The organization must establish and maintain a documented procedure for implementing pseudonymisation and other privacy-enhancing techniques when processing personal data. These measures aim to minimize the risk of identifying individuals during data processing, sharing, or disclosure.

The procedure should include the following key requirements:

• Replace, mask, or remove identifiers and data elements that could reveal an individual’s identity.
• Ensure re-identification is possible only under authorized and controlled conditions.
• Apply pseudonymisation methods appropriate to the level of risk and the nature of processing activities.
• Document and regularly review pseudonymisation procedures and safeguards to confirm effectiveness.
• Ensure consistent application across all systems and processing operations to maintain confidentiality, integrity, and security of personal data.

When personal data is collected from sources other than the individual, including publicly available sources, the organization must ensure transparency, fairness, and lawful processing and disclosure.

• Inform the data subject within a reasonable time after collection, including the categories and sources of data.
• Ensure the processing or disclosure serves a specific, lawful purpose and is limited to the minimum data necessary.
• Take appropriate measures to protect the privacy and rights of all individuals.
• Confirm that any disclosure of publicly available data complies with applicable laws and does not breach data protection requirements.
• Notification is not required if the individual already has the information, disclosure is impractical or excessive, or processing occurs under legal, confidentiality, or public interest obligations.

The above conditions do not apply if the data subject already has the information, disclosure is impossible or disproportionate, the data is collected under legal or confidentiality obligations, or processed by a public authority for security, judicial, or public interest purposes.

Henkilötietojen pseudonymisointi tarkoittaa tietojen käsittelemistä niin, että tietoja ei voida enää suoraan yhdistää tiettyyn rekisteröityyn käyttämättä lisätietoja.