關(guān)于假名化的012025號(hào)指南- Guidelines 012025 on Pseudonymisation_第1頁(yè)
關(guān)于假名化的012025號(hào)指南- Guidelines 012025 on Pseudonymisation_第2頁(yè)
關(guān)于假名化的012025號(hào)指南- Guidelines 012025 on Pseudonymisation_第3頁(yè)
關(guān)于假名化的012025號(hào)指南- Guidelines 012025 on Pseudonymisation_第4頁(yè)
關(guān)于假名化的012025號(hào)指南- Guidelines 012025 on Pseudonymisation_第5頁(yè)
已閱讀5頁(yè),還剩80頁(yè)未讀, 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說(shuō)明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)

文檔簡(jiǎn)介

Adopted-versionforpublicconsultation1

Guidelines01/2025onPseudonymisationAdoptedon16January2025

Adopted-versionforpublicconsultation3

EXECUTIVESUMMARY

TheGDPRdefinestheterm‘pseudonymisation’forthefirsttimeinEUlawandreferstoitseveraltimesasasafeguardthatmaybeappropriateandeffectiveforthefulfilmentofcertaindataprotectionobligations.

Asperthatdefinition,pseudonymisationcanreducetheriskstothedatasubjectsbypreventingtheattributionofpersonaldatatonaturalperson

s1

inthecourseoftheprocessingofthedata,andintheeventofunauthorisedaccessoruse.

Applyingpseudonymisation,controllerscanthusretaintheoptiontoanalysethedata,and,optionally,tomergedifferentrecordsrelatingtothesameperson.Pseudonymisationcanalsoandoftenwillbesetupsothatitispossibletoreverttotheoriginaldata.Thus,controllerscanprocesspersonaldatainoriginalforminsomestagesoftheprocessing,andinpseudonymisedforminothers.

Pseudonymiseddata,whichcouldbeattributedtoanaturalpersonbytheuseofadditionalinformation,istobeconsideredinformationonanidentifiablenaturalperson

,2

andisthereforepersonal.Thisstatementalsoholdstrueifpseudonymiseddataandadditionalinformationarenotinthehandsofthesameperson.Evenifalladditionalinformationretainedbythepseudonymisingcontrollerhasbeenerased,thepseudonymiseddatacanbeconsideredanonymousonlyiftheconditionsforanonymityaremet.

TheGDPRdoesnotimposeageneralobligationtousepseudonymisation.Theexplicitintroductionofpseudonymisationisnotintendedtoprecludeanyothermeasuresofdataprotection(Rec.28GDPR).Itistheresponsibilityofthecontrollertodecideonthechoiceofmeansformeetingitsobligationshavingregardtotheaccountabilityprinciple.Dependingonthenature,scope,contextandpurposesofprocessing,andtherisksinvolvedinit,controllersmayneedtoapplypseudonymisationinordertomeettherequirementsofEUdataprotectionlaw,inparticularinordertoadheretothedataminimisationprinciple,toimplementdataprotectionbydesignandbydefault,ortoensurealevelofsecurityappropriatetotherisk.Insomespecificsituations,UnionorMemberStatelawmaymandatepseudonymisation.

TheriskreductionresultingfrompseudonymisationmayenablecontrollerstorelyonlegitimateinterestsunderArt.6(1)(f)GDPRasthelegalbasisfortheirprocessingprovidedtheymeettheotherrequirementsofthatsubparagraph;contributetoestablishingcompatibilityoffurtherprocessingaccordingtoArt.6(4)GDPR;orhelpguaranteeanessentiallyequivalentlevelofprotectionfordatatheyintendtoexport.

Finally,thecontributionofpseudonymisationtodataprotectionbydesignanddefault,andtheassuranceofalevelofsecurityappropriatetoriskmaymakeothermeasuresredundant–eventhoughpseudonymisationalonewillnormallynotbeasufficientmeasureforeither.

Controllersshouldestablishandpreciselydefinetheriskstheyintendtoaddresswithpseudonymisation.Theintendedreductionofthoserisksconstitutestheobjectiveofpseudonymisationwithintheconcreteprocessingactivity.Controllersshouldshapepseudonymisationinawaythatguaranteesthatitiseffectiveinreachingthisobjective.

1Foradefinitionofwhatitmeanstoattributedatatoanaturalpersonsee

paragraph17.

Preventionofattributiondoesnotimplyanonymityofthedata.

2Rec.26GDPR.

Adopted-versionforpublicconsultation4

Controllersmaydefinethecontextinwhichpseudonymisationistoprecludeattributionofdatatospecificdatasubjects.Thiscontextwillbecalledthepseudonymisationdomainintheseguidelines.Thepseudonymisationdomaindoesnothavetobeall-encompassing,butmayberestrictedtodefinedentities,mostoftentothesetofallauthorisedrecipientsofthepersonaldatathatwillprocessthedataforagivenpurpose.Theeffectivenessofpseudonymisationintheimplementationofdata-protectionprinciplesorintheassuranceofalevelofsecurityappropriatetotheriskishighlydependentonthechoiceofthepseudonymisationdomainanditsisolationfromadditionalinformationthatallowstheattributionofpseudonymiseddatatospecificindividuals.

Thus,pseudonymisationisasafeguardthatcanbeappliedbycontrollerstomeettherequirementsofdataprotectionlawand,inparticular,todemonstratecompliancewiththedataprotectionprinciplesinaccordancewithArt5(2)GDPR.Theseguidelineswillhelpcontrollerstochooseeffectivetechniquesforthemodificationoforiginaldata,toprotectpseudonymiseddatafromunauthorisedattribution,andtomanageuserrightswhenprocessingpseudonymiseddata.

Controllersmustalwaysbearinmindthatpseudonymiseddata,whichcouldbeattributedtoanaturalpersonbytheuseofadditionalinformation,remainsinformationrelatedtoanidentifiablenaturalperson,andthusispersonaldata(Rec.26GDPR).Therefore,theprocessingofsuchdataneedstocomplywiththeGDPR,includingtheprinciplesoflawfulness,transparency,andconfidentialityunderArt.5GDPR,andtherequirementsofArt.6GDPR.Controllersmustmaintainanappropriatelevelofsecuritybyimplementingfurthertechnicalandorganisationalmeasures.Finally,controllersmustensuretransparency,andneedtofacilitatetheexerciseofthedatasubjectrightssetoutinChapterIIIoftheGDPR,unlesstheexceptionprovidedforinArt.11(2)and12(2)GDPRapplies.

Adopted-versionforpublicconsultation5

TableofContents

Executivesummary 3

1Introduction 7

2Definitionsandlegalanalysis 9

2.1Legaldefinitionofpseudonymisation 9

2.2Objectivesandadvantagesofpseudonymisation 10

2.2.1Riskreduction 10

2.2.2Analysisofpseudonymiseddataandplannedattribution 11

2.3Pseudonymisationdomainandavailablemeansforattribution 12

2.4Meetingdata-protectionrequirementsusingpseudonymisation 13

2.4.1Pseudonymisationasaneffectivemeasurefordataprotectionbydesignandbydefault 13

2.4.2Ensuringalevelofsecurityappropriatetotherisk 15

2.4.3Pseudonymisationasasupplementarymeasureforthirdcountrydatatransfers 16

2.5Transmissionofpseudonymiseddatatothirdparties 17

2.6Implicationsfortherightsofthedatasubjects 19

2.7Unauthorisedreversalofpseudonymisation 19

3Technicalmeasuresandsafeguardsforpseudonymisation 20

3.1Pseudonymisingtransformation 20

3.1.1Structureofthepseudonymisingtransformation 20

3.1.2Typesofpseudonymisingtransformations 21

3.1.3Modificationoforiginaldatanecessaryfortheobjectivesofpseudonymisation 22

3.1.4Pseudonymisationinthecourseofdatacollection 23

3.2Technicalandorganisationalmeasurespreventingunauthorisedattributionofpseudonymised

datatoindividuals 24

3.2.1Preventingreversalofthepseudonymisingtransformation 24

3.2.2Securingthepseudonymisationdomain 25

3.3Linkingpseudonymiseddata 25

3.3.1Controllingthescopeforthelinkageofpseudonymiseddata 26

3.3.2Linkingdatapseudonymisedbydifferentcontrollers 27

3.4Summaryofproceduresforpseudonymisation 29

Annex-ExamplesoftheApplicationofPseudonymisation 31

Example1:Dataminimisationandconfidentialityininternalanalysis 31

Example2:Separationoffunctionsallowingfordataminimisation,purposelimitation,and

confidentiality 32

Example3:Dataminimisationandpurposelimitationinthecourseofexternalanalysis 34

Example4:Safeguardingidentity-confidentialityandaccuracy 36

Adopted-versionforpublicconsultation6

Example5:Secondaryuseforresearch 37

Example6:Reductionofconfidentialityrisks 39

Example7:Riskreductionasafactorinthebalancingofinterests,andascertainmentofcompatibility

ofpurposes 40

Example8:Riskreductionjustifyingfurtherprocessing 42

Example9:Supplementarymeasure 43

Example10:Grantingaccessrightstopseudonymiseddata 45

Glossary 45

Adopted-versionforpublicconsultation7

TheEuropeanDataProtectionBoard

HavingregardtoArticle70(1)(e)oftheRegulation2016/679/EUoftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC,(hereinafter“GDPR”),

HavingregardtotheEEAAgreementandinparticulartoAnnexXIandProtocol37thereof,asamended

bytheDecisionoftheEEAjointCommitteeNo154/2018of6July201

83,

HavingregardtoArticle12andArticle22ofitsRulesofProcedure,

HASADOPTEDTHEFOLLOWINGGUIDELINES

1INTRODUCTION

1.Theseguidelinesintendtoclarifytheuseandbenefitsofpseudonymisationforcontrollersandprocessors.

2.TheGDPRdefinestheterm‘pseudonymisation’forthefirsttimeinEUlawandreferstoitseveraltimesasasafeguardthatmaybeappropriateandeffectiveforthefulfilmentofdataprotectionobligations.EUandMemberStatelawisrelyingonthatdefinitionwhenrequiringorrecommendingtheuseofpseudonymisation,see,e.g.,Art.17(1)(g)ofRegulation(EU)2023/2854orArt.44(3)oftheEuropeanCommission’sProposalforaRegulationontheEuropeanHealthDataSpac

e4.

3.Art.4(5)GDPRdefinespseudonymisationasamannerofprocessingwithprescribedeffectsandcallsforcertainmeasuresbywhichthoseeffectsaretobeachieved.

4.Thedesiredeffectofpseudonymisationistocontroltheattributionofpersonaldatatospecificdatasubjectsbydenyingthisabilitytosomepersonsorparties.TheGDPRdoesnotspecifywhothosepersonsorpartiesaretobe,leavingit–absentspecificrequirementsbyotherEUorMemberStatelaw–tothecontroller’sdecision.Recital29makesclearthat,whenthepseudonymisationiscarriedoutwithinthesamecontroller,theeffectsmightbeconfinedtospecificpartsofthecontroller’sorganisation.

5.Therearethreeactionscontrollersshouldtaketoachievethedesiredeffect.First,theyneedtomodifyor

transform5

thedata.Second,theyneedtokeepadditionalinformationforattributingthepersonaldatatoaspecificdatasubjectseparately,i.e.separatefromthosewhoaretobepreventedfromachievingsuchanattribution.Last,theyneedtoapplytechnicalandorganisationalmeasurestoensurethatthepersonaldataarenotattributedtoanidentifiedoridentifiablenaturalperson.Inparticular,theyneedtopreventtheunauthoriseduseofthe

3Referencesto“MemberStates”madethroughoutthisdocumentshouldbeunderstoodasreferencesto“EEAMemberStates”.

4See

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52022PC0197.

5Theguidelinesusetheterms“transform”and“transformation”torefertoamodificationofthedataforpseudonymisationandfitnessforsubsequentprocessinginpseudonymisedform.

Adopted-versionforpublicconsultation8

additionalinformationtheycontrolandcontroltheflowofpseudonymiseddatatotheextentpossible.

6.Pseudonymisationasatechnicalmeasurefortheprotectionoftheprivacyofindividualshasbeenaroundforalongtime.Thecommonunderstandingofpseudonymisationinvolvesthereplacementofidentifiersofindividualsbypseudonyms.Inthisprocess,thepseudonymsaretobechoseninawaythattheydonotrevealtheidentityoftheindividualtheyareassignedto.ThelegaldefinitionpresentedbytheGDPRdiffersfromthatunderstandinginthreesignificantways.

7.First,thelegaldefinitiontakesamorecomprehensiveviewoftheeffectofpseudonymisation.Itshallnolongerbepossibletoattributethepersonaldatatoaspecificdatasubjectwithouttheuseofadditionalinformation.Thisrequiresalookatallpartsofthepersonaldata,notonlythepseudonyms.

8.Second,itdoesnotevenexplicitlyrequirethereplacementofdirectidentifier

s6

bypseudonyms.Itisclearthatdirectidentifiersneedtoberemovedfromdataifthosedataarenottobeattributedtoindividuals.Moreover,Art.4(5)GDPRprovidesfortheretentionofadditionalinformationthatallowsattributionofthedatatoindividuals.Duringattribution,alinkwillbemadebetweenthedataorpartsthereoftoidentifiersoftheindividuals.Thislinkwillusually,butnotnecessarily,startwithpseudonymsinsertedintothedata,preciselywiththeaimofallowingforattributioninauthorisedcircumstances.

9.Third,itrequiresmorethanjustthetransformationofdata.Itrequiresadditionaltechnicalandorganisationalmeasurestoensurethatthepersonaldataarenotattributedtoanidentifiedoridentifiablenaturalperson.Typicallysuchmeasureslimitaccesstotheretainedadditionalinformation(e.g.keysortablesofpseudonyms),andcontroltheflowofpseudonymiseddata.

10.Theseguidelineswillfirsthaveacloserlookatthelegaldefinitionofpseudonymisationandthetermsusedtherein.Whatisattribution?Whatistobeconsideredadditionalinformation?Akeyaspectevolvingfromthisanalysisarethemanyoptionsforcontrollerstotailortheirpseudonymisationprocessestotheobjectivestheyintendtoachieve.Theguidelinesintroduceanewconcept,calledpseudonymisationdomain,tocaptureoneaspectofthatfreedom:todeterminewhoshouldbeprecludedfromattributingthepseudonymiseddatatoindividuals.

11.Inasecondstep,theguidelinesshowhowcontrollersandprocessorscanusepseudonymisationtomeetdata-protectionrequirements.Whilepseudonymisationisapowerfulandrelevantmeasure,thedocumentshowsthatitwillalwaysneedtobecomplementedbyfurthermeasures.TheGuidelineshighlightthebenefitsofpseudonymisation.Theyshowinparticularhowpseudonymisationservesasameasurefordataprotectionbydesignandbydefault,andasameasurecontributingtoensuringalevelofsecurityappropriatetotheriskofprocessing.Atleastinthelattercase,theeffectofpseudonymisationwillhavetobemeasuredagainstthecapabilitiesofpersonsorpartiesactingwithoutauthorisation.

12.Inathirdpart,theguidelineswilllookattheimplementationofpseudonymisation.Howshouldpersonaldatabetransformedtopseudonymiseit?Howshouldunauthorisedattributionbeprevented?Howshoulddifferentpseudonymiseddatasetsbelinked,andhowcouldsuchlinkagebecontrolled?

6Seethedefinitionofthistermintheglossary.

Adopted-versionforpublicconsultation9

13.Oftenitisimportanttolookbeyondtheconfinesoftheorganisationofasinglecontrollerpseudonymisingthedata.Personaldataisfrequentlypseudonymisedbeforeitissharedwithothercontrollersortoprocessorstolimittherisksinvolvedinthatsharing.Pseudonymiseddatacomingfromdifferentcontrollersmightneedtobebroughttogetherandlinked.Or,incontrast,differentdatasetsneedtobepseudonymisedinawaythatassuresthattheycannotbelinked.

14.Theguidelinesclosewithasummaryofproceduresforpseudonymisation,whichispresentednotasaprescription,butasguidanceforthestepscontrollersandprocessorscouldtaketoensurethatthepseudonymisationtheyimplementiseffective.

15.Annexedtotheguidelines,thereaderswillfindseveralexamplesshowingtheuseof

pseudonymisationtolimitrisksfordatasubjectsinreallifescenarios.

2DEFINITIONSANDLEGALANALYSIS

2.1Legaldefinitionofpseudonymisation

16.PseudonymisationisdefinedinArt.4(5)GDPRas“theprocessingofpersonaldatainsuchamannerthatthepersonaldatacannolongerbeattributedtoaspecificdatasubjectwithouttheuseofadditionalinformation,providedthatsuchadditionalinformationiskeptseparatelyandissubjecttotechnicalandorganisationalmeasurestoensurethatthepersonaldataarenotattributedtoanidentifiedoridentifiablenaturalperson.”

17.Toattributedatatoaspecific(identified)personmeanstoestablishthatthedatarelatetothatperson.Toattributedatatoanidentifiablepersonmeanstolinkthedatatootherinformationwithreferencetowhichthenaturalpersoncouldbeidentified.Suchalinkcouldbeestablishedonthebasisofoneorseveralidentifiersoridentifyingattributes.

18.Pseudonymisationgenerallyrequirestheapplicationofapseudonymisingtransformation.Thisisaprocedurethatmodifiesoriginaldatainawaythattheresult—thepseudonymiseddata—cannotbeattributedtoaspecificdatasubjectwithoutadditionalinformation.Thepseudonymisingtransformationmayandregularlydoesreplacepartoftheoriginaldatawithoneorseveralpseudonyms—newidentifiersthatcanbeattributedtodatasubjectsonlyusingadditionalinformation.Fordetails,seesection

3.1.1.

TheseguidelineswillcallcontrollersthatusepseudonymisationasasafeguardandmodifyoriginaldataaccordingtoArt.4(5)GDPRpseudonymisingcontrollers.Similarterminologyisusedforprocessors.

19.Additionalinformationisinformationwhoseuseenablestheattributionofpseudonymiseddatatoidentifiedoridentifiablepersons.Thegeneration,oruseofadditionalinformationisaninherentpartofthepseudonymisingtransformation.

20.Itincludesinformationthatisretainedaspartofthepseudonymisationprocessforconsistentpseudonymisationofdifferentitemsofpersonaldatarelatingtothesamedatasubjectandinformationthatiskepttobeusedforlaterreversalofpseudonymisation.Suchadditionalinformationmayconsistoftablesmatchingpseudonymswiththeidentifyingattributestheyreplace.Itmayalsoconsistofcryptographickeys.Additionalinformationkeptbyapseudonymisingcontrollerorprocessormustbesubjecttotechnicalandorganisationalmeasurestoensurethatthepersonaldataarenotattributedtoanidentifiedoridentifiablenaturalperson.Inparticular,theadditionalinformationisnottobedisclosedtoorusedbypersonsprocessing

Adopted-versionforpublicconsultation10

thepseudonymiseddata.SuchadditionalinformationmayitselfbepersonaldataandsoalsosubjecttotheGDPR.

21.Additionalinformationmayalsoexistbeyondtheimmediatecontrolofthepseudonymisingcontrollerorprocessor.Thepseudonymisingcontrollerorprocessorshouldtakesuchinformationintoaccountintheassessmentoftheeffectivenessofpseudonymisationtotheextentsuchinformationcanreasonablybeexpectedtobeavailable.Forexample,informationfrompubliclyaccessiblesources,suchaspostsinasocialmediaoranonlineforum,maycontributetotheattributionofpseudonymiseddatatodatasubjects.Thisassessmentwillhelpdetermineifanyfurthermeasuresneedtobeimplementedtoavoidattribution.

22.Pseudonymiseddata,whichcouldbeattributedtoanaturalpersonbytheuseofadditionalinformation,istobeconsideredinformationonanidentifiablenaturalperson

,7

andisthereforepersonal.Thisstatementalsoholdstrueifpseudonymiseddataandadditionalinformationarenotinthehandsofthesameperson.Ifpseudonymiseddataandadditionalinformationcouldbecombinedhavingregardtothemeansreasonablylikelytobeusedbythecontrollerorbyanotherperson,thenthepseudonymiseddataispersonal.Evenifalladditionalinformationretainedbythepseudonymisingcontrollerhasbeenerased,thepseudonymiseddatabecomesanonymousonlyiftheconditionsforanonymityaremet.

23.Pseudonymisationisatechnicalandorganisationalmeasurethatallowscontrollersandprocessorstoreducetheriskstodatasubjectsandmeettheirdata-protectionobligations,forexampleunderArt.25or32GDPR.Therefore,ifacontrollerprocessespersonaldataandappliespseudonymisationintheprocess,thenthelegalbasisfortheprocessingofthepersonaldataextendstoallprocessingoperationsneededtoapplythepseudonymisingtransformation.

24.UnionorMemberStatelawmayrequirepseudonymisationofpersonaldatafortheprocessingofpersonaldatainspecificsituations,e.g.whenprovidingforalegalbasisunderArt.6(1)(c)or(e)GDPRinaccordancewithArt.6(3)GDPR,orasafurtherconditioninaccordancewithArt.9(4)GDPR.Insuchcases,thelawmayalsolaydownspecificrequirementsthepseudonymisationprocessoroutputhastomeet,ortheobjectivesitshouldachieve.

25.Whensuchspecificmandatesforpseudonymisationareabsent,controllersthemselvesmaydefinetheobjective

s8

thatpseudonymisationshouldachieve.Thoseobjectivesmaybeconnectedwiththeprocessingtheyintendtoperformthemselvesorwithanysubsequentprocessingofthepseudonymiseddatabyrecipientsofthosedata.

2.2Objectivesandadvantagesofpseudonymisation

26.InaccordancewithRec.28GDPR,pseudonymisingdatareducesrisksfordatasubjectswhileallowinggeneralanalysis.

2.2.1Riskreduction

27.Pseudonymisationreducesconfidentialityriskswhendoneeffectively,whichpresumesthattheadditionalinformationreferredtoinparagraph

20

aresubjecttothemeasuresprovidedinArt.

7Rec.26GDPR.

8Theseguidelinesdistinguishbetweenthe

purposeoftheprocessingofpersonaldataaccordingtoArt.5(1)(b)

GDPR,andtheobjectiveofasafeguardlike

pseudonymisationemployedduringthatprocessing,whichconsists

inacertainaspectofthefulfilmentofdata

protectionobligations.

Adopted-versionforpublicconsultation11

4(5)GPDR.Itdoessointwoways.First,itpreventsthedisclosureofdirectidentifiersofdatasubjectstosomeoralllegitimaterecipientsofthepseudonymiseddata.Second,intheeventofunauthorizeddisclosureoraccesstodatathathasbeeneffectivelypseudonymised,pseudonymisationcanreducetheseverityoftheresultingconfidentialityriskandtheriskofnegativeconsequencesofsuchdisclosureoraccesstothedatasubjects,providedthatthepersonstowhomthedataisdisclosedarepreventedfromaccessingadditionaldata.

28.Pseudonymisationcanreducerisksoffunctioncreep,i.e.theriskthatpersonaldataisfurtherprocessedinamannerthatisincompatiblewithpurposesforwhichitwascollected.Thisisbecauseprocessorsorpersonsactingundertheauthorityofthecontrolleroroftheprocessor,whohaveaccesstothepseudonymiseddata,arenotabletousethosedataforpurposeswhosefulfilmentrequiresattributiontothedatasubjects.Inparticular,thisconcernspurposeswhosefulfilmentrequiresanydirectinteractionwiththedatasubjects.

29.Finally,dependingonthetechniquesused,assigningwidelydifferingpseudonymstopersonswithverysimilaridentifyingattributes,maynotonlyenhanceconfidentiality,butalsoreduceriskstoaccuracyofthedatabyreducingtheriskofincorrectlyattributingdataorobjectstothewrongdatasubjects

.9

30.Theeffectivenessoftheimplementationofpseudonymisationdeterminestheextentofthereductionofrisksforthedatasubjectsandthebenefitsthecontrollersmayderivefromit,includingthefulfilmentofdata-protectionobligationsaccordingtoArt.24,25and32GDPR,seesections

2.4.1

and

2.4.2

below.

2.2.2Analysisofpseudonymiseddataandplannedattribution

31.Pseudonymiseddatacanoftenbeusefullyanalysedsince,inlargepart,theinformationcontentoftheoriginaldatacanstillbeevaluated.Moreover,theinsertionofpseudonymsenablesthelinkageofvariousrecordsofpseudonymiseddatarelatingtothesamepersonwithouttheneedtouseadditionalinformation

.10

32.Aftertheanalysishasbeenperformed,pseudonymisationmaybepartiallyorcompletelyreversedby

a.identifyingthedatasubject,

b.linkingpseudonymisedtooriginaldata,or

c.reconstitutingoriginaldatafrompseudonymiseddata

usingadditionalinformationkeptbythecontrollerforthatpurpose(plannedattribution).Thisreversalshouldbeperformedbypersonsspecificallyauthorisedforthispurpose,asperRec.29GDPR.Underthesameconditions,pseudonymisationmayalsobereversedinindividualcasesduetosingularcircumstancesapplyingtothem,whilecontinuingtoprocessthebulkofthedatabydefaultinapseudonymisedmanner.SeeExample3intheannex.

9SeeExample4intheannex

10Suchlinkagemightberequiredandlawfulonlyundercertainconditions.However,controllerscanshapethepseudonymisationtransformationinawaythatlimitstheabilitytolinkvariousitemsofpseudonymiseddataaccordingly,

溫馨提示

  • 1. 本站所有資源如無(wú)特殊說(shuō)明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請(qǐng)下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請(qǐng)聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁(yè)內(nèi)容里面會(huì)有圖紙預(yù)覽,若沒(méi)有圖紙預(yù)覽就沒(méi)有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫(kù)網(wǎng)僅提供信息存儲(chǔ)空間,僅對(duì)用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對(duì)用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對(duì)任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請(qǐng)與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對(duì)自己和他人造成任何形式的傷害或損失。

最新文檔

評(píng)論

0/150

提交評(píng)論