The processing of personal data triggers high regulatory requirements and associated risks for affected organizations. ly managing these data protection risks costs money and human resources. What entrepreneur wouldn’t want a superpower that could simply make the problem of data protection disappear? The good news is that this superpower exists. It’s called anonymization. In this article, you’ll learn when it works, how to use it, and what you need to keep in mind.
When do I need this superpower?
To understand when anonymization can help with managing data protection risks, we first need to understand when data protection law applies. This is always the case when controllers, i.e., companies or public authorities, process personal data. According to Art. 4 No. 1 GDPR, personal data is information relating to an identified or identifiable natural person. This data is processed when it is collected, stored, retrieved, modified, or used in any other way. If you succeed in removing the link between the information and a natural person so that it is only data without personal reference, you have literally tackled the problem of data protection at its root and solved it. In this case, data protection law no longer applies. This makes anonymization the ultimate tool for data protection management.
The crucial question: When is a person identifiable?
The crux of the matter for the effectiveness of your superpower is the identifiability of data subjects. Lawyers have been arguing about this practically since data protection law came into existence. But now this problem could be solved. The dispute is about whether it is sufficient that, from the perspective of the controller, it is no longer possible to assign a date to a natural person (relative approach) or whether it must be impossible for anyone in the world to establish the personal reference (absolute approach). This becomes relevant when data is transferred to third parties without the identifying information. One example is the transfer of a list of measured values that are assigned to specifically named individuals without naming those individuals because the name column has been removed beforehand. According to the absolute theory, the measured values would also be personal data for the recipient because the further controller could establish the personal reference. According to the relative theory, this would not be the case because the recipient cannot do so.
A landmark ruling by the European Court of Justice (ECJ) on September 4, 2025 (case “SRB,” C-413/23 P) provided clarity here and confirmed the relative approach. The personal reference therefore depends on the view of the individual controller. The ECJ clarified that if a company transfers pseudonymized data to a third party who does not have the means (nor any legal right of access to additional knowledge from the sender) to identify the individuals behind the data, then this data is anonymous to the recipient. This means that the recipient can use the data without being subject to the strict rules of the GDPR, thereby strengthening the superpower of anonymization.
The pseudonymization trap
Caution! The superpower of anonymization is easily confused with its “little brother,” pseudonymization. This is a dangerous trap. In pseudonymization, identifiers (such as names) are simply replaced by codes or IDs. The key difference to anonymization is that the controller still has the key and can reassign the information to the natural person. For example, if a human resources department prints work schedules with only employee numbers and no names, it may not be clear to every colleague who the people on the list are. However, the company can easily find this out by looking at the human resources management software. The data on the list is then not anonymous for the company, but only pseudonymous. Data protection law therefore continues to apply with all its rights and obligations. Pseudonymization does not have the superpower of its big sister. Only when the personal reference is removed so thoroughly that re-identification is no longer possible with normal effort do we speak of true anonymization.
The paradox: anonymization as data processing
It sounds strange, but it’s true. Removing personal references from data and anonymizing it is a form of processing personal data and must be treated in accordance with all the rules of data protection law and, above all, justified. This requires, above all, a legal basis in accordance with Art. 6 GDPR in order to process data in such a way that it no longer falls under the GDPR. In practice, this can often be justified as follows:
- Legitimate interest (Art. 6(1)(f) GDPR): The company’s interest in using the data for analysis often outweighs the interests of the data subjects, as anonymization protects their privacy.
- Compatibility of purposes (Article 6(4) GDPR): Anonymization is classified as “further processing,” which must be compatible with the original purpose of collection.
- Compliance with the obligation to erase (Art. 17 GDPR): Instead of physically destroying data, anonymization can be used as a means of complying with the obligation to erase, as the personal reference is removed.
Anonymization in practice
There are a variety of scenarios in which controllers can use data without needing to know to which natural person this data originally referred. Anonymization can thus enable scientific research and thereby contribute directly to the value creation of a company or society as a whole. However, there are also cases in which the complete or partial removal of personal references is a legal requirement. This is particularly the case when there are claims for access to information, but the controller is obliged to protect the interests of third parties by removing the (personal) reference to them.
Data subject requests pursuant to Art. 15 GDPR
This superpower becomes particularly urgent when it comes to requests for information and data copies. Data subjects are entitled to a “copy of the data” (Art. 15 (3) GDPR). This requires the provision of a faithful and intelligible reproduction of the data, which in practice can often mean the disclosure of extensive data sets containing countless emails and other documents. But be careful: the right to a copy must not affect the rights and freedoms of other persons (Art. 15 (4) GDPR). This means that the applicant’s data must first be found within the short one-month period specified in Art. 12 (3) GDPR. To ensure that the rights of third parties are not infringed by the provision of the data, it must also be processed in such a way that information relating to these third parties is no longer recognizable. In concrete terms, this means deliberately blacking out, for example, the names of colleagues, telephone numbers, etc., so that no reference to third-party data remains. At the same time, of course, the context must be preserved. Despite the blacking out, the copy must contain enough information for the data subject to be able to classify their own data in a meaningful way.
Requests to authorities under the Freedom of Information Act (IFG)
Targeted blacking out or anonymization can also be critical for public authorities in fulfilling their mandate. For example, under the Freedom of Information Act (IFG), citizens have a right to access official information. Public authorities must therefore make files accessible. However, this right reaches its limits when personal data of third parties or trade and business secrets are involved. This information must be removed before the right can be fulfilled. The method of choice is anonymization. By blacking out names or addresses, access to official information is made possible and the fundamental rights of third parties are preserved.
Access to files in criminal or administrative proceedings
Whether in fine proceedings or in classic administrative proceedings, anyone who inspects files receives documents containing the data. In many cases, knowledge of this data is not necessary, so that here too, file contents must be blacked out and references to individuals must be removed through anonymization before access to files can be granted. This is the only way for the authority to ensure that only the data relevant to the proceedings remains visible to the applicant, while third-party information is protected.
Implementation in business practice
Even if you realize that you can only achieve your goal through anonymization or are legally obliged to do so, a lot can still go wrong during implementation. In the digital world, it is not enough to simply place a black bar over the text. Many programs only cover the text visually when blacking it out, but do not remove it technically. The result is embarrassing and expensive data breaches: with just a few clicks, the supposedly blacked-out text can often be made visible again. In addition, metadata is often forgotten – information in the file properties that can reveal who created the document, when, or what was in earlier versions.
For the superpower of anonymization to be effective, it must be used in the right places and with the right technology. On the one hand, this means meaningful integration into corporate or government processes. Interfaces provide data and documents, intelligent software identifies areas relevant for blacking out, and humans in the loop control the process and help with edge cases. The result is an intelligent data protection workflow that creates legal certainty and leverages synergies. A win-win for data protection and those responsible. This makes anonymization the key to legally compliant and value-adding data use and creates the conditions for legally compliant data protection processes.
