Pseudonymised is not anonymous — the difference that decides everything
“We only store anonymised data” is the most common false claim in privacy policies. If anyone, anywhere, can re-link it to you, the GDPR still applies in full.
The line matters because everything hangs on it: truly anonymous data is outside the GDPR entirely; pseudonymised data — identifiers swapped for codes, with a key existing somewhere — remains personal data with every right and duty attached (Art. 4(5), Recital 26). The test: could you be re-identified “by means reasonably likely to be used”, by the company or anyone else? Hashed emails: pseudonymous (the same email always hashes the same — that is a linking key, which is exactly why ad platforms use them). “Anonymised” location traces: notoriously re-identifiable — a handful of points singles most people out. Small-group statistics: the village with one 90-year-old is not anonymous about her. Genuinely anonymous: aggregated counts over large groups with no path back. Why companies blur it: “anonymous” sounds like no rules apply. When a policy claims anonymisation, the questions that expose the truth: “Is any key or linkable identifier retained? Could you re-identify me if legally required to?” A yes to either = pseudonymous = your rights apply. Pseudonymisation is still good — the GDPR rewards it as a security measure (Art. 32); it reduces breach harm. It just is not an exit from the law, and claiming it is one is a transparency violation worth citing.
Verified against the sources above on 18 July 2026. Information, not legal advice.