Overview
Personal Data Destruction, Anonymization, and Pseudonymisation Guideline — Third: Pseudonymisation is a technical safeguard used to reduce the risk of identifying individuals while preserving the usability of personal data.
This Guideline describes how pseudonymisation transforms direct identifiers into coded references, clarifies its legal status as personal data, distinguishes it from anonymization, and outlines when Controllers must apply pseudonymisation, including disclosures, research activities, and statistical processing. It also introduces commonly used pseudonymisation techniques that help Controllers comply with PDPL requirements while protecting data subject privacy.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Third: Pseudonymisation
Pseudonymisation is defined as the process of transforming primary identifiers that reveal the identity of the data subject into codes that render the direct identification of the data subject infeasible without the use of additional data or information. Such additional data or information shall be maintained separately and subjected to adequate technical and administrative controls to ensure that it cannot be definitively linked to the data subject.
Pseudonymised data is considered personal data because it may be used, in one way or another, to identify a specific individual. “Pseudonymisation” serves as a protective measure for personal data and is deemed an appropriate technical safeguard against the risks associated with personal data processing. However, its effectiveness in safeguarding personal data is not equivalent to that of “anonymization”. One example of Pseudonymisation is substituting one or more of the data subject's PII elements. For instance, the name is substituted with a symbol (such as a reference number).
Pseudonymisation shall be applied whenever personal data, including personal data linked to an individual other than the data subject, is disclosed. In such instances, the personal data of the individual shall be Pseudonymised to ensure their privacy. Pseudonymisation shall also be applied when personal data is collected or processed for scientific, research, or statistical purposes without the data subject's consent, provided that such Pseudonymisation does not compromise the purpose for which the data is being processed.
Examples of Anonymization and Pseudonymisation Techniques:
Technical measures employed to anonymize and Pseudonymise personal data vary depending on the specific data being processed and the Controller's regulations. These measures must be regularly reviewed and updated to ensure that the data cannot be linked to a specific data subject.
Examples of Commonly Used Techniques:
- Data Generalization: The substitution of specific attributes with more generalized values. For instance, aggregating ages into age bands (20-30, 30-40) rather than using precise age values.
- Data Aggregation: The consolidation of individual data points into a range, group, or category, for instance, recording only the birth year instead of the full birthdate. It should be ensured that the aggregated data cannot be used to infer information about specific individuals.
- Data Encryption: The process of transforming personal data into a secure code using robust cryptographic algorithms. Cryptographic keys must be stored securely and separately from the encrypted data.
- Data Masking: The application of data masking techniques to conceal or obscure specific data elements.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Pseudonymisation Overview
Definition and Transformation Process
Pseudonymisation is the process of transforming primary identifiers that directly reveal the identity of the data subject into codes or symbols, in a manner that prevents direct identification without the use of additional data or information.
Any additional data or information required to re-identify the data subject must be kept separately and protected by appropriate technical and administrative controls, ensuring that it cannot be definitively linked to the data subject without authorization.
Legal Status of Pseudonymised Data
Pseudonymised data continues to be classified as personal data, as it may still be used, directly or indirectly, to identify a specific individual. Pseudonymisation functions as a technical safeguard that reduces risks associated with personal data processing; however, it does not provide the same level of protection as anonymization.
While it limits exposure and misuse, its effectiveness depends on the robustness of the separation, controls, and security measures applied to the additional identifying information.
Required Application and Permitted Use Cases
Pseudonymisation shall be applied whenever personal data is disclosed, including cases where the data relates to an individual other than the data subject, in order to protect individual privacy.
It may also be applied when personal data is collected or processed for scientific, research, or statistical purposes without the data subject’s consent, provided that such pseudonymisation does not compromise the purpose for which the data is being processed and appropriate safeguards remain in place.
Examples of Anonymization and Pseudonymisation Techniques
Purpose and Ongoing Effectiveness
Technical measures used for anonymization and pseudonymisation vary depending on the nature of the personal data being processed and the regulatory obligations applicable to the Controller. These measures are intended to prevent the identification of data subjects and reduce privacy risks during processing, disclosure, or analysis.
Controllers are required to regularly review and update the applied techniques to ensure that the data cannot be linked to a specific data subject, taking into account technological developments and emerging re-identification risks.
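The following is an added example, not part of SDAIA's text or this page's original content. It illustrates the definition of pseudonymisation and three of the listed techniques (generalization, aggregation, masking) on constructed records. Using a keyed hash (HMAC-SHA256) to derive the reference number is an assumption of this example, as are all field and function names. The key and the lookup table are the "additional information" that must be kept separately from the released rows.

```python
import hashlib
import hmac
import secrets

def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed reference code (HMAC-SHA256)."""
    mac = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return "REF-" + mac.hexdigest()[:16]

def age_band(age: int, width: int = 10) -> str:
    """Generalization: exact age -> non-overlapping band such as 30-39."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def mask(value: str, visible: int = 4) -> str:
    """Masking: hide all but the last `visible` characters."""
    keep = min(visible, len(value))
    return "*" * (len(value) - keep) + value[len(value) - keep:]

def pseudonymise_dataset(records, key):
    """Return (released rows, lookup table); the two must be stored apart."""
    released, lookup = [], {}
    for r in records:
        ref = pseudonymise(r["national_id"], key)
        lookup[ref] = {"name": r["name"], "national_id": r["national_id"]}
        released.append({
            "ref": ref,
            "age_band": age_band(r["age"]),
            "birth_year": r["birthdate"][:4],  # aggregation: year only
            "phone": mask(r["phone"]),
            "diagnosis": r["diagnosis"],
        })
    return released, lookup

# Constructed sample records (not real data).
SAMPLE = [
    {"name": "Sample Person A", "national_id": "1000000001", "age": 34,
     "birthdate": "1991-05-17", "phone": "0550000001", "diagnosis": "asthma"},
    {"name": "Sample Person B", "national_id": "1000000002", "age": 58,
     "birthdate": "1967-11-02", "phone": "0550000002", "diagnosis": "diabetes"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # "additional information": store separately
    released, lookup = pseudonymise_dataset(SAMPLE, key)
    for row in released:
        print(row)
    print("re-identified via lookup:", lookup[released[0]["ref"]]["name"])
```

Anyone holding only the released rows sees reference codes, bands and masked values. The rows remain personal data because the holder of the key or lookup table can reverse the mapping.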