The Court of Justice of the European Union (CJEU), in its ruling of 4 September 2025, Case C‑413/23 P "EDPS v SRB", delivered a significant clarification on the status of pseudonymised data.
For the first time, the Court stated in unambiguous terms that pseudonymised data may be regarded as non-personal data from the recipient’s perspective, provided that effective technical and organisational measures prevent access to the identifying information and that the recipient neither has nor lawfully obtains the means to re-identify the individuals, nor shares the data with someone who can.
This explicit recognition that the recipient’s perspective matters marks an important development in EU data protection law, departing from the long-assumed “absolute” approach to personal data.
To help Data Protection Officers, compliance teams, and legal professionals apply this decision in practice, we’ve prepared a clear and actionable operational checklist.
Factual background
The case arose from the resolution of Banco Popular Español in June 2017, when the Single Resolution Board (SRB) adopted a preliminary decision on possible compensation for shareholders and creditors.
To gather input, the SRB allowed affected parties to submit comments and later transferred some of those comments, in pseudonymised form, to Deloitte, which had been tasked with assessing the effects of the resolution. Several shareholders and creditors complained to the European Data Protection Supervisor (EDPS), arguing that they had not been informed of this data transfer.
The EDPS ruled that Deloitte was indeed a recipient of personal data and that the SRB had failed to meet its transparency obligations under Regulation 2018/1725 ("EUI"). The SRB challenged this before the General Court, which partially annulled the EDPS’s decision.
Legal issue
The CJEU had to address a central question: should pseudonymised data transmitted by a controller be considered personal data for the recipient?
Until now, the EDPS and the EDPB had supported an “absolute” approach: pseudonymised data should always be regarded as personal data.
Key takeaways from the decision:
- Reminder on the scope of the GDPR: The GDPR does not apply to anonymised data. Where a third party can no longer reasonably identify a person, GDPR obligations no longer apply.
- Opinions as personal data: The Court confirmed that opinions, comments, or views can constitute personal data if linked to an identifiable person (building on Nowak, CRIF, OLAF cases). This is not novelty, but a reinforcement of existing case law.
- Recognition of the contextual nature: the concept of “personal data” is relative. Identifiability depends on the means reasonably available to the recipient. As such, pseudonymised data may, in certain cases, be equivalent to anonymised data for a third party who cannot reasonably re-identify individuals.
- For the controller (SRB): Pseudonymised data was still personal data since SRB retained the identifying information.
- For the recipient (Deloitte): The same data could be anonymous if Deloitte had no means, legal or practical, to re-identify individuals.
CJEU: “Pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.” (paragraph 86)
- Protection level concern: EDPS argued broad interpretation was needed to maintain strong protection. The CJEU countered: protections only make sense where identification is possible; obligations cannot be imposed on entities unable to identify individuals.
- Information obligation: Under Art. 13 GDPR (Art. 15 EUI GDPR), information obligations apply at the moment of data collection. SRB should have informed data subjects of potential recipients (Deloitte), even if the transferred data later became anonymous for Deloitte. This obligation is assessed from the controller’s perspective (SRB), not the recipient’s.
Practical impact: a more nuanced approach
- Organizations are required to assess identifiability based on the means that are realistically available, rather than on a purely theoretical or absolute basis.
- For controllers: GDPR obligations continue to apply in full. Even if data later becomes pseudonymized and potentially non-identifiable for a third party, the information obligation remains due, at the point of collection.
- For third-party recipients: where the CJEU’s conditions are met, the data may fall outside the scope of the GDPR.
It becomes strategically important to strengthen the separation of keys and to document risk assessments, ensuring defensible practices in the event of an audit.
Controllers and recipients must document their assessment justifying why data should be considered personal or anonymous in a given context (accountability).
- Doctrinal shift: the decision signals a departure from the strict position advocated by the EDPB, paving the way for a more pragmatic and nuanced interpretation of pseudonymized data under EU law.