PONT Data&Privacy

Does pseudonymizing data exempt my company from its obligations under the AVG?

It remains a challenge: which data qualifies as personal data under the General Data Protection Regulation (AVG)? Recently, the Central Netherlands District Court addressed this issue, specifically with regard to so-called HoNOS+ data. This data says something about the mental and social condition of clients. The court's verdict? These data are not personal data. Why not? Read the blog by Tom Boitelle, attorney at Elferink & Kortier Lawyers, below.

August 29, 2025

When is data "personal data" under the AVG?

The AVG applies to the processing of personal data. Collecting personal data can be an opportunity and therefore valuable for many businesses. If a company collects personal data, the rules of the AVG apply. What exactly is personal data? In short, something is personal data if it can be directly or indirectly traced back to a person. Examples include:

  • name, address and place of residence (NAW);
  • age; or
  • phone number.


Pseudonymized data may also be covered by the AVG; more on that below. Anonymous data, on the other hand, is not covered by the AVG. This is because anonymous data cannot be traced back to a person. In practice, however, it is often unclear when data is anonymous within the meaning of the AVG. Read a clarification written by us about this here.

The case: HoNOS+ data requested (processed) by NZa

HoNOS, or Health of the Nation Outcome Scales, is a measurement tool that practitioners use to measure the mental health and daily functioning of clients with mental health symptoms. It is a self-administered questionnaire completed by professionals, and addresses various aspects of functioning, such as psychological symptoms, behavior, impairments and social functioning.

In 2023, this data was allowed to be requested once by the Dutch Healthcare Authority (NZa), and practitioners were required to provide it. This served to support the care performance model, which helps predict severity of care and shorten mental health care (GGZ) waiting lists.

Position: HoNOS+ data is personal data so AVG must be met

The plaintiffs in this class action (also known as the "WAMCA" case) believed that the HoNOS+ data is personal data. Processing of this data must therefore comply with the rules of the AVG, and this was not the case, according to the plaintiffs.

The plaintiffs asked the court to declare that the regulation in question is contrary to law, and they claimed that unlawful action had been taken against both mental health clients and the mental health practitioners involved. In addition, they sought an injunction prohibiting any future collection or processing of this data, and demanded that previously collected data be destroyed.

The NZa, the respondent, disputed that it acted contrary to law.

Judge rules: no personal data!

The court considered whether the data in question could be considered "personal data" within the meaning of the AVG. Article 4 AVG provides the definition of the term: it is any information about identified or identifiable individuals. The court clarified:

  • It involves not only directly but also indirectly traceable data.
  • That includes pseudonymized data that, when combined with available additional information, can still lead to identification.


The judge concluded that this was not the case. In fact, the HoNOS+ data were completely anonymized, according to the judge. Next, the judge looked at whether the anonymous data (the HoNOS+ data) combined with pseudonymized data were indirectly traceable data. Indeed, the NZa had access to pseudonymized claims data. The court ruled that, even when the anonymous data were combined with the data already available, it was very unlikely that the NZa could actually identify individuals. The judge therefore declared the AVG not applicable; the clients' privacy would not be at risk.

Reduce risk of fines by staying up-to-date with applicable privacy laws

When are you dealing with personal data and how do you recognize it? What rules apply when the AVG applies? The AVG remains a complex playing field. It is therefore essential that you are sufficiently informed and thus able to act in accordance with the applicable laws and regulations. After all, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) can impose hefty fines on companies that do not act in accordance with the AVG.

Court ruling: ECLI:NL:RBMNE:2025:1760.


Read the original version of the article on Elferink & Kortier Lawyers' website.
