On 4 September 2025, the Court of Justice of the European Union ("CJEU") delivered a notable judgment on what is considered pseudonymised personal data under EU data protection law. While, technically speaking, the judgment concerns the interpretation of Regulation (EU) 2018/1725 (which governs the processing of personal data by the EU institutions and bodies), it fully applies to the interpretation of the concepts of personal data and pseudonymised data under Regulation (EU) 2016/679 ("GDPR").
This question is essential for many companies operating in the EU, and in particular Life Sciences companies handling key-coded or otherwise pseudonymised patients' personal data in the context of research and development, supply of healthcare products and related safety monitoring.
Key elements of the judgment
As a starting point, the CJEU stressed upon the fact that the concept of "personal data" is defined very broadly in EU law as "any information relating to an identified or identifiable natural person" which includes "all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it 'relates' to the data subject" [emphasis added].
As a next step, the CJEU found, however, that (i) pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data; and (ii) pseudonymisation may, depending on the circumstances and factual context, effectively prevent the recipients of the pseudonymised data from identifying the data subject in such a way that, for such recipients, the data subject is not or is no longer identifiable (and such data is no longer personal data for the recipients).
In this context, the CJEU highlights that the assessment of whether the data subject (e.g., patient) is identifiable based on the pseudonymised data depends, in essence, on the circumstances of the processing of the data in each individual case.
Practical implications for life sciences companies
The key point of the judgment is the rejection of a dogmatic approach that any pseudonymised data is personal data under the GDPR for any and all parties having access to such pseudonymised data irrespective of whether a recipient of the pseudonymised data is able to identify the data subjects based on the pseudonymised data alone or in combination with other available data.
In practice, this raises the question of whether key-coded clinical data and data contained in safety reports made available to Life Sciences companies would be considered personal data under the GDPR. The judgment does not address this specific issue but rather points to the general principle that the answer would depend on an assessment of the circumstances of the processing of the data in each individual case. In essence, the key criteria is whether the company would be able to identify the patient based on the pseudonymised data alone or in combination with other information available to the company. The answer may, therefore, vary widely between different scenarios.
It is worth noting that the Health Research Authority in the United Kingdom ("UK") already seems to be adopting a similar approach and seems to consider that key-coded patient and other healthcare data held by a recipient is not always personal data for such recipient (see for example HRA guidance here).
Next steps
Life Sciences companies should monitor closely the positions that would be eventually adopted by the national supervisory data protection authorities in the EU Member States, Ethics Committees and the European Data Protection Board following and in response to the judgment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
