On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered a ruling in EDPS v. SRB (Case C-413/23 P) that clarified how the EU General Data Protection Regulation (GDPR) applies to pseudonymised data. The ruling addressed both the definition of personal data in this context and the responsibility on controllers when transferring personal data to third parties.
The case, brought by the European Data Protection Supervisor (EDPS) against the Single Resolution Board (SRB), focused on three questions: whether pseudonymised personal opinions qualify as personal data, under what conditions pseudonymised information is treated as personal data, and what obligations controllers have regarding reidentification risks during data processing.
Background
The case originated from the SRB's resolution of Banco Popular Español, a Spanish bank, after which the SRB began a procedure to grant former shareholders and creditors an opportunity to express their opinions in relation to potential compensation via online forms.
During this process, the SRB collected comments from affected parties and engaged Deloitte to evaluate some of the submissions. The SRB transferred 1,104 forms of pseudonymised data to Deloitte. Each form was assigned a unique alphanumeric code and had all directly identifiable personal information removed. Crucially, only the SRB retained the "additional information" necessary to relink the codes to specific individuals.
The EDPS challenged an earlier decision of the EU General Court, which had overturned a 2020 finding that the SRB breached the GDPR.
The CJEU agreed with the EDPS that personal opinions expressed by individuals qualify as personal data and ruled that the General Court erred in not recognising the stakeholders' comments as such. The court also endorsed the EDPS's position that the risk of reidentification when processing or sharing personal data must be assessed on an individual basis. The CJEU found the General Court was wrong to overturn the EDPS's original decision, partly because it failed to examine whether the pseudonymised comments actually contained personal data.
At the same time, the CJEU sided with the SRB regarding the broader question of when pseudonymised data should be treated as personal data.
- Pseudonymised data: The court clarified that pseudonymised information should not automatically be considered personal data in all cases. The CJEU confirmed that, when the risk of a third-party recipient having "reasonable means" to reidentify pseudonymised data is insignificant, such data may fall outside the definition of personal data.
- Risk mitigation: Pseudonymisation is an important method to reduce identification risk, but it is not a blanket exemption. Individual analysis on a case-by-case basis is required to determine whether pseudonymised data can be linked back to individuals.
- Obligations on controllers: There is still an obligation on controllers to inform data subjects about the potential sharing of pseudonymised data with third parties even if the data is not personal data in the hands of the third-party recipient. This is because the same data may be considered non-personal from the recipient's perspective while remaining personal data for the controller.
Key Takeaways
Following this ruling, the key takeaways are:
- An individual's opinion qualifies as personal data. When organisations are determining whether certain pseudonymised data qualifies as personal data, they must include any individual opinions contained in the dataset in their review.
- When determining whether pseudonymised data qualifies as personal data once shared with a third-party recipient, controllers must conduct a comprehensive assessment that considers all relevant circumstances. This includes assessing the potential for reidentification by the recipient. Controllers should document this assessment, providing a clear analysis of why any further processing by the recipient is unlikely to lead to the reidentification of data subjects.
- A controller that discloses pseudonymised data remains responsible for transparency and must inform data subjects of any potential sharing, regardless of how the data is classified once received by the third party. While the GDPR does not apply to the recipient if the transferred information no longer qualifies as personal data, the recipient is nevertheless obliged to ensure no methods are used that could result in reidentifying the individuals concerned.
The European Data Protection Board (EDPB) is currently finalising guidelines on pseudonymisation. In a January 2025 draft, the EDPB stated pseudonymised data counts as personal data even if the recipient does not simultaneously have access to the additional information needed to reidentify data subjects. Given the recent CJEU ruling, the question is now whether the EDPB needs to revisit its position and revise its guidelines accordingly.
We would like to thank Geng To Law for their assistance with this alert.