I didn’t mean to imply what actually happens with the data, only what you can do with the data. Just in my practice dealing with gdpr we always move from hash to tokens because you cannot prove the data is anonymous with hashes, but you can with tokens (as long as you prove you truncate association table frequently enough or discard it on the fly).