Personal Data Anonymization in Poland - Rules and Methods

What anonymization means legally, how the 2025 CJEU ruling in C-413/23 P (SRB) changed the standard, and how the Article 29 WP methodology meets Polish DPA enforcement reality.

Anonymization is a process applied to personal data that completely removes it from the scope of the GDPR. This is precisely why it is the most frequently declared but least frequently achieved measure in organizations. For compliance (GRC) teams, data protection teams, DPOs, and lawyers, the problem isn't a lack of techniques - there are more than enough of those. The issue is that the legal standard against which the effectiveness of these techniques is assessed has just changed, and most internal procedures are still being compared to an outdated benchmark. This article clarifies three things: what anonymization is in a legal (rather than a marketing) sense, what the 2025 CJEU ruling changed, and how the Article 29 Working Party's methodology relates to the realities of enforcement by the Personal Data Protection Office (UODO).

1. Starting point - Anonymization Under the GDPR

The entire data protection regime is based on a single concept - "personal data." Recital 26 of the GDPR stipulates that data protection rules do not apply to anonymous information - that is, information that does not relate to an identified or identifiable natural person - or to data that has been anonymized in such a way that the person is no longer identifiable. However, the key criterion is that of identifiability, as set forth in the same recital: it is assessed taking into account "all means likely to be used" - by the controller or any other person - considering the cost, time, available technology, and its future development. This is not an absolute test ("whether re-identification is even conceivable at all"), but a test of reasonable likelihood. This distinction will be significant in Chapter 2 of this article. Neither the GDPR nor the Polish Personal Data Protection Act contains a definition of "anonymization." In practice, a working definition is used: an irreversible process that prevents information from being attributed to a specific individual. The only statutory reference in Poland appears in the Act on Open Data and the Reuse of Public Sector Information, which describes anonymization in the context of ISP data as the transformation of information so that it no longer refers to an identifiable natural person.

Anonymization vs. Pseudonymization of the data - greatest challenge for many organizations

This distinction is not merely academic - it determines whether the GDPR applies at all. Pseudonymization (Article 4(5) of the GDPR) is a processing operation after which the data cannot be attributed to a person without the use of additional information, while the data itself still remains personal data; that additional information is stored separately and subject to technical and organizational measures that prevent its attribution to a specific person. Pseudonymization enables safer processing within GDPR compliance. Recital 28 identifies it as a risk-mitigation measure, not as a means of exempting data from the regulation. Its defining characteristic is reversibility. Both pseudonymization and anonymization serve privacy protection, but they produce different legal effects. Anonymization is irreversible, and that is precisely why it removes data from the scope of the GDPR, but only if both direct and indirect identifiers have been removed, including any direct identifiers that could point to a specific person. The most common and costly mistake is classifying a dataset as "anonymous" when it is, in fact, pseudonymized. The consequences can be significant: if the GDPR still applies, this mistake results in an incorrect legal basis for processing, an incorrect retention period, a failure to fulfill information obligations, and an incorrect assessment of whether a data breach has occurred. The myth that simply masking an identifier "anonymizes" data is a prime example of this, for example when only the identifier itself is hidden.

2. A Moving Target - the CJEU Ruling in EDPS v. SRB (C-413/23 P)

On September 4, 2025, the Court of Justice of the European Union (CJEU) issued a judgment in Case C-413/23 P (EDPS v. Single Resolution Board, SRB), setting aside the General Court's earlier judgment. This is the first ruling in which the CJEU has explicitly confirmed that sufficiently strongly pseudonymized data may constitute personal data for the original controller, while at the same time not constituting personal data for a recipient who is unable to reverse the pseudonymization or identify individuals by other means. Facts of the case: The SRB, acting as the controller, collected comments from Banco Popular's shareholders and creditors, assigned alphanumeric codes to them, removed directly identifying data, and transferred the data to Deloitte. The decryption key remained exclusively with the SRB. Three key points relevant to anonymization practice: - Identifiability is relative and context-dependent. Whether data constitutes personal data depends on whether a specific recipient can reasonably identify individuals - taking into account technical, organizational, and legal measures, as well as "methods for which there is a reasonable likelihood of use." The same dataset may therefore be personal for one entity and non-personal for another. - Opinions and views constitute personal data because they are associated with an identified or identifiable individual; thus, the data pertains to the author of the statement. - The obligation to provide information is assessed at the time of data collection, from the controller's perspective. Subsequent pseudonymization or anonymization does not render the lack of information about recipients lawful, and the use of data for other purposes does not remove prior obligations to provide information to the data subjects.

Why this complicates matters rather than simplifying them

The ruling is sometimes interpreted as liberalizing ("it is easier to classify data as non-personal"). For compliance purposes, the opposite is true - it introduces contextuality that must be documented. In some cases, the same dataset may be classified differently depending on the recipient and the information at their disposal. The status of the data ceases to be a property of the dataset and becomes a function of the relationship: who receives it, what else they have, and what the applicable legal and contractual restrictions are. Added to this is a tension within EU law. EDPB Guidelines 01/2025 on pseudonymization assume that pseudonymized data remains personal data even when the recipient does not have the information needed for re-identification - which stands in clear contradiction to the logic of the SRB ruling. The EDPB's guidelines on anonymization, scheduled for early 2026, are still under development. In practice, this means that the operational reference point for anonymization techniques remains a document from a decade ago - Opinion 05/2014. It is also worth noting guidance from the Information Commissioner's Office and ICO practice. It is important not to treat anonymity as a fixed attribute. Therefore, any procedure that assumes "anonymity" is a permanent, binary, and context-independent characteristic of a dataset is currently inconsistent with current case law. The status should be assessed on a per-disclosure-scenario basis and periodically reviewed.

3. Methodological Core - Opinion 05/2014 of the Article 29 Working Party

Despite its age, Opinion 05/2014 remains the most useful technical framework - in part because its findings were reiterated in the 2018 Polish document by the Ministry of Digital Affairs, "Open Data - Security Standards." The opinion's most important thesis: anonymization is a risk-based process, not the application of a specific algorithm. Such an anonymization process requires a prior risk analysis, an analysis of the effectiveness of methods, and an assessment of the specific dataset - not merely the selection of a single technique. In research, anonymization should cover the entire project, not only the stage of publishing results. Effectiveness is measured by resistance to three types of re-identification attacks: - Singling out - whether it is possible to isolate records relating to a single individual. - Linkability - whether it is possible to link at least two records concerning the same individual (within a single dataset or across datasets). - Inference - whether it is possible, with a high degree of probability, to infer the value of an attribute based on the others. A dataset is considered anonymous only when, with reasonable probability, none of these three threats is effective, and only in certain circumstances can the data be regarded as truly anonymous, with the goal being to prevent the identification of a specific individual so that the data cannot be attributed to a particular person. The fact that a technique neutralizes one threat does not mean it neutralizes the others. Anonymization processes must be tailored to the purpose of processing and the characteristics of the dataset.

Two groups of data and techniques

Randomization - anonymization techniques can generally be divided into masking and synthetic approaches, and in practice also include masking, pseudonymization and generalization, though their effectiveness depends on context; the randomization and generalization discussed below are practical methods from this group, and randomization introduces uncertainty to break the strong link between the data and the individual: - adding noise (perturbation of values that introduces random disturbances into the dataset); - permutation (shuffling attributes among records); - differential privacy - controlled, measurable addition of noise with a formal guarantee of a privacy budget. Limitation: Randomization reduces the reliability of the data and lowers data precision, but does not eliminate the "uniqueness" of a record - each record still comes from a single person, so identification and association are still possible. Generalization - reduces detail to obscure individuality; generalization involves replacing precise values with more general ones, e.g., when full addresses are replaced by ZIP codes: - Aggregation/k-anonymity - each record is indistinguishable from at least k-1 others within a set of quasi-identifiers; - l-diversification - forces the diversification of sensitive values within each group (protects against inference that k-anonymity does not prevent); - t-proximity - further requires that the distribution of a sensitive attribute within a group be close to the distribution in the entire dataset. Limitation: generalization alone "does not ensure effective anonymization in all cases" and requires an advanced quantitative approach to prevent linking and inference. The lesson remains the same: one does not simply "choose an anonymization technique"; rather, one designs a process and assesses the residual risk with respect to all three threats, within the specific context of data disclosure, using the method suited to that disclosure scenario.

4. The Polish Context - What "In Poland" Really Means

To be fair, most of the regulations governing anonymization are EU-wide. What is specific to Poland is primarily the enforcement stance of the UODO and several sector-specific regulations - and that is precisely where the real game of interpretation and risk plays out. The UODO's sector-specific inspections for 2026 explicitly cover anonymization. According to the published plan, the inspections will cover, among others, entities maintaining a Public Information Bulletin (BIP) - the manner of data processing in connection with maintaining the BIP will be examined, "in particular with regard to data anonymization and the disclosure of the proceedings of municipal council sessions." For the public sector and local government entities, this is not a theoretical issue - it is a designated area of oversight. The UODO's position from July 2025 - anonymization does not end with obscuring a person's first and last name. The President of the UODO pointed out that the nature of handwritten text may allow for the identification of an individual - in the context of handwritten election protests published on the Supreme Court's website, in which other data had been obscured. In 2017, errors in the anonymization of documents by the Government Legislation Center were also revealed. This serves as a practical reminder that editing fields does not equate to their anonymization, and a feature not provided for in the form can sometimes serve as a quasi-identifier. The systemic context is provided by the Supreme Audit Office (NIK) report "Personal Data Protection Without Protection in Local Governments," which highlights the systemic nature of irregularities in JST. The Personal Data Protection Office's (UODO) audit plan for 2026 clearly references these findings. Sector-specific regulations impose their own regimes. These include the anonymization of court rulings prior to publication, restrictions on the disclosure of public information (the privacy of natural persons as a statutory limit on access), and specific requirements for medical data. In practice, this requires maintaining data confidentiality even at the technical levels of a document. It is in these areas that the "Polish" aspect of the topic becomes tangible and takes on significance - not in the definition of anonymization itself.

5. What This Means Operationally for Organizations

Treat anonymization as a documented process, not as the purchase of a tool. Proof of compliance is not a software invoice, but a re-identification risk assessment: what quasi-identifiers remain, which external datasets are actually accessible, what the "motivated intruder" model is, what risk threshold was adopted, and why. Its implementation also requires organizational decisions, and manual data anonymization is labor-intensive and time-consuming. Properly conducted processing of personal data supports compliance but also increases customer trust in how their data is managed. Determine the context of disclosure, as it determines the status. Following the SRB ruling, the same data transformation yields a different legal outcome in the case of open publication (any recipient, any auxiliary data) than when transferred to a controlled environment with contractual and technical restrictions. Publication in the Public Information Bulletin (BIP) is the most demanding scenario - data "circulates" indefinitely and is indexed. Data made available or published should therefore also be assessed in light of future sharing. If the data is transformed too extensively, it becomes less useful, so a balance must be struck between security and the analytical value of anonymized data. Anonymity is time-limited. A dataset that is anonymous today may become identifiable after a new external dataset is published. Build in review triggers (e.g., when the scope of the data changes, new public sources emerge, or technology changes). New technologies can affect the effectiveness of the anonymization process, so they require periodic re-evaluation. Link this to the rest of the accountability documentation. The anonymization assessment should inform the DPIA and the ROPA and demonstrate compliance with Article 5(2) of the GDPR. The supervisory authority (UODO) evaluates not declarations, but the ability to demonstrate compliance. Incorrect classification of data may lead to sanctions and high fines for violations. The most common pitfalls worth adding to your checklist: - hashing as "anonymization" - the hash function is reversible via a dictionary attack or brute force, especially for data with low entropy (PESEL, email, phone number); this is pseudonymization, not anonymization; - "redacted" PDF, from which text can be copied or the layer beneath the graphic recovered; data held in the file or its technical layers may still enable identification (apparent anonymization); - metadata of files and documents (author, paths, revision history); employee data and sensitive data - such as information about sexual preferences - also require special caution; - small cells and outliers - a single outlier may still be identifiable despite aggregation; - handwritten signatures, stamps, and handwriting style as non-obvious quasi-identifiers; - recordings (sessions of collegial bodies) in which personal data is mentioned. Contractual and organizational controls are important - but they do not make data anonymous to external parties. Under the SRB, restrictions imposed on the recipient may reduce identifiability on the recipient's side and affect the classification of data in that relationship. However, this is a relational argument, not proof of irreversible anonymization. Do not confuse the two in the activity log.

**Revelio** automates the detection of personal data in unstructured documents, including hidden quasi-identifiers a form does not anticipate, and data buried in metadata or PDF layers. **Nocturno** handles the actual anonymization using proven techniques (k-anonymity, l-diversity, t-closeness, differential privacy) and assesses re-identification risk against the three threats from Opinion 05/2014 - singling out, linkability and inference - so that anonymization becomes a documented process rather than a mere declaration.

Three principles that should endure any change in guidelines: Assume pseudonymization by default until you document irreversibility with respect to extraction, linking, and inference in the given context of disclosure. The burden of proof lies with the controller. Do not start compliance with a list of techniques - start with an assessment of identifiability and the disclosure scenario; the legal basis and the assessment of the scope of personal data protection change only when the data cannot be identified at all as relating to a natural person, and the technique is a tool subordinate to that assessment, not a substitute for it. Keep an eye on two sources - the EDPB's upcoming guidelines on anonymization and the reactions of national authorities to the SRB's guidance. The benchmark against which you measure your procedures is not yet stable - and it is better to design processes that are resilient to shifts in that benchmark rather than tailored to a single, temporary interpretation, because the goal remains to protect the privacy of natural persons so that the data is not linked to the specific individual to whom it originally pertained. This material is for informational and analytical purposes only and does not constitute legal advice. The classification of a specific dataset requires an assessment within the actual context of its processing and disclosure.