How to implement pseudonymization to meet GDPR requirements

Although there are no explicit GDPR encryption requirements, the regulation does require you to enforce security measures and safeguards.

The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security (GDPR Article 32).

GDPR defines pseudonymization as:

‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Databunker meets the definition of pseudonymization by encrypting and storing user personal data separately from the application database. When a user object is saved in Databunker, a random user token is generated, serving as a pseudonymized user identity.

For cross-border transfers, and when saving application logs, it is recommended to replace user identities (such as email or name) with the user token generated by Databunker. The user is then not directly identifiable in the transferred or logged data, and this approach is compatible with Schrems II, addressing the requirements for data transfers outside the European Economic Area (EEA).
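The log-replacement step described above, as an added example that is not Databunker's code or API: `TokenVault` is a hypothetical in-memory stand-in for the separately kept store, and the log lines are constructed.

```python
import re
import uuid

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class TokenVault:
    """Hypothetical in-memory stand-in for the separate, access-controlled
    store that holds the identity-to-token mapping (not Databunker's API)."""

    def __init__(self):
        self._by_identity = {}   # normalized email -> token
        self._by_token = {}      # token -> normalized email

    def token_for(self, email):
        key = email.strip().lower()          # same person, same token
        if key not in self._by_identity:
            token = str(uuid.uuid4())        # random, not derived from the email
            self._by_identity[key] = token
            self._by_token[token] = key
        return self._by_identity[key]

    def reidentify(self, token):
        """Only code with vault access can map a token back to a person."""
        return self._by_token.get(token)


def pseudonymize_line(line, vault):
    """Replace every email address in a log line with its user token."""
    return EMAIL_RE.sub(lambda m: vault.token_for(m.group(0)), line)


# Constructed sample log lines.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z login ok user=alice@example.com ip=203.0.113.7",
    "2024-05-01T10:05:12Z password reset requested for Alice@Example.com",
    "2024-05-01T10:06:40Z invoice 1182 emailed to bob@example.org",
]

if __name__ == "__main__":
    vault = TokenVault()
    for entry in SAMPLE_LOGS:
        print(pseudonymize_line(entry, vault))
```

The token is random rather than a hash of the email, so it cannot be recomputed from a known address without the vault. Other identifiers in a line, such as the IP address in the first sample, are left untouched by this sketch and need their own handling.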
