Pseudonymisation is a data protection technique defined in Article 4(5) of the GDPR whereby personal data is processed so that it can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and subject to technical and organisational measures to ensure non-attribution. Common techniques include replacing identifiers with tokens, hash values, or reference codes.
Pseudonymisation is explicitly recognised by the GDPR as an appropriate safeguard that can reduce risks to data subjects and help controllers and processors meet their data protection obligations. Importantly, pseudonymised data remains personal data under the GDPR because re-identification is possible with the additional information. It differs from anonymisation, where re-identification is no longer reasonably possible, placing the data outside the scope of the GDPR entirely.