• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
ITMediaLaw - Rechtsanwalt Marian Härtel
Warenkorb
Plugin Install : Cart Icon need WooCommerce plugin to be installed.
  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Data protection Law

GDPR and Pseudonymization: A Surprising Ruling by the ECJ

5. June 2023
in Data protection Law, EU law
Reading Time: 4 mins read
0 0
A A
0
dsgvo 3589608 1280
Key Facts
  • The European Court ruled that the GDPR does not apply to pseudonymized data that has no direct personal reference.
  • It must no longer be possible to assign pseudonymized data to an identifiable person without additional information.
  • The ruling could have far-reaching consequences for companies and their data protection practices.
  • Technical and organizational risk mitigation measures are necessary to respond to data protection regulations.
  • The EDPS decided not to use remedial powers as the SRB had taken measures to ensure data protection.
  • Recommendation to the SRB: Data protection declarations should cover all potential data recipients and data processing.
  • The ruling emphasizes the need to ensure transparency with regard to data processing and the identity of recipients.

Introduction

Content Hide
1. Introduction
2. What is pseudonymization?
3. Key points of the ruling
4. Impacts and recommendations
5. Conclusion and outlook: Data protection and pseudonymization in practice

The application of the General Data Protection Regulation (GDPR) to pseudonymized data is a controversial topic that generates much debate in the legal and data protection community. Pseudonymized data is data where identifiers have been removed or replaced to prevent or make it significantly more difficult to identify the data subjects. However, the question of whether this data qualifies as personal data within the meaning of the GDPR is controversial.

Recently, the Court of Justice of the European Union (CFI) issued a surprising ruling that calls into question previous legal practice and is causing a stir. In a decision that many consider unexpected, the court ruled that the GDPR does not apply when it comes to pseudonymized data that has a relative personal reference. This means that the data has been processed in such a way that it can no longer be directly assigned to a specific person without additional information.

The court went further and found that the GDPR does not apply even if the data recipient has no means of re-identification. In other words, if the recipient of the data is not able to attribute the pseudonymized data to a specific person, this data is not covered by the GDPR. This ruling represents a significant change in the interpretation and application of the GDPR and could have far-reaching effects on the data protection practices of companies and organizations.

What is pseudonymization?

Pseudonymization is a process in which personal data are processed in such a way that they can no longer be assigned to a specific data subject without additional information. This is often achieved by replacing identifying elements in the data with artificial identifiers or pseudonyms. This additional information needed for identification must be kept separately and be subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

A good example of such a practice is the use of truncated IP addresses in tools such as Google Analytics. In this case, the IP address that could provide a direct link to a specific user is shortened or “masked” to prevent the identification of the user. While this protects the user’s privacy, it also presents a challenge for the application of the GDPR.

The question is whether such pseudonymized data, such as truncated IP addresses, should be considered personal data in the sense of the GDPR. The recent ECJ ruling suggests that this is not the case if the recipient of the data has no possibility of re-identification. This could mean that companies using techniques such as IP masking may not have to comply with the full requirements of the GDPR.

However, it is important to emphasize that this is a complex and rapidly evolving area of law. Companies should therefore ensure that they regularly keep abreast of the latest developments and rulings and adapt their data protection practices accordingly.

Key points of the ruling

The court found that the data shared by the SRB with Deloitte could be considered pseudonymized data because the consultation phase responses were personal data and the SRB shared the alphanumeric code that allowed the responses received during the registration phase to be linked to those received during the consultation phase.

It was also found that Deloitte was a recipient of personal data of the complainants within the meaning of Article 3 No. 13 of Regulation 2018/1725. The fact that Deloitte is not mentioned in the SRB’s privacy statement as a potential addressee of the personal data collected and processed by the SRB as a controller in the context of the consultation procedure constitutes a violation of the data protection principles set forth in Art. 15 para. 1(d) of Regulation 2018/1725 constitutes a duty to provide information.

Impacts and recommendations

Despite the identified breach, the EDPS decided not to make use of his remedial powers under Article 58(2). 2 of Regulation 2018/1725, as the SRB had put in place technical and organizational measures to mitigate risks to the right of individuals to the protection of their data in the context of the procedure concerning the right to be heard.

However, the EDPS recommended the SRB to ensure in future procedures concerning the right to be consulted that its privacy statements cover the processing of personal data during both the registration and consultation phases and that they include all potential recipients of the data collected in order to comply with the information obligation towards data subjects pursuant to Article 15 of Regulation 2018/1725.

Conclusion and outlook: Data protection and pseudonymization in practice

This ruling by the ECJ underscores the importance of data protection in all aspects of data processing, including sensitive areas such as bank processing. It emphasizes the need for all parties involved, including external consultants, to comply with data protection rules and ensure transparency to data subjects regarding the processing of their personal data and the identity of the recipients of that data.

The ruling also shows that the EDPS is willing to take pragmatic decisions when organizations take measures to mitigate risks, even if they have violated data protection rules. However, it is clear that such breaches should be taken seriously and avoided to ensure public confidence in compliance with data protection rules.

It remains to be seen how this ruling will affect the future application of the GDPR. However, it emphasizes the need to comply with data protection regulations in all aspects of data processing and to respect the rights of data subjects.

Overall, this case shows that the topic of data protection, and in particular the application of the GDPR to pseudonymized data, continues to be a dynamic and complex field that requires constant attention and adaptation. It is an important notice for all organizations that process personal data and emphasizes the need to comply with data protection regulations in all aspects of data processing and to respect the rights of data subjects.

Tags: CustomizationEntscheidungenGeneral Data Protection RegulationGoogleIP addressJudgmentsLegal fieldPersonal dataPrivacyRegulation

Weitere spannende Blogposts

Supreme Federal Courts on Mastodon

Supreme Federal Courts on Mastodon
2. March 2023

Since yesterday, the offerings of the Federal Court of Justice, the Federal Administrative Court, the Federal Fiscal Court, the Federal...

Read moreDetails

OLG Cologne on the identification of affiliate links

Attention: Affiliates on YouTube, gaming websites and other networks
7. November 2022

On the question of whether and how affiliate links on websites must be identified, there have already been several decisions...

Read moreDetails

Federal Cartel Office v. Facebook: Full text

LG Munich: Data protection consent on dating platform
7. November 2022

The Bundeskartellamt's decision against Facebook garnered some criticism, which begins with the question of the Bundeskartellamt's jurisdiction. But also elementary...

Read moreDetails

Legal pearls for the weekend

Legal pearls for the weekend
7. November 2022

Apparently everyone is too warm today. The exciting verdicts are out this week and I'm also too hot in the...

Read moreDetails

The ‘Blue Pencil Test’ in German Law – Application and Significance from the Perspective of an IT Lawyer

The ‘Blue Pencil Test’ in German Law – Application and Significance from the Perspective of an IT Lawyer
13. May 2023

What is the "Blue Pencil Test"? In my daily work as an IT lawyer, it is not uncommon for me...

Read moreDetails

BGH decides on Wikipedia and museum photographs

ECJ: Advocate General assesses sampling as copyright infringement
7. November 2022

And another BGH decision today, shortly before Christmas. However, it is not really a surprise ;) Thus, the latter ruled...

Read moreDetails

AI in startups: More than just text generators

ai generated g63ed67bf8 1280
2. October 2023

Last week it was a bit quieter here on the blog. The reason is that I was on the road...

Read moreDetails

Google doesn’t have to remove illegal search results worldwide

Publication of sales advertisements and classification as a trader
25. September 2019

The ECJ has ruled that Google is not obliged to make a delisting in all versions of its search engine,...

Read moreDetails

Pay by invoice via Klarna

7. November 2022

Since today I have integrated the provider "Klarna" as a payment option here on the site. Klarna is an extra...

Read moreDetails
e1b22941 8541 4953 98a5 7858790f09a7 20191530

Public subsidies

29. March 2025

Definition and objective of public funding Public funding is financial support provided by government institutions at federal, state or European...

Read moreDetails
Fiduciary Out

Fiduciary Out

16. October 2024
Limitation

Limitation

16. October 2024
Bootstrapping

Bootstrapping

27. June 2023
Dissent

Dissent

16. October 2024

Podcast Folgen

Rechtliche Risiken bei langen Entwicklungszeiten und der Stornierung von Crowdfundingspielen

Rechtliche Risiken bei langen Entwicklungszeiten und der Stornierung von Crowdfundingspielen

20. April 2025

In dieser Episode erörtern wir die rechtlichen Herausforderungen, denen Spieleentwickler bei der Finanzierung durch Crowdfunding gegenüberstehen. Wir beleuchten die Verpflichtungen...

7c0b449a651fe0b81e5eec2e23515012 2

Urheberrecht im Digitalen Zeitalter

22. December 2024

In dieser aufschlussreichen knapp 20-minütigen Podcast-Episode von und mit mir wird das komplexe Thema des Urheberrechts im digitalen Zeitalter beleuchtet....

Digitale Souveränität: Europas Weg in eine selbstbestimmte digitale Zukunft

Digitale Souveränität: Europas Weg in eine selbstbestimmte digitale Zukunft

12. November 2024

In dieser spannenden Episode des itmedialaw.com Podcasts tauchen wir tief in das hochaktuelle Thema der digitalen Souveränität ein. Vor dem...

Das Metaverse – Rechtliche Herausforderungen in virtuellen Welten

Das Metaverse – Rechtliche Herausforderungen in virtuellen Welten

25. September 2024

In dieser faszinierenden Episode tauchen wir tief in die rechtlichen Aspekte des Metaverse ein. Als Rechtsanwalt und Technik-Enthusiast beleuchte ich...

  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung