Skip to content
Regulatory15 Jul 20268 min read

Anonymised or Still Personal Data? The EDPB's New Three-Part Test

Removing names, email addresses and customer numbers does not necessarily make a dataset anonymous. The EDPB's new draft guidance provides a structured way to test whether individuals can still be isolated, linked or inferred from the remaining information.

The practical approach

  • Decide exactly who the data is intended to be anonymous for.
  • Test the data against record-isolation, linkage and inference risks.
  • Document the methods, assumptions, external datasets and technical capabilities considered.
  • Reassess anonymity when technology, access arrangements or available information changes.

The distinction between anonymous and personal data has major operational consequences. Information that is genuinely anonymous falls outside the GDPR. It may therefore be reused, analysed and shared without the same data-protection obligations that apply to personal data. But if an organisation incorrectly labels identifiable information as anonymous, it may process or disclose personal data without the necessary lawful basis, transparency, security or individual-rights procedures.

On 7 July 2026, the European Data Protection Board adopted draft Guidelines 02/2026 on Anonymisation, open for public consultation until 30 October 2026. The document updates the Article 29 Working Party’s 2014 opinion and responds to developments in technology, artificial intelligence, EU case law and modern data-sharing environments.

The guidance introduces a practical framework built around three questions:

  1. Can an individual record be isolated?
  2. Can it be linked to other information?
  3. Can meaningful information about an individual be inferred?

The answers must be assessed in context, from the perspective of the organisations and people who may realistically have access to the data and the means to identify someone.

Infographic: the EDPB's three-part anonymisation test — no record isolation, no linkage, no inference — shown beside a pseudonymised patient dataset that still allows individual records to be distinguished.

1. Anonymous data is more than data without names

Under the GDPR, information is anonymous where it does not relate to an identified or identifiable natural person. The EDPB divides that assessment into two questions: does the information relate to a natural person, and is that person identified or identifiable? If the answer to either question is no, the information may be anonymous. Information can relate to a person because of its content, purpose or effect, even where the connection is not immediately obvious.

Removing obvious identifiers is therefore only a starting point. A dataset containing dates of birth, postcodes, employment details, medical conditions, location histories or unusual behavioural patterns may still allow someone to distinguish an individual from everyone else. Several ordinary attributes can become identifying when combined. A year of birth combined with a small postcode area, job title, workplace and rare medical condition may narrow the possibilities to one person.

The relevant question is not simply whether the person’s name appears in the file. It is whether somebody can distinguish and treat that person differently using means reasonably likely to be used.

2. Data can be anonymous for one organisation but personal for another

One of the most significant parts of the draft guidance is its emphasis on perspective. The EDPB recognises that the same information may be personal data for one entity but anonymous for another. A controller may hold the original customer database and a coded research dataset. Because it can connect the codes to its customers, the research data remains personal from that controller’s perspective. An independent recipient may receive only a carefully protected extract and have no realistic access to the identifying information. Depending on the circumstances, the same extract may be anonymous from that recipient’s perspective.

The assessment should therefore begin with a practical question: for whom is the information intended to be anonymous? Where information is intended for public release, the relevant perspectives may include everybody capable of accessing it. Where it is shared with a restricted research partner, the assessment may focus on the sender, recipient and other entities that could realistically obtain the data or assist with identification.

This does not mean that organisations can declare information anonymous merely by giving it to somebody who does not currently know the identities. The assessment must also consider whether the recipient could obtain additional information, transfer the dataset to another entity or use available technical and legal means to identify people.

3. Identifiability does not have to be reduced to zero

Absolute impossibility is not the GDPR standard. According to the EDPB, the chance of identification does not have to be zero for information to be anonymous. Instead, the likelihood of a person being successfully distinguished must be insignificant in reality.

That assessment should consider objective factors including the information already available to the relevant entity; other datasets that could realistically be obtained; the cost and time required for identification; the technical knowledge and computing resources available; legal powers or channels for obtaining additional information; current technology and reasonably foreseeable developments; the value of identifying the individuals; security measures restricting access to the dataset; and the possibility of unauthorised access or malicious action.

Depending on the circumstances, relevant entities may include recipients, employees, business partners, investigative journalists, law-enforcement bodies, intelligence agencies, unethical companies and cybercriminals. The guidance does not require every possible attacker to be assessed in every case. It does require organisations to look beyond the idealised behaviour of authorised and law-abiding recipients where the actual circumstances create a realistic risk of unauthorised identification.

4. The first criterion: No Record Isolation

The No Record Isolation criterion asks whether the data contains a unique combination of attributes relating to one individual. The criterion is met where the dataset does not allow one person’s record to be isolated from the others.

The more detailed a record becomes, the more likely it is to be unique. Risk generally increases where data has many fields or attributes; precise dates rather than broader periods; exact locations rather than larger areas; rare diagnoses, occupations or behaviours; long histories connected to one person; small population groups; or unusual combinations of otherwise common attributes.

The EDPB gives an example of patient records containing sex, full date of birth, postcode and medical condition. Even without names, the combinations may be unique, allowing each patient record to be isolated. Aggregation can reduce this risk, but only where it genuinely removes individual records. Simply deleting the name column will not satisfy the test where the remaining data still creates a unique fingerprint.

5. The second criterion: No Linkage

The No Linkage criterion asks whether a record in the dataset can be connected to a record relating to the same person in another dataset. Linkage can occur through direct identifiers, such as a repeated customer number, but it can also occur by comparing combinations of attributes: dates and times, postcodes or locations, device characteristics, transaction values, employment information, demographic combinations, behavioural patterns, public registers, social-media information, or previously leaked and commercially available datasets.

A dataset may appear anonymous when reviewed in isolation but become identifiable once matched against an external source. The assessment must therefore include more than the contents of the proposed anonymous file. Organisations should map other data that recipients, employees, partners or potential attackers could realistically access. Adding inaccurate or “noisy” values is not automatically sufficient: noisy data may still reveal information in unexpected ways, and the effectiveness of a linkage attack depends heavily on the other information available.

6. The third criterion: No Inference

The No Inference criterion considers whether somebody can derive specific and meaningful information about an individual from the data. An inference may be drawn from record-level information, aggregate statistics, external datasets or information about the anonymisation process itself. The criterion is met where no specific and meaningful inference can be drawn. An inference is specific where it relates to one identified or identifiable person. It is meaningful where it may affect that person’s rights or interests, depends on the dataset and could not simply be obtained from general knowledge or broad population statistics.

Detailed location tracks with direct identifiers removed may still reveal where a person lives and works. Inference risks can also arise from aggregate data: group statistics may expose an individual where the group is small, one value is already known or an outlier dominates the result.

Artificial intelligence increases the practical importance of this criterion. The guidance recognises that models and synthetic data may be prompted or queried with additional information to produce new information about a particular individual. Where the result is specific and meaningful, anonymity may be compromised.

7. Passing and failing the three tests

The EDPB’s framework should not be reduced to a simplistic checklist. Where all three criteria are satisfied, the information may be regarded as anonymous. Where one or more criteria are not satisfied, the information is not automatically personal data in every case. Further analysis is required to determine whether the identified weakness actually allows a person to be singled out or meaningfully identified using means reasonably likely to be used.

This distinction matters because a unique record may not always identify a person. A randomly generated record in a synthetic dataset might be unique without corresponding to a real individual. Equally, a dataset may appear to pass a surface-level test while remaining identifiable through information controlled by a recipient or accessible through an external source.

8. Contextual or simplified assessment?

The guidelines provide two ways to apply the framework. The contextual approach assesses anonymity separately for each relevant entity, considering the specific data, resources, legal powers, technical abilities and additional information available to that entity. This reflects the full legal test but can become complex. The simplified approach does not distinguish between the capabilities of different entities. It takes a more conservative position and may treat information as personal even where it could legally be anonymous for a particular recipient.

The EDPB says the simplified approach can provide greater confidence and convenience, although it is not a separate legal standard. Organisations can also begin with the simplified approach and use contextual analysis to refine the result. For public datasets, the simplified approach may be the more manageable starting point. For controlled disclosures to a defined recipient, the contextual approach may allow a more precise assessment, provided that access controls, recipient capabilities and possible onward transfers are properly examined.

9. Contracts cannot create anonymity on their own

A contract may prohibit a recipient from attempting to identify people, combining datasets or transferring information to another party. Those restrictions can reduce risk, but the EDPB says a contractual prohibition should not be treated in the same way as a legal impossibility. Contracts should complement technical measures, and their practical effect must be reliable, verifiable and enforceable. Parties can breach, ignore or later revise contractual terms.

A defensible arrangement may combine strong access controls; segregation from identifying datasets; encryption and key separation; query restrictions; output controls; logging and monitoring; independent testing; prohibitions on re-identification; restrictions on onward disclosure; and audit and enforcement rights. A clause stating that data is anonymous does not make it anonymous.

10. The anonymisation process is still subject to GDPR

Anonymous information may fall outside the GDPR, but creating it normally involves processing personal data. The EDPB states that the anonymisation process must have an Article 6 lawful basis. Where the source data includes special-category personal data, an Article 9 condition must also apply.

Controllers must also meet applicable transparency obligations and should explain that personal data will be processed to produce anonymous information. They should not describe data as anonymous, de-identified or de-personalised where individuals remain identifiable. Anonymisation is not a device for retrospectively curing processing that was unlawful from the outset.

11. Mixed datasets remain a compliance risk

An anonymisation method may protect most people in a dataset while leaving certain outliers identifiable. The EDPB says a dataset as a whole should only be considered anonymous where re-identification risk is insignificant for all included individuals. Where a dataset contains a mixture of anonymous and personal information and the two parts are not processed separately, the entire dataset should be treated as containing personal data and therefore as being within the scope of the GDPR.

Outliers therefore deserve particular attention: the only person above a certain age, a single employee in a particular location, one patient with a rare condition, a uniquely high salary or transaction, an individual with an unusual movement pattern, or a person whose history contains an exceptional event. Testing averages alone can conceal the people who face the greatest re-identification risk.

12. Anonymity is not a permanent status

An assessment may be valid today and fail later. New public datasets, data breaches, cheaper computing power and improved artificial-intelligence tools can make previously impractical identification methods realistic. The EDPB therefore recommends periodically reassessing the likelihood of re-identification. If the likelihood ceases to be insignificant, the previously anonymous information should again be treated as personal data.

A security incident may also change the result. If anonymity depended on a lookup table, key or original dataset remaining confidential, disclosure of that information can make identification possible. The affected organisation may then need to consider its obligations under Articles 33 and 34 GDPR. Review triggers should include a security breach; a new recipient or use case; public release of a related dataset; changes to access permissions; an acquisition or data combination; new re-identification research; significant advances in AI or computing; changes to the anonymisation technique; and any planned onward transfer or publication.

13. What good anonymisation evidence looks like

The EDPB expects adequate documentation of both the anonymisation process and the testing performed on the resulting dataset. Documentation should be retained after the process is complete so the organisation can demonstrate GDPR compliance and the effectiveness of the anonymisation itself.

A practical evidence pack should include the purpose of anonymisation; the source datasets and data categories; the intended recipients and relevant perspectives; the lawful basis for the anonymisation process; the techniques applied; data removed, generalised, aggregated or altered; tests for record isolation; external datasets considered during linkage testing; inference and attack scenarios; assumptions about technology, cost and access; security and contractual controls; test results and residual risks; approval and review dates; and events that trigger reassessment. The evidence should explain why identification is unlikely in practice rather than merely state that direct identifiers were removed.

A 90-day readiness plan

From inventory to evidence in one quarter
Weeks 1–4: Find every “anonymous” datasetSearch data inventories, analytics platforms and research systems; identify datasets labelled anonymous, de-identified or aggregated; record who holds the original identifiable information; map recipients, users and onward disclosures; separate genuinely anonymous data from pseudonymised personal data.
Weeks 5–8: Apply the three testsTest whether individual records can be isolated; identify external data that could enable linkage; examine meaningful inference and repeated-query risks; review outliers and small groups; decide whether to use the contextual or simplified approach.
Weeks 9–12: Strengthen and documentReduce precision or aggregate data where necessary; separate keys, lookup tables and source records; add technical and contractual recipient controls; document the assessment and residual risk; set reassessment dates and event-based review triggers.

Common pitfalls

  • “We removed names and email addresses.” Indirect attributes may still isolate or identify people.
  • “The recipient does not know who the records belong to.” The recipient may be able to obtain or combine additional information.
  • “Every value has been slightly changed.” Noise and inaccuracy do not necessarily prevent successful linkage or inference.
  • “The contract prohibits re-identification.” Contracts can support anonymity but cannot replace effective technical safeguards.
  • “Only one unusual record is identifiable.” A dataset may remain personal where anonymisation fails for even a small number of individuals.
  • “It was anonymous when we created it.” Technology and available information change, so re-identification risk must be reassessed.
  • “Anonymisation means the GDPR never applied.” The process of converting personal data into anonymous information remains a processing activity under the GDPR.

What to do next

Begin by locating every dataset your organisation currently calls anonymous. For each one, identify the intended recipients, the original information retained elsewhere and the additional datasets that could realistically be used for identification. Then test the information against the EDPB’s three criteria: No Record Isolation, No Linkage and No Inference.

The objective is not simply to remove identifiers. It is to create and retain evidence showing that identification is insignificant in reality for every relevant entity and remains so as technology and access conditions change. The guidelines remain draft guidance under public consultation. Organisations should monitor the final version and revisit their anonymisation assessments where the EDPB changes or clarifies its position.

This article is for general information only and does not constitute legal advice. Specific advice should be obtained for the organisation, dataset, intended recipients and jurisdictions involved.

Sources: EDPB Guidelines 02/2026 on Anonymisation (adopted 7 July 2026, public consultation until 30 October 2026); Article 29 Working Party Opinion 05/2014 on anonymisation techniques.