On September 4, 2025, the Court of Justice of the European Union ("CJEU") delivered its judgment in European Data Protection Supervisor ("EDPS") v. Single Resolution Board ("SRB") (C-413/23 P).
The decision clarifies two questions: (i) when information "relates to an identified or identifiable natural person" for the purposes of Regulation (EU) 2018/1725 (the EU institutions' counterpart to the General Data Protection Regulation, "GDPR"), and (ii) how pseudonymisation affects that assessment. Because Regulation 2018/1725 and the GDPR share identical definitions of "personal data" and "pseudonymisation," the ruling carries direct interpretative weight for private-sector GDPR compliance.
The Court both broadened and refined the personal-data test, rejecting a categorical view that pseudonymised data always remain personal while emphasizing contextual, risk-based analysis.
Factual and Procedural Background
Following the 2017 resolution of an issue with Banco Popular Español SA, the SRB invited affected shareholders and creditors to submit comments in a two-phase "right to be heard" process. Phase 1 required participants to register and upload verifying identity documents; Phase 2 collected substantive comments on the SRB's preliminary decision and Deloitte's valuation ("Valuation 3") via an online form. Each comment received a randomly generated 33-character alphanumeric code. The SRB removed direct identifiers before transmitting 1,104 filtered comments plus the codes to Deloitte for evaluation. Deloitte never received the registration database linking codes to identities.
Several participants complained to the EDPS that they were not informed Deloitte would receive their data. The EDPS issued a reprimand, reasoning that (i) the comments, together with the alphanumeric codes, constituted "pseudonymised personal data," and (ii) Deloitte was a "recipient" not disclosed under Article 15(1)(d) of Regulation 2018/1725. The SRB sought judicial review. The General Court annulled the EDPS's decision, holding that the EDPS had not shown the comments related to "identifiable" persons from Deloitte's perspective. The EDPS appealed.
Holdings of the CJEU
The First Chamber set aside the General Court's judgment and referred the case back, after resolving two core legal issues:
a. Information "Relates to" a Natural Person
The Court confirmed that opinions, assessments, or statements inherently relate to their authors. Because the Phase 2 comments expressed the personal views of specific shareholders/creditors on compensation, the EDPS was entitled to treat them as information "relating to" natural persons without separately analyzing purpose or effect.
b. Identifiability and Pseudonymisation
Controller-Centric Test for Article 15 Transparency
For obligations triggered at the moment of collection (notably, Article 15 information duties), identifiability is assessed from the viewpoint of the controller collecting the data, not each eventual recipient. The SRB held the registration database and so could re-identify commenters; therefore, the SRB processed personal data and had to name Deloitte as a potential recipient.
Contextual Nature of Pseudonymisation
The Court rejected an absolutist stance that pseudonymised data invariably remain personal for all parties. Instead, pseudonymisation may, in specific circumstances, render the data non-personal for a party that lacks "means reasonably likely" to re-identify individuals, provided robust technical and organizational barriers exist. However, that possibility does not dilute the controller's own obligations if the controller itself can undo the pseudonymisation.
Risk-Based "Reasonably Likely Means" Standard
Echoing Recital 16 of the GDPR, identifiability turns on objective factors: cost, time, technology, and legal/contractual access to additional information. Even if identifiers reside with a third party, a data subject remains "identifiable" if the controller (or another party reasonably likely to receive the data) can lawfully and practically obtain those identifiers, as occurred where Deloitte worked under SRB mandate and contractual arrangements might allow information exchange.
Implications for GDPR Pseudonymisation
Although the judgment arises under Regulation 2018/1725, recital 5 thereof mandates homogeneous interpretation with the GDPR. As such, the takeaways under the Regulation mirror those which apply to the GDPR.
Pseudonymisation Is Not Anonymization
The Court affirms that pseudonymisation reduces but does not necessarily eliminate identifiability. Organisations may treat pseudonymised datasets as non-personal only when no actor in the processing chain has reasonably likely means to attribute the data to individuals. Controllers must resist sweeping assumptions that hashing, tokenisation, or code substitution automatically lifts datasets outside GDPR.
Controller Obligations Are Unaffected by Downstream De-identification
Under Articles 13–14 GDPR (mirroring Article 15 Regulation 2018/1725), the controller must disclose all intended recipients of personal data at collection, even if the dataset will later be pseudonymised before disclosure. This duty exists because the transparency objective is to empower data subjects' choice before processing.
Recipient-Focused Analysis Governs Secondary Processing
A recipient that receives genuinely pseudonymised data, lacking any reasonably obtainable key, may process outside the GDPR's personal-data regime. The Court implicitly leaves open that national supervisory authorities assessing the recipient's processing must examine technical and contractual measures, including evidence of data segregation, encryption key custody, and legal limitations on data sharing.
Risk-Based, Dynamic Assessment
Identifiability is not static. New technology, database consolidation, or changes in legal entitlements can convert non-personal data back into personal data. Organizations must, therefore, periodically review whether their pseudonymisation measures continue to suffice.
Impact on Data Transfer Strategies
The ruling affects Articles 26 and 28 GDPR (processor/controller) allocations. Where a controller transmits pseudonymised data and retains the "key," the recipient may be a separate controller or processor depending on contractual control. However, if the recipient can request the key or otherwise re-identify data subjects, joint controllership may arise, expanding accountability obligations.
Conclusion
EDPS v. SRB further refines EU data-protection doctrine on pseudonymisation. The judgment underscores that (i) personal opinions automatically "relate" to their authors, (ii) for transparency duties, identifiability is judged from the collector's viewpoint, and (iii) pseudonymisation's legal effect depends on practical, technical, and legal obstacles to re-identification. For GDPR compliance, the ruling cautions against overreliance on pseudonymisation as a silver bullet and reaffirms that controllers bear front-loaded obligations to inform data subjects about downstream disclosures, even where data will later be masked. Organizations should integrate dynamic, risk-based analysis into data-sharing architectures, ensuring pseudonymisation remains robust and that transparency remains comprehensive.