view all news & events
07/15/2026

Guidelines on the Anonymisation of Personal Data – European Data Protection Board (EDPB) Launches Public Consultation

On 7 July 2026, the EDPB published its long-awaited Guidelines on the anonymisation of personal data (“Guidelines”). These Guidelines are currently in draft form and are expected to be adopted following the public consultation process, which is open until 30 October 2026.

 

What is this about?

The key criterion for the application of the General Data Protection Regulation (“GDPR”) is the processing of personal data (“PD”). This concept is defined broadly in Article 4(1) GDPR. According to Recital 26, sentence 5 GDPR, the principles of data protection do not apply to anonymous information. Consequently, the GDPR does not apply to information that does not relate to an identified or identifiable natural person. Existing links between information and an identifiable individual can be removed through anonymisation.

Although this fundamental distinction in data protection law already existed before the GDPR came into force, determining when information has been anonymised to a legally sufficient standard remains both a technical and legal challenge in practice.

The former Article 29 Working Party had already addressed this issue in its respective Opinion from 2014. Over the past ten years, the Court of Justice of the European Union (CJEU) has also issued several judgments on the subject (see, for example, most recently the SRB decision).

 

Key Content of the Guidelines

The EDPB aims to provide greater clarity in distinguishing between anonymous information and personal data by establishing a practical assessment framework.

According to the EDPB, the three key criteria are No Record Isolation, No Linkage, and No Inference (see paragraphs 52 et seq. of the Guidelines).

The first criterion, No Record Isolation, requires that a dataset does not contain any attributes capable of identifying an individual. Considered on its own, the data must not constitute personal data.

The second criterion, No Linkage, builds on the first. It requires that the dataset cannot be linked to another dataset in a way that would enable the identification of a natural person.

The third criterion, No Inference, requires that no conclusions about a specific individual can be drawn from the available data. Such conclusions or inferences must also not be possible through the combination of the data with reasonably available additional information. In practical terms, it must not be possible to re-identify a natural person through analysis, linkage, or statistical inference.

These three criteria interact with one another and may be satisfied to varying degrees. What matters is that, when assessed as a whole, the information has been effectively anonymised (see paragraph 53 of the Guidelines).

 

What Happens Next?

The EDPB invites all interested stakeholders to participate in the public consultation until 30 October 2026. As discussions are currently ongoing at EU level regarding the GDPR-related provisions of the Digital Omnibus Act-which also focus (or have focused) on the concept of personal data-we expect a significant number of submissions.

In our view, the Guidelines represent an important step towards making the GDPR's requirements and the relevant case law on anonymisation more practical and easier to apply.

We will also publish an analysis once the final version of the Guidelines has been adopted.

    Share

  • LinkedIn
  • XING