ARTICLE
18 November 2025

EDPS v SRB: CJEU's Contextual Approach To Pseudonymised Data

Fieldfisher

Contributor


In the ever-evolving landscape of EU data protection law, the boundaries of what constitutes "personal data" and the practical implications of pseudonymisation have long been subjects of debate and uncertainty. The recent decision of the Court of Justice of the European Union ("CJEU") in Case C-413/23 P – EDPS v SRB aims to shed some light on these concepts.

Background: The SRB, Deloitte, and the Pseudonymised Dataset

The Single Resolution Board ("SRB"), an EU body tasked with managing the orderly resolution of failing banks, found itself at the heart of a data protection debate following the collapse of Banco Popular Español in 2017. In the aftermath, the SRB sought to determine whether former shareholders and creditors ("affected stakeholders") were entitled to compensation. As part of this process, stakeholders were invited to submit comments during a consultation phase. These comments were pseudonymised before being transmitted to Deloitte, which had been engaged to assess the effects of the resolution. Importantly, the SRB retained the re-identification key, ensuring that only it could link the pseudonyms back to real individuals.

Several stakeholders, concerned about the sharing of their comments with Deloitte, lodged complaints with the European Data Protection Supervisor ("EDPS"), the authority overseeing data protection compliance for EU institutions. The EDPS upheld the complaints, finding that the pseudonymised dataset remained "personal data" and that the SRB had breached its transparency obligations.

The Legal Journey: From General Court to CJEU

The SRB challenged the EDPS's decision before the General Court. The General Court partially annulled the EDPS's findings, holding that the concept of "identifiability" must be assessed from the recipient's perspective. In other words, Deloitte, as the recipient, did not have the realistic or lawful means to re-identify the affected stakeholders in the dataset. This approach echoed the CJEU's ruling in Breyer (C-582/14), which emphasised a relative, context-driven assessment of identifiability.

The EDPS appealed to the CJEU. In his February 2025 Opinion, the Advocate General ("AG") supported the recipient-focused approach but stressed that the SRB's transparency obligations towards data subjects persisted, regardless of Deloitte's inability to re-identify the individuals. On 4 September 2025, the CJEU delivered its decision.

Key questions

1. Are comments personal data?

The CJEU began by reaffirming the broad definition of "personal data" under EU law. Personal data encompasses any information relating to an identified or identifiable natural person, whether factual or opinion-based, and regardless of whether the link to the data subject arises from the content, purpose, or effect of the data.

In this case, the comments submitted by stakeholders were found to reflect their personal views and opinions. The CJEU held that such expressions are inherently tied to the individuals who make them and thus qualify as personal data. The decision makes clear that a deeper analysis of the purpose or effect of the comments is unnecessary, given that the comments were clearly personal in nature.

2. Pseudonymised data: always personal data?

The heart of the case lay in the qualification of pseudonymised data. Traditionally, data protection authorities have taken an absolute approach: if there is even a theoretical possibility that data could be linked to an identifiable person - by anyone, anywhere, using additional information held separately - it remains personal data. In other words, the mere existence of a re-identification key or supplementary data, regardless of how remote or unlikely its use may be, is sufficient for the data to fall within the scope of data protection law.

The EDPS argued that pseudonymised data, such as the comments sent to Deloitte, should always be considered personal data because they could be linked back to individuals using the re-identification key held by the SRB.

The AG, however, clarified that pseudonymisation is not a new category of personal data, but rather a safeguard that reduces the risk of re-identification. It does not eliminate the risk, nor does it render the data anonymous.

The CJEU adopted a nuanced, relative approach: pseudonymised data may be anonymous in the hands of a third party if that party lacks the means to re-identify individuals.

The CJEU explained that pseudonymisation presupposes the existence of additional information that could enable re-identification. The key question is whether the recipient (here, Deloitte) has realistic means to access that information and re-identify the data subjects.

3. The recipient's perspective: identifiability in context

The CJEU emphasised that identifiability must be assessed from the recipient's perspective. For Deloitte, the pseudonymised comments were not personal data if the technical and organisational measures in place prevented it from re-identifying individuals, even by cross-referencing with other data sources.

The Court set out two conditions:

  • Deloitte must not be in a position to lift the safeguards during any processing of the comments under its control.
  • The measures must effectively prevent Deloitte from attributing the comments to data subjects, including by recourse to other means of identification.

This approach ensures that the concept of personal data remains practical and context-sensitive, rather than absolute.

4. Transparency obligations: controllers vs. recipients

A further issue was whether transparency requirements apply when a controller shares a pseudonymised dataset that is anonymous in the hands of the recipient. The CJEU clarified that the recipient, for whom the data is not personal, is not required to provide information to data subjects. However, the controller (SRB) must still inform data subjects about the sharing of their data with third parties, regardless of whether the data remains personal in the recipient's hands.

Practical impact and key takeaways

  • Flexibility in data sharing: The decision provides much-needed clarity and flexibility for organisations sharing pseudonymised data with third parties. Pseudonymised datasets may be considered anonymous for the recipient, provided robust safeguards are in place and the recipient cannot realistically re-identify individuals.
  • Risk analysis and documentation: Each data sharing arrangement must be individually assessed and documented through a practical risk analysis. Organisations must evaluate whether there is a genuine risk of re-identification, considering all means reasonably likely to be used, including costs, time, and available technology.
  • Contractual safeguards: Organisations should implement contractual terms to restrict any re-identification efforts by recipients and to address potential risks. This is especially important if the sharing party relies on the assumption that the dataset is anonymous for the recipient.
  • Transparency remains paramount: Even if the recipient cannot re-identify individuals, the sharing organisation must comply with GDPR transparency requirements, informing data subjects about the sharing of their data with third parties.
  • Not a free pass: The decision does not provide a blanket exemption from EU data protection rules for pseudonymised data. The assessment is context-dependent, and organisations must remain vigilant (in the long run) in ensuring that safeguards are effective and that data subjects' rights are respected.

Conclusion: a pragmatic step forward

The CJEU's decision in EDPS v SRB confirms that identifiability must be assessed in context, not just in theory. Taking into consideration the findings of the CJEU's decision in EDPS v SRB, the EDPB will now likely move to finalise its Guidelines on pseudonymisation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
