There are different understandings of pseudonymised data in Estonian law. For example, the Data Protection Inspectorate has drawn attention to the need to amend section 7 of the Human Genes Research Act. It reads: “The provisions regulating the processing of personal data do not apply to the processing of pseudonymised tissue samples, pseudonymised descriptions of DNA and pseudonymised descriptions of state of health if such tissue samples, descriptions of DNA and descriptions of state of health are processed as a set of data and on the condition that the set of data to be processed contains DNA samples, descriptions of DNA or descriptions of state of health of at least five gene donors at a time.” However, Recital 26 of the GDPR states that pseudonymised personal data should be considered information on an identifiable natural person. Thus, pseudonymised genetic or health data cannot be classified as non-personal data to which neither the GDPR nor the Personal Data Protection Act apply.

3.

...

3.1. Causes and timing of data pseudonymisation

According to the GDPR, pseudonymisation enhances the security of the processing of personal data and data protection by design. The principle of minimisation must be respected: if the processing does not require the identification of the data subject, the processing of personalised data is not justified. Thus, pseudonymisation concerns not only the transmission of personal data but also the work within a research institution or a research project, where it reduces the number of researchers who can identify individuals based on the data.

...

Personal data should be pseudonymised as soon as possible. For example, in a research project with several partners abroad, this should be done immediately after data collection and before starting the analysis or transferring the data to project partners.


...

3.2. Pseudonymisation entities

As stated in the 2019 guidelines “Pseudonymisation techniques and best practices” by the European Union Agency for Cybersecurity (ENISA), a pseudonymisation entity can be either a data controller, a data processor or a trusted third party. However, the responsibility for the security of data processing always rests with the controller.

Pseudonymisation is certainly necessary in the case of a joint study between several institutions. For example, two or more partners may be joint controllers, but they must agree that the research institution collecting the personal data pseudonymises the data before transferring them to the joint controllers. In this way, the principles of minimisation and security in data processing are respected. Similarly, the personal data may be pseudonymised by the processor (e.g. the survey company) before transferring the data to the research institution.


...

3.3. Methods of data pseudonymisation

When setting up an institution- or project-based pseudonymisation policy, one can use the ENISA guidelines on pseudonymisation techniques and best practices, which recommend a risk-based approach to the choice of pseudonymisation method. The risks considered include potential attacks on pseudonymised datasets, the sensitivity of the data, the availability of the data and the need to protect the data.

...