I. Introduction
Anonymization is a critical concept in data protection law, particularly when determining whether certain datasets fall within the scope of “personal data.” The Turkish data protection legislation provides that “anonymization is the process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data” and states that “to anonymize the personal data, personal data shall be rendered impossible to relate to identified or identifiable person, even through using appropriate techniques in respect of the recording medium and relevant field of activity, such as recovery of data by the data controller, recipient or recipient groups and matching data with other data.”
The legal assessment of whether anonymized data is still personal data becomes nuanced when the data is transferred between two parties and the transferor party can still identify the person behind the data while the transferred party cannot. This article aims to discuss this issue.
II. Views of Various Data Protection Authorities on the Matter
For the sake of discussion, it is assumed that the data transferor party removes the identification aspects of the personal data and transfers the remaining data points to the transferred party. In this relationship, the transferred party has no other means to identify the person(s) behind the data it receives; however, the data transferor party still has this ability. This means that the data is subjectively anonymized (the data is unidentifiable only by the transferred party but could still be linked to an individual by the transferor party) as opposed to being objectively anonymized (the data is rendered irreversibly unidentifiable by anyone).
This is a highly controversial issue globally. One view holds that as long as the data transferor knows that the data corresponds to a data subject, the transfer is not an anonymous transfer (because the data transferor has control over the content of the data, so objectively the data is not anonymous), while the other view holds that it is an anonymous data transfer (because the data transferred party will never be able to determine who the data belongs to, so the data is subjectively anonymous).
Although there is no decision from the Turkish Data Protection Authority (“Turkish DPA”) on this debate, the European Data Protection Supervisor (“EDPS”) and the Irish DPA consider that there is a transfer of personal data unless there is objective anonymization, while the UK DPA and the Court of Justice of the European Union (“CJEU”) consider that there is no transfer of personal data in the case of subjective anonymization.
Based on the definition of pseudonymization in the GDPR, for personal data to be pseudonymized, it must be treated in such a way that it is no longer possible to attribute the information to a specific data subject without the use of separate additional information. Thus, it must be theoretically possible to link this information and the additional information. However, the European Data Protection Board (“EDPB”), in its Guidelines 01/2025 on pseudonymisation, adopted on 16 January 2025, states that “if pseudonymised data and additional information could be combined having regard to the means reasonably likely to be used by the controller or by another person, then the pseudonymised data is personal. Even if all additional information retained by the pseudonymising controller has been erased, the pseudonymised data becomes anonymous only if the conditions for anonymity are met.”
On the other hand, the relevant rulings of the CJEU clearly point out that there needs to be a link between the party holding such additional information and the controller. For example, in the Breyer judgment, it is stated that “the fact that the additional data necessary to identify the user of a website are held not by the online media services provider, but by that user’s internet service provider does not appear to be such as to exclude that dynamic IP addresses registered by the online media services provider constitute personal data within the meaning of Article 2(a) of Directive 95/46. However, it must be determined whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject.” In the concrete case, as long as the data transferor does not share any additional information with the data transferred party, there will be no link between such additional information and the data transferred party.
Additionally, in the case numbered T-557/20 - SRB v. EDPS, the General Court stated that “It must be stated that, in the revised decision, the EDPS concluded that the fact that the SRB held additional information enabling the authors of the comments to be re-identified was sufficient to conclude that the information transmitted to Deloitte was personal data, while acknowledging that the identification data received during the registration phase had not been communicated to Deloitte.
Accordingly, it is apparent from the revised decision that the EDPS merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s.
It is apparent from paragraph 45 of the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), cited in paragraph 92 above, that it was for the EDPS to determine whether the possibility of combining the information that had been transmitted to Deloitte with the additional information held by the SRB constituted a means likely reasonably to be used by Deloitte to identify the authors of the comments.
Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725.”
In parallel with the General Court's decision above, the CJEU made similar assessments in the Scania judgment. In the relevant judgment, the CJEU stated that “When third parties reasonably have the means to link a VIN to an identified or identifiable natural person—which it is up to the referring court to verify—that VIN constitutes personal data for them” and that “the concept of ‘processing’ under Article 4(2) of the GDPR (…) encompasses any form of enabling access to a VIN by the data controller when that VIN makes it possible to identify a natural person.”
Lastly, in the case numbered C-413/23 P, which is the appeal of the case numbered T-557/20 mentioned above, the CJEU determined that “Accordingly, provided that such technical and organisational measures are actually put in place and are such as to prevent the data in question from being attributed to the data subject, in such a way that the data subject is not or is no longer identifiable, pseudonymisation may have an impact on whether or not those data are personal.”
III. Views of Turkish Authorities
As mentioned above, the Turkish DPA has not made a decision on anonymization directly. However, the Turkish Data Protection Board (the “Board”) and the Banking Regulation and Supervision Agency (the “BRSA”) have concluded in various decisions that personal data does not lose its personal data features when processed or transferred by hashing or masking.
In its decision dated 20/05/2020 and numbered 2020/404, the Board stated that “biometric data do not lose their characteristics as biometric data when stored using the hash method; therefore, in the absence of explicit consent, biometric data may only be processed in accordance with the conditions set out in the laws specified in Article 6 of the Law”. It can therefore be concluded that the Board interpreted the hash method as a technical measure.
Circular 2022/1 of the BRSA regarding “Sharing of Information that are Considered as Secret” states that “Transferring confidential data to the other party in an encrypted form, or implementing access controls to prevent unauthorised access, constitutes a ‘technical measure’. Claiming that the recipient was prevented from learning the content of the transferred data through the implementation of these technical measures does not mean that the confidential data was not shared with the other party. On the contrary, the confidential information is deemed to have been shared.” Therefore, although the Turkish DPA does not have a clear view on the matter, certain authorities in other sectors, such as the BRSA in banking, recognize only objective anonymization as anonymization, and not subjective anonymization.
IV. Conclusion
Anonymization is not a binary concept; it exists on a spectrum between subjective and objective standards. Given the regulatory uncertainty and divergent interpretations across jurisdictions, organizations should be wary of the technical and organizational measures regarding personal data.
Accordingly, if the data transferred party has no reasonable means to associate the pseudonymized data transferred by the data transferor with an identified or identifiable natural person, it may be assumed that this data does not constitute personal data for the data transferred party. In other words, if the data transferred party has no legal means available to it which could, in practice, enable it to access the additional information necessary to re-identify the data transferor’s data subjects, and if the data transferred party has no way of combining the information provided to it with additional information held by the data transferor, it can be concluded that there is no transfer of personal data.
However, it is recommended that the agreement signed with the data transferred party should include a statement that the relevant transfer does not constitute a transfer of personal data. The measures suggested in paragraph 114 of the EDPB guidance should also be considered. These can be listed as follows: (i) Whenever the pseudonymization domain is to consist of a defined set of recipients, the responsibilities of all parties involved should be defined by an arrangement, preferably in contractual form. (ii) Those arrangements should reflect the need to keep the pseudonymized data within the pseudonymization domain, and to limit the inflow of or access to information that might allow attribution of pseudonymized data to data subjects, including among the recipients. (iii) Whenever relevant, the arrangements should regulate the process to be followed when assumptions about the pseudonymization domain need to be adapted. (iv) It should be noted that such arrangements on their own are not sufficient to ensure a proper separation of the pseudonymization domain from additional data without corresponding effective enforcement.