Anonymization in law firms: a GDPR guide that preserves attorney-client privilege
April 24, 2026
A law firm is one of the organizations with the highest density of special-category personal data per square meter: health, union affiliation, sexual orientation, criminal records, financial data. The combination of attorney-client privilege and GDPR places reinforced obligations on firms, but also offers a strong argument: when data is correctly anonymized, many legal frictions disappear. This guide explains when and how to anonymize in law firms.
What data a typical firm handles
A typical firm handles daily:
- Client files with all personal, financial, and family information.
- Pleadings detailing facts, evidentiary documents, and third-party data.
- Rulings and decisions from all jurisdictions.
- Contracts, wills, and legal instruments from clients and third parties.
- Communications with opposing parties and their representatives.
- Expert, medical, and financial reports submitted as evidence.
- Staff data and opposing parties’ data, if the firm focuses on labor or HR matters.
On top of the GDPR’s own requirements comes the duty of attorney-client privilege, regulated in the Code of Ethics of the local bar association and in the Organic Law of the Judiciary, which obliges lawyers to keep secret all facts and information they learn by reason of their profession.
When anonymization is essential in a law firm
Several recurring situations demand real anonymization:
1. Publishing rulings and decisions on the firm’s website
Many firms publish judicial successes for marketing. If a ruling is uploaded with the client’s data, even to show a judicial victory, personal data is being processed without a legal basis.
Rule: only anonymized rulings should be published, removing not only names but also contextual data allowing re-identification (small locality, specific date, specific company).
2. Sharing a case with a colleague for consultation
Consulting with colleagues is legitimate, but if a complete file is sent by email or messaging with all personal data, a transfer is being made without a legal basis.
Rule: consulting cases with colleagues requires prior anonymization of the file unless there is a documented engagement or co-defense relationship.
3. Training and lectures
Using real cases in internal training, lectures, or publications is a common and useful practice. But cases must remain completely anonymized.
Rule: anyone giving a professional talk with real cases must ensure no attendee (let alone an internet search) can re-identify the client by cross-referencing data.
4. Sending files to experts or witnesses
The medical, financial, or technical expert usually does not need all the client’s personal data to issue their report. Sending the file unredacted is a questionable data transfer.
Rule: when sending a file to an expert, it should contain only the data necessary for their function. Family data, tangential financial data, or non-pertinent personal data should be anonymized.
5. Archiving closed cases
When a case closes, the firm has retention obligations (professional liability limitation periods) but also minimization obligations. Keeping data indefinitely in the clear is excessive.
Rule: after matter closure, assess whether the file should be archived with all data (by reason of professional liability, 10 years from last action) or whether anonymization is appropriate for statistical use or internal case law.
6. Disclosure to opposing party or third parties
In proceedings with multiple parties (class actions, mediation, arbitration), documents containing data of third parties not directly involved should be anonymized before their transfer.
Types of data that must be anonymized in pleadings and rulings
A pleading or a ruling contains many levels of identifiable data:
Direct identifiers of parties and representatives
- Names and surnames
- National ID, passport
- Address
- Bar membership number of the lawyer and representative
Identifiers of mentioned third parties
- Witnesses
- Experts
- Family members of the client or opposing party
- Employees, coworkers, neighbors
Contextual identifiers
- Exact location of the events
- Exact date of the events
- Employer company
- Medical center
- License plates
- Policy or bank account number
Especially sensitive data
- Medical diagnoses
- Details of violence, abuse, discrimination
- Sexual orientation
- Union or political affiliation
- Criminal records
Anonymizing a ruling for publication on the firm’s website requires attending to all these levels.
Case-law criteria on anonymization in the legal sector
Authorities and courts have consolidated specific criteria:
- Rulings published in public databases: these databases apply automatic anonymization, but there have been cases of re-identification by context, especially in small courts or unique topics. Firms should not rely solely on the source database’s automatic anonymization.
- Publication on firm websites: firms must apply their own anonymization; using the database version does not exempt the firm from liability if re-identification occurs from contextual data the firm adds.
- AI searches and queries: if a firm uploads files to an AI system (ChatGPT, Claude) for analysis, it must pre-anonymize them unless the provider has signed a GDPR processing agreement covering processing on EU servers.
- Transfer to experts: authorities have sanctioned complete transfers of medical histories to experts when anonymized reports plus specific questions would have sufficed.
Recommended workflow for a firm
- Written internal policy on what is anonymized and when, approved by the managing partner or firm DPO.
- Anonymized templates for recurring uses (marketing, training, consultations).
- Automated tool that processes rulings and pleadings before leaving the firm for any use other than judicial process.
- Training for the whole team — lawyers, associates, administration — on what real anonymization is and what it is not.
- Register of anonymizations to demonstrate diligence in case of a complaint.
Interaction with attorney-client privilege
Attorney-client privilege is stricter than GDPR: it requires secrecy even when GDPR would allow the data to be communicated (e.g., administrative requests). The combined framework generates practical rules:
- Privilege does not impede anonymization; on the contrary, anonymization is the best way to reuse information (internal case law, training) without breaching privilege.
- Anonymizing a document does not release the lawyer from the duty of secrecy over the facts: the lawyer cannot recount an anonymized case if the facts are so unique that they allow the client to be re-identified.
- Exceptions to privilege (judicial requests, money laundering laws) do not exempt the firm from GDPR: data transferred to the court remains personal data and its processing must be documented.
Frequently asked questions
Can I publish rulings I won on my website for marketing?
Yes, but fully anonymized. It is not enough to replace “John Doe” with “J.D.”; any contextual data allowing identification (small locality, specific company, exact date, singular amount) must be removed.
Do I have to anonymize pleadings I submit to court?
No. Filing before a judicial body is covered by a procedural legal basis; what must be anonymized is subsequent dissemination for other purposes (website, training, consultation).
Must I use a processing agreement with experts I send files to?
Yes, whenever you send them personal data for their professional service. The processing agreement documents who is controller and who is processor, and is required in authority inspections.
Can I use ChatGPT or other LLMs to analyze a client’s pleading?
Only if you pre-anonymize the pleading or if the provider signs a GDPR processing agreement with EU servers (OpenAI Enterprise, Anthropic Trust Center, Google Vertex in EU). The free or consumer version of these services does not allow sending client personal data without breaching GDPR.
How long should I retain client files?
At least 10 years from the last action, because of the professional liability limitation period and the bar’s code of ethics. Beyond that, consider anonymization for internal statistical use.
Conclusion
Anonymization in law firms is not an additional burden: it is a tool that allows reusing accumulated knowledge (internal case law, training, marketing) without violating attorney-client privilege or GDPR. Firms that professionalize their anonymization flow reduce risks, publish with confidence, and work better with external collaborators.
If you manage a firm or work in a legal advisory, try anonimiza.do to automate the anonymization of rulings, pleadings, and files. It recognizes European identifiers and generates an auditable log of the procedure.