
Eva Jarbekk
Partner
Oslo
Newsletter
The European Court of Justice (ECJ) has ruled on an important case about when pseudonymised data can constitute personal data, which may prove to have a significant impact on how we consider the scope of data protection regulation going forward.
On 4 September 2025, the Court of Justice of the European Union (CJEU) ruled in the case European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (C-413/23 P). The judgement contains significant clarifications related to the processing of pseudonymised data. In principle, the judgement clarifies very important questions about when pseudonymised data still constitutes personal data, as well as how the duty to provide information applies in connection with such data. In formal terms, the judgement relates to the obligations under Regulation (EU) 2018/1752, which regulates the processing of personal data by EU institutions, but in practice these are completely parallel to the principles in the GDPR, so the judgement is highly transferable to the GDPR context.
The pseudonymisation of personal data has long been a controversial topic. In particular, there has been a discussion about the threshold to be applied for information to be indirectly identifiable back to an individual. Some believe the threshold is very low - that any possibility of identification counts, which can provide an almost objective approach to whether pseudonymised information is personal data. Others have argued that a risk-based and relative approach is better.
Despite the fact that the CJEU's decision opens up a number of practical questions for the way forward (which we will touch on later in the article), the decision entails a fundamentally important clarification related to the relative nature of the concept of personal data. This may be of great importance for the data controller's and the data recipient's future processing of (personal?) data.
The case arose following a dissolution of the Spanish bank Banco Popular in 2017. The SRB collected comments from affected shareholders and creditors as part of a "right to be heard" process. In this process, SRB pseudonymised these comments, and then shared the pseudonymised comments with the consulting firm Deloitte for analytical purposes. Only SRB had access to the numerical codes that could link the comments to the identities of the people who had submitted them.
Several of the affected participants complained to the European Data Protection Authorities about SRB's failure to identify Deloitte as a recipient of personal data in its privacy policy. The EDPS found that SRB had not complied with its obligations under Regulation (EU) 2018/1752, which regulates the processing of personal data by EU institutions. The decision was later overturned by the General Court of the EU in 2023, before the EDPS appealed the case to the European Court of Justice. The CJEU's decision establishes several important principles relating to the scope of the concept of personal data, which may have significance far beyond the specific case.
The SRB was the controller of the personal data. When the case was brought before the European Court of Justice, the EDPS argued that Deloitte was the data processor for SRB. It almost seems odd that this had not been argued before, as data processors are generally identified with data controllers (you'd think that SRB would know whether Deloitte was their data processor or an independent data controller, but the world is not always like that). But the defence was rejected by the court anyway because it had not been raised previously. This is purely procedural law - you can't appeal something that hasn't been raised before. Nevertheless, this has led to a strange situation, where the judgement does not consider what role Deloitte had and how this would have affected the assessments. Very few people have commented on this. Where this has been discussed, I have so far only seen it argued that Deloitte was considered to be an independent data controller and that the relativity assessment can only be used where the recipient is an independent data controller. Peter Craddock has written more about this, see link.
In the case, the CJEU firstly states that comments that reflect the sender's point of view are, by their very nature, information that "relates to" the individual, irrespective of factors relating to the purpose or effect of the comments. The CJEU emphasises that personal opinions are inherently and closely related to their sender, and therefore necessarily constitute personal data if the sender can be identified. This is by no means surprising and shows that employee surveys, customer feedback, whistleblowing reports and similar material that reflects the sender's views should actually be considered personal data.
One of several important aspects of the judgement is the clarification of when and how information requirements should be assessed. The CJEU ruled that the obligation to inform data subjects of the relevant recipients of personal data arises at the time of collection and should be assessed from the controller's point of view. The Court's reasoning is that the obligation to provide such information is a natural part of the legal relationship between the data subject and the controller, and that the obligation must generally be fulfilled at the time of collection of personal data. This means that controllers need to be transparent and clear about planned data sharing even when the data is later pseudonymised.
This is not necessarily a ground-breaking clarification in isolation but seen in the context of the clarifications related to the concept of personal data in connection with pseudonymisation, the clarification of where the transparency and information requirements are placed could be of great importance to the controller.
The decision further confirms that a contextual and risk-based approach must be adopted when assessing the concept of personal data in connection with pseudonymisation. Furthermore, the Court clarifies the important principle that pseudonymisation may, under certain circumstances, render data non-personal to a recipient if the recipient cannot re-identify the individuals in light of "all the means that might reasonably be expected to be used".
In this context, the Court states that pseudonymised data need not always be regarded as personal data. Furthermore, the Court highlights that where effective measures prevent the data subject from being identified using the pseudonymised data and the recipient is not in a position to re-identify the data subject through the use of "any means that could reasonably be expected to be used", the data subject is not identifiable to the relevant data recipient. In that case, from a practical point of view, the data received does not constitute "personal data" for the data recipient under the data protection regulations, so the recipient's handling of the data does not constitute processing of personal data within the meaning of the regulations.
The CJEU's position on the issue of pseudonymised data shows a willingness to adopt a more pragmatic approach to the interpretation of the GDPR, and at the same time parks the much-debated question of whether pseudonymised data always constitutes personal data.
From a legal perspective, this constitutes a fundamental and important clarification of the interpretation of the data protection regulations, where the court applies a relative concept of personal data rather than an absolute interpretation. However, it must be emphasised that on a general basis, the European Court of Justice does not go further than allowing for specific assessments of pseudonymised data, so that the consequences of the ruling do not entail any automaticity in how pseudonymised data is assessed against the concept of personal data.
Furthermore, the decision does not contain any anonymisation test and/or other practical measures that can be implemented and used by (potential) data controllers in the event of uncertainty as to whether received data is sufficiently pseudonymised for the recipient's processing not to be covered by the data protection regulations. In this respect, the legally important clarification opens up a number of practical challenges for the future. We will come back to this.
In its ruling on the relative nature of the concept of personal data, the CJEU relies heavily on recital 16 of Regulation (EU) 2018/1752 (corresponding to recital 26 of the GDPR), which forms part of the framework for when data should be considered personal data - and when data can be considered anonymous.
Among other things, the Court emphasises that the wording of the preamble will lose its practical significance if pseudonymised data must always be regarded as personal data for all parties. By referring to the preamble, the Court emphasises that the assessment of whether data is personal must be made contextually - the decisive factor is what means can reasonably be expected to be used by the specific processor to identify individuals. In this respect, the Court uses the preamble to support a more nuanced approach than the absolute personal data concept argued by the EDPS, so that the same set of data can have different legal status depending on the recipient's actual possibilities for re-identification.
Despite the fact that the decision itself provides little guidance as to the specific situations in which pseudonymised data is sufficiently anonymised to not be re-identifiable by the recipient, the CJEU's assessment of the content of the preamble provides some guidance on the factors that will be of importance.
In paragraphs 75-87 of the judgement, the Court emphasises - based on the preamble - that the assessment of identifiability must take into account all the means that might reasonably be expected to be used by the controller or "another person" to identify the person directly or indirectly. When assessing whether means can reasonably be expected to be used, the Court states that "all objective factors" must be taken into account, such as the cost and time required for identification, and taking into account available technology at the time of processing and technological developments. The decision suggests that broad and very specific assessments must be made of the possibility that pseudonymised data can reasonably be re-identified, either by the data recipient itself or for the data recipient with the help of other persons and available technology.
In this context, the Court also emphasises that pseudonymised data may be considered personal data again if it is made available to third parties who have the means of re-identification, and that the risk of identification can only be considered negligible when identification is prohibited by law, requires disproportionate effort, or is not practicable.
In paragraphs 81-87 of the decision, the Court draws on previous case law, including Breyer (C-572/14), to emphasise that data that is inherently impersonal may nevertheless be linked to identifiable individuals when the controller has the legal and/or technical means to obtain additional information from others. In this respect, the Court uses the Breyer case, among others, to illustrate the relative nature of the concept of personal data, in that the relativity of the concept can also lead to information that is initially and in isolation sufficiently anonymised being linked to identifiable persons and thus constituting personal data. The Court thus seems to use the Breyer case, among others, to illustrate an opposite situation - i.e. where data was initially impersonal but was personalised through additional information - to emphasise the relative and concrete nature of the assessment.
The ruling is likely to have several important practical consequences for organisations' processing of personal data.
Regarding transparency and information requirements, the CJEU emphasises that controllers - at the time of collection - must inform data subjects about the disclosure of personal data to third parties, regardless of whether the controller plans to pseudonymise the personal data before sharing. This means that controllers' privacy notices must be sufficiently clear and informative in relation to potential data sharing, including where the data to be shared in the future is shared in pseudonymised forms. In practice, this will mean that data controllers have obligations related to identifying categories of data recipients at the collection stage even if data will be pseudonymised before sharing.
Furthermore, the CJEU's decision suggests that very concrete and context-specific assessments must be made regarding the recipient's ability to take measures to re-identify pseudonymised data.
For example, a dataset may be considered not re-identifiable for one recipient but re-identifiable for another, depending on the means and other information available to the specific recipient. The outcome of such specific assessments will, in light of the CJEU's decision, be decisive for whether the data sharing and the recipient's dealings with the data are covered by the data protection regulations.
This could lead to complexity for organisations when sharing and receiving data, as each data sharing will have to be assessed individually. In addition, complex supply chains and constant technological development can make it challenging for a data controller to assess who, from time to time, has the "means" available to re-identify pseudonymised data. There will probably also be differences in different social spheres. For example, there is case law that the ability to re-identify within the marketing sphere is great because this type of actor collects data from many sources. At the same time, one can imagine a different conclusion in research. It is also thought-provoking that, in general, there is a good deal of research showing that a great deal of pseudonymised data can be compiled, also with the help of public sources. There will be a lot of discussion about this in the future.
Companies that now want to define pseudonymised personal data as "non-personal data" should at least thoroughly document that the data cannot reasonably re-identify individuals. Such assessments should also take into account changes in technology and contract terms.
The next step in the context of the decision is likely to be more practical guidance from EU data protection institutions and national supervisory authorities on how to assess pseudonymised data going forward. It is natural to think that there may be operational criteria for anonymisation, as well as practical examples of what will - and will not - be included in the assessment topic "means that can reasonably be expected to be used" for re-identification of pseudonymised data in different cases. Such practical guidance could also include guidance on contractual measures that can be used to reduce the risk of re-identification, as well as examples of when effective controls reduce residual identifiability to a sufficiently low level.
While the decision provides some important clarifications, it also emphasises the need for guidance from the authorities. Personally, I would very much like a clarification of whether they consider that it "only" applies to independent data controllers. And let's not forget that the EDPB supported the EDPS in his interpretation of the regulations. I am not entirely unfamiliar with the possibility that we may receive such guidance that will "pull down" the significance of the judgement.
It will also be interesting to see whether the decision will make it easier to share pseudonymised data between data controllers and recipients of data, or whether the clarifications will lead to such major practical consequences related to assessments and documentation that the practical consequences will limit the potential benefits of the clarifications.