https://www.cnil.fr/fr/lanonymisation-de-donnees-personnelles
including e.g. (via Google Translate)
If these three criteria are not fully met, the data controller who wishes to anonymize a data set must demonstrate, via an in-depth assessment of the identification risks, that the risk of re-identification with reasonable means is zero.
As anonymization and re-identification techniques are subject to regular changes, it is essential for any data controller concerned to carry out regular monitoring to preserve the anonymity of the data produced over time. This watch must take into account the technical means available as well as the other sources of data which can allow to lift the anonymity of the information.