CJEU Clarifies Concept of Personal Data for a Transfer of Pseudonymised Data to Third Parties

Steve Wood
A&O Shearman
Contact
LinkedIn
Facebook
X
Send
Embed

A&O Shearman

On September 4 2025, the Court of Justice of the EU (CJEU) delivered its judgment in the case C-413/23 P, EDPS v SRB. The CJEU clarified the scope of the concept of personal data in the context of a transfer of pseudonymised data to third parties. A&O Shearman published a blog about the General Court’s previous judgment that was then appealed to the CJEU.

The case relates to Regulation (EU) 2018/1725, which focuses on the processing of personal data of the European Institutions and is very closely modelled on the GDPR. The case has been closely followed by data protection practitioners because of the precedent it will also set for GDPR.

A brief recap

The EU Single Resolution Board (SRB) shared pseudonymised data with its contractor, Deloitte, but did not reference Deloitte as a recipient in its privacy notice. This led to complaints lodged with the SRB's supervisory authority, the European Data Protection Supervisor (EDPS), which found the SRB infringed its obligation to inform data subjects about the recipients of personal data.

The SRB appealed this decision to the European General Court, which found that the EDPS had not assessed from Deloitte's perspective if personal data had been received. The General Court annulled the EDPS's decision.

In this latest judgment, CJEU set aside the judgment of the General Court. However, the key elements of EDPS’s appeal did not succeed. The case must now be referred back to the General Court.

Key takeaways from the CJEU’s judgment

  • The CJEU found that the General Court erred in law when it held that the “EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte ‘related’, within the meaning of Regulation 2018/1725, to the persons who submitted those comments, should have examined the content, purpose or effects of those comments, whereas it was common ground that they expressed the personal opinion or point of view of their authors”.
  • The CJEU rejects the absolute position taken by EDPS (and the European Data Protection Board) that pseudonymised data must always be considered personal data, even when the person receiving has no realistic means to re-identify anyone. This confirmed the approach of the General Court.
  • The CJEU found that pseudonymised data is not personal data "in all cases and for every person". If a recipient does not have "access to the means reasonably likely to be used" to re-identify a data subject, then pseudonymisation may "effectively prevent" them "from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable". This the first time the CJEU has explicitly made this statement, whereas previously some had implied from the judgment in the case of Breyer under the forerunner to GDPR, Directive 95/46/EC.
  • The CJEU highlighted the limits of pseudonymisation: if a recipient of pseudonymised data disclosed it to someone else who is capable of reidentifying it, that can cause the data protection law to apply again.
  • Controllers will need to mention their disclosures of pseudonymised data to third parties in their privacy notices. The CJEU found that the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller.

Unanswered questions

CJEU does not address whether other GDPR requirements applicable to controllers, such as agreeing data processing agreements, would continue to apply when pseudonymised data are provided to a third party in whose possession that data will not be considered personal data. A processor that cannot identify individuals in the pseudonymised data that it processes on behalf of its controller will not be able to discharge some of its obligations under an article 28 data processing agreement, such as assisting the controller with data subject rights requests.

Other implications

The judgment will also need to be considered by the European Data Protection Board, as it had taken the position in line with EDPS’s appeal in various guidelines recently issued for consultation, most notably the guidelines on pseudonymisation. We now await the revised guidelines following the consultation and the outcome of the SRB case. Other national data protection authorities may also need to update guidance. The judgment may also have relevance for controllers who may be planning to share pseudonymised data in contexts such as AI model training.

The judgment is available here.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© A&O Shearman

Written by:

A&O Shearman
A&O Shearman
Contact
more
less

What do you want from legal thought leadership?

Please take our short survey – your perspective helps to shape how firms create relevant, useful content that addresses your needs:

A&O Shearman on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide