Anonymization and Pseudonymization

The terms ‘anonymization’ and ‘pseudonymization’ are, more often than not, used incorrectly or in a misleading context.

That is why a quick reference to the EU General Data Protection Regulation (EU-GDPR) and the Federal Data Protection Act (BDSG) is in order.

Federal Data Protection Act (BDSG) §3 Sec. 9 Special types of personal data

Special types of personal data comprise indicators of racial or ethnic origin, political views, religious or philosophical convictions, labour union membership, health or sexuality.

Federal Data Protection Act (BDSG) §3 Sec. 6 Anonymization

Anonymization entails an alteration of personal data in such a way that particular indicators of personal or material circumstances can no longer – except with a disproportionate amount of effort with respect to time, cost and labour – be correlated with a specific or determinable natural person.

Federal Data Protection Act (BDSG) §3 Sec. 6a Pseudonymization

Pseudonymization entails the substitution of names and other distinguishing marks with tokens so that a determination of the person concerned is precluded or made substantially more difficult.

The more a system is trusted, the better the condition for compliance.
Prof. Dr. jur. Bernd Lutterbeck

TU Berlin, FB Recht und Informatik (2006)

The anonymization of personal data, in particular when “special types of personal data” need to be administered, would constitute optimal protection of the patients/study participants concerned.

In most clinical or medical daily routines, anonymization may not be applicable because follow-up examinations, data from follow-up studies, questionnaires or telemedical data have to remain traceable to the very same person over and over again. Only in this way can event history data on disease and therapy be documented, illustrated and analysed in a practice-oriented manner. The attending physician assumes that he will be able to address the patient by their full name and not by a cryptic and meaningless patient number.

Admittedly, there is no pseudonymization procedure that provides the same degree of protection as anonymization. But there are processes which can attain a comparable level of security. If patient data has been pseudonymized at multiple instances, for example, we call that factual anonymization.

Such protection is attained through technical and organizational measures, associated standard operating procedures, and a level of system transparency that gives each interested physician or patient the opportunity to track and comprehend the procedure employed. Only if the technology is understood can trust be built and an assessment made as to whether or not one is willing to bear the residual risk. If the technology is understood, suggestions for improvement can be developed and implemented which make the system more secure and further reduce residual risk.
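Pseudonymization at multiple instances, as described above, can be illustrated with two independent key holders. The following is an added example, not Serrala's implementation: the use of HMAC-SHA256, the clinic/trustee split, the keys and the patient records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict

# Constructed sample keys (assumption). In practice each is random and held
# by a different party: the clinic (site) and an independent trustee.
SITE_KEY = bytes.fromhex("11" * 32)
TRUSTEE_KEY = bytes.fromhex("22" * 32)


def normalise(name: str, birth_date: str) -> bytes:
    """Canonical form so spelling variants of one person yield one token."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return f"{' '.join(folded.split())}|{birth_date}".encode("utf-8")


def stage(key: bytes, value: bytes) -> bytes:
    """One pseudonymization instance: deterministic keyed token (HMAC-SHA256).
    Without the key, tokens cannot be recomputed from guessed names."""
    return hmac.new(key, value, hashlib.sha256).digest()


def pseudonymize(name, birth_date, site_key=SITE_KEY, trustee_key=TRUSTEE_KEY):
    site_token = stage(site_key, normalise(name, birth_date))  # at the clinic
    final = stage(trustee_key, site_token)  # at the trustee, who sees no name
    return final.hex()[:24]  # 96-bit pseudonym used in the research database


def link_records(records, **keys):
    """Group findings by pseudonym so follow-ups stay with the same person."""
    history = defaultdict(list)
    for name, birth_date, finding in records:
        history[pseudonymize(name, birth_date, **keys)].append(finding)
    return dict(history)


# Constructed sample data, not real patients.
RECORDS = [
    ("Erika Mustermann", "1970-01-31", "baseline"),
    ("Max Mustermann", "1982-05-12", "baseline"),
    ("  erika  MUSTERMANN ", "1970-01-31", "follow-up, 6 months"),
]

if __name__ == "__main__":
    for pseudonym, findings in link_records(RECORDS).items():
        print(pseudonym, findings)
```

Neither key holder alone can recompute a final pseudonym from a name: the site lacks the trustee key, and the trustee never receives the name. Follow-up data still lands under the same pseudonym because both stages are deterministic.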


For many years, Serrala Cloud Solutions has been developing software in which pseudonymization or anonymization plays a decisive role.

We are aware of requirements presented by ethics commissions and data protection agencies, and we affirm the quality of our software through a validation of our systems in close cooperation with our customers. Our customers get to understand the software which they have commissioned because transparency creates trust and opens up pathways for steady improvement. That is the only way to ensure a sustainable prevention of (un)premeditated attacks on data worthy of protection.

This inspired the work entitled

G3P – Good Privacy Protection Practice in Clinical Research: Principles of Pseudonymization and Anonymization

Transparency and quality management play essential roles in the development of our Healthcare Software. Our ISO 9001 QM system, our provision for ISO 27001, and the audits we welcome from our customers provide unmistakable evidence of this.

If you have further questions, we are always ready to support you with detailed information.