The question of whether data is anonymous, and therefore outside the scope of the GDPR, has become increasingly important in a world of constant data re-use, time-consuming data subject access requests and innovative projects typically involving AI.
An update to the 2014 Article 29 Working Party’s Opinion (“WP Opinion”) was therefore long overdue given legal and technological developments but the EDPB has now published its draft Guidelines on anonymisation (“Draft Guidelines”).
Key changes
The Draft Guidelines largely confirm the direction of travel set by CJEU case law (including in Breyer (“Breyer”) and in the 2025 EDPS v SRB (“SRB”) judgement), but several refinements will have practical consequences for organisations:
- Whether the natural person is “identified or identifiable”. The GDPR applies to information relating to an identified or identifiable person, directly or in combination with other information. Recital 26 requires considering all means “reasonably likely” to identify an individual, including cost, time and the state of technology. The Draft Guidelines flesh out the “means reasonably likely to be used” test, structuring the Breyer/SRB formulation into objective factors. Notably, they caution against treating an entity’s “lack of motivation” to re-identify as relevant for controllers, as the motivation of individuals can be difficult to assess or demonstrate objectively and may change over time.
- Test for inference data. The WP Opinion’s three criteria for determining identifiability: singling out, linkability and inference substantively survive, relabelled as No Record Isolation, No Linkage and No Inference. The key development is a granular test for inference which is met if no specific and meaningful inference can be drawn from the given data.
- Clarification on the standard of anonymisation. The most significant shift from the WP Opinion is the move to a relative, entity-specific standard. The WP Opinion assessed risk by reference to the controller “or any other person”, stressing that effective anonymisation required eliminating all means of re-identification, including destroying raw identifiers. Following SRB, the Draft Guidelines explain that identifiability can differ between recipients. Essentially, where identifying information is kept separately and effective measures prevent attribution, a recipient may treat the data as anonymous even though it remains personal for the discloser. However, this helpful clarification is heavily caveated as between controllers and processors, with the EDPB making clear that whether the given data is personal for a processor should be assessed by reference to the controlling entity’s original perspective, meaning it is likely to remain personal data.
- Contextual v simplified approach. The Draft Guidelines give controllers two ways to assess anonymisation. The contextual approach applies the full legal test by asking whether each relevant party can identify individuals, taking account of their actual capabilities. The simplified approach is more conservative, with the EDPB explaining that by treating data as non-anonymous even where it would be anonymous for some parties, organisations can take advantage of an easier approach that provides great certainty of compliance (yet with the comfort of the contextual approach to sense-check the analysis).
- Relevance of legal prohibitions. According to Breyer and repeated in SRB (with no precursor in the WP Opinion), the “means” to identify someone do not need to be considered where identification is prohibited by law. The Draft Guidelines go further, introducing a rebuttable presumption that compliance can be displaced by evidence of poor compliance practices or evidence that the gains from being in breach of the legal prohibition might outweigh the cost, effort and risk and distinguish a legal prohibition from a merely complementary contractual one.
Our take
Anonymisation remains a complex area of compliance, but the direction of travel is unmistakable: anonymisation is no longer a single, universal state but a question to be asked separately for each recipient of your data. This brings the EDPB’s position somewhat closer to the ICO (see our previous blog post) and is good news for organisations structuring flows to third party controllers who genuinely cannot re-identify individuals. However, it is less helpful in respect of processors and raises the evidential bar where you rely on a legal prohibition, or a recipient's supposed lack of interest in re-identifying someone.
It is also encouraging to note that the EDPB has made an effort to make its guidance more accessible and informed (as per the Helsinki Statement): the Draft Guidelines offer a simplified vs contextual approach (set out above) and include a diagram to help organisations assess whether data is anonymised.
The Draft Guidelines, which are open for consultation until 30 October 2026, are a strong signal of where regulatory interpretation is heading. Organisations should be considering where they can take advantage of the CJEU’s more pragmatic approach, as endorsed in the Draft Guidelines, including in their contractual arrangements.

/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-07-14-11-09-35-409-6a5618ef3b3a0bc7a472d324.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-07-13-20-00-45-029-6a5543edab2597f8777d7270.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-29-10-16-32-639-6a4246003b479fecf5f620b0.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-25-18-41-32-015-6a3d765c156241708eb3f9e8.jpg)