be personal data, and which anonymization methods are currently considered effective.
From the article you will learn that:
Anonymization of personal data is the process of permanently and irreversibly transforming data in such a way that identifying a natural person is no longer possible using means that are reasonably likely to be used. Properly anonymized data ceases to be personal data and is not subject to GDPR.
Practice shows that one of the biggest problems for organizations is confusing anonymization with pseudonymization. However, according to the position of the European Data Protection Board (EDPB), pseudonymized data remains personal data, because it is possible to reassign it to a specific individual using additional information kept separately.
Anonymization is different. Data can be considered effectively anonymized only when identification is not possible using means that are reasonably likely to be used. Properly carried out anonymization means that further processing of such information is no longer subject to GDPR.
| Feature | Anonymization | Pseudonymization |
|---|---|---|
| Possibility of identification | No | Yes |
| Is GDPR applicable | No | Yes |
| Reversibility | No | Yes |
| Personal data | No | Yes |
From a legal perspective, anonymization is possible. In practice, however, achieving permanent and irreversible anonymization is increasingly difficult. European data protection authorities have long emphasized that assessing anonymization effectiveness must take into account not only the dataset itself, but also available technologies, the possibility of combining data with other sources, and the real risk of re-identification.
This means that removing names, surnames, or PESEL numbers is usually not sufficient. In many cases, identification may be possible based on seemingly neutral information such as age, place of residence, job position, or event history.
Effective anonymization should be based on a combination of several technical and organizational methods, in particular:
A key element is conducting a re-identification test, i.e. attempting to answer whether a person with reasonable resources could re-establish the identity of the data subject.
In practice, effective anonymization usually requires the use of several methods at once. The choice of techniques depends on the type of data, the purpose of further use, and the risk of re-identification.
Anonymization is currently at the center of attention of European data protection authorities. In 2025, the EDPB published guidelines on pseudonymization, emphasizing the need to distinguish it from anonymization and noting that pseudonymized data generally remains personal data.
At the same time, the EDPB has initiated broader work on anonymization and pseudonymization, organizing dedicated consultation events focused on how new technologies affect the ability to identify individuals.
The President of the Personal Data Protection Office (UODO) also currently places particular emphasis on the correctness of anonymization processes. This topic has been highlighted in recent events and presentations organized by UODO, pointing to the growing importance of proper anonymization in both public and private sectors.
Effective anonymization is possible, but it requires much more than removing basic identifiers. The modern approach presented by the EDPB, national supervisory authorities, and European case law is based on assessing the real risk of re-identification. In practice, this means the need to apply multi-layered technical methods and regularly verify whether technological developments have reduced the effectiveness of previously applied anonymization mechanisms.
Organizations should remember that the boundary between anonymization and pseudonymization is crucial. Only data that has been effectively and irreversibly anonymized ceases to be subject to GDPR requirements. In all other cases, it should be assumed that the data remains personal data and that the full data protection regime under European law applies.
We support organizations in assessing anonymization effectiveness, preparing procedures, and conducting GDPR compliance audits.
If data has been effectively and irreversibly anonymized, it is no longer personal data under GDPR. It can therefore be used for statistical analysis or training AI models without applying GDPR provisions. However, it is crucial to demonstrate that the risk of re-identification is negligible.
The assessment should be carried out by the data controller, preferably in cooperation with experts in data protection, information security, and risk analysis. In more complex projects, an independent audit is advisable.
Not always. As technology evolves and new data sources emerge, the risk of re-identification may increase. Therefore, organizations should periodically verify the effectiveness of applied methods.
This is particularly difficult. Biometric data is inherently unique and often allows identification even after other information has been removed. In practice, very advanced anonymization methods are required.
Yes. The higher the level of anonymization, the greater the risk of losing detail and accuracy. Organizations must strike a balance between privacy protection and data utility.
Proper anonymization should be irreversible. If identifying an individual is still possible, then it is pseudonymization or insufficient anonymization.
The most common errors include limiting anonymization to removing direct identifiers, failing to perform re-identification tests, ignoring the possibility of linking datasets, and not conducting periodic effectiveness assessments.
Yes, but not every modification method leads to anonymization. It depends on whether, after applying appropriate methods, identification of a specific individual or device is still possible. In many cases, partial masking results only in pseudonymization.
A good practice is to prepare documentation describing the applied anonymization methods, the re-identification risk assessment, the results of re-identification tests, and the justification for why the data does not allow identification of individuals. Such documentation can serve as important evidence in case of a supervisory authority inspection.
Sources