CJEU Refines Scope of ‘Personal Data’ in Pseudonymization Process for EU Institutions

Blank Rome LLP

On September 4, 2025, the Court of Justice of the European Union (“CJEU”) delivered a significant judgment addressing the interpretation of “personal data” and “pseudonymization” under EU data protection rules, as well as the notification obligations of EU institutions in processing personal data. The case, EDPS v. SRB C-413/23 P, arose from an appeal by the European Data Protection Supervisor (“EDPS”) against a General Court decision that had annulled the EDPS’ findings of data protection infringement by the Single Resolution Board (“SRB”).

The dispute originated from the SRB’s implementation of a resolution scheme for Banco Popular Español, S.A. Following the resolution, during a consultation phase, the SRB solicited comments from its shareholders and creditors. Certain comments were pseudonymized using a unique alphanumeric code and could only be linked to a natural person using a database that the SRB alone had access to. These comments were then transferred to Deloitte, a third-party independent valuer, without notice to the relevant shareholders and creditors, for assessment. However, Deloitte was never given access to the database capable of linking the comments to the corresponding individual.

Several complainants alleged that the SRB had failed to inform them, as required by EU data protection laws (e.g., the EU General Data Protection Regulation (“GDPR”)), that their data would be disclosed to Deloitte. The EDPS found that this failure to provide notice was a violation of EU data protection laws and recommended improvements, but the General Court annulled this decision, holding that the information transmitted to Deloitte did not constitute personal data because proper measures were taken to pseudonymize it.

Primary legal issues resolved by the CJEU’s judgment include:

  1. Whether the pseudonymized comments transmitted to Deloitte constituted “personal data” under EU data protection laws, like the GDPR[1].
  2. Whether the SRB was obligated to inform data subjects of Deloitte as a recipient of their personal data at the time of collection, pursuant to the GDPR.

DEFINITIONS

Personal data is interpreted broadly and is defined under the GDPR as any information relating to an identified or identifiable natural person. This requires the information to, by reason of its content, purpose, or effect, be linked to an identifiable person. In this case, the CJEU held that this definition includes subjective information, such as opinions or views, which, as an expression of a person’s thinking, are necessarily closely linked to that person. 

Pseudonymized data under the GDPR is defined as personal data that can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure the personal data is not attributed to an identified or identifiable natural person. The CJEU held that pseudonymized data may still constitute personal data, depending on whether the protection measures put in place prevent the data subject from being identified.

IDENTIFIABILITY AND THE CONTROLLER’S PERSPECTIVE

The CJEU clarified how to determine whether a data subject is identifiable from pseudonymized data, and thus whether that data is regulated as personal data:

  • All the means reasonably likely to be used by the controller of the data or another person to identify the person, directly or indirectly. This includes consideration of all objective factors, such as costs, time required for identification, available technology, and technological developments.
  • The assessment of identifiability must be made from the perspective of the controller at the time of data collection, not from the recipient’s perspective after pseudonymization. If a third party, such as an external consultant (in the case of SRB), receives the data but lacks any reasonable means to re-identify individuals, for that recipient, the information may not be considered personal data.
  • Identifiability is not established where the risk of identification appears in reality to be insignificant, as identification of the data subject is prohibited by law or impossible in practice due to a disproportionate effort in time, cost, and labor.

OBLIGATION TO INFORM DATA SUBJECTS

The CJEU emphasized the importance of transparency and fair processing, holding that:

  • Controllers are obligated to inform data subjects of potential recipients, including third parties, at the time of collection.
  • This information must be provided in a concise, transparent, comprehensible, and easily accessible form, and formulated in clear and plain language to enable the data subject to fully understand the information.
  • Where data is collected based on the data subject’s consent, the consent is valid only if the information was provided in light of all circumstances surrounding the data processing, including subsequent disclosure to third parties.
  • This obligation is intrinsic to the relationship between the controller and the data subject and is not affected by subsequent pseudonymization or the recipient’s ability to identify the data subject.

COURT’S HOLDINGS

The CJEU set aside the General Court’s judgment, finding that:

  • The General Court erred in requiring the EDPS to examine the content, purpose, and effect of each comment to determine if it related to a natural person, given that the comments were expressions of personal opinion inherently linked to their authors.
  • The comments transmitted to Deloitte constituted “personal data,” as it could not be ruled out that Deloitte has means reasonably allowing it to attribute the pseudonymized data to the data subject, such as cross-checking with other data at its disposal. In such circumstances, pseudonymized data should be considered to be personal in nature.
  • The SRB was obligated to inform data subjects of third parties who may become recipients of their personal data at the time of collection, such as Deloitte.

KEY TAKEAWAYS

This judgment provides several key takeaways for EU institutions and other controllers subject to the GDPR:

  • Pseudonymization does not, in itself, remove data from the scope of “personal data” if the controller or other parties can use reasonable means to identify the data subject.
  • Even if a third party receiving pseudonymized data cannot realistically identify the data subject, the obligation to inform data subjects of the potential sharing of pseudonymized data still remains.
  • Transparency and comprehensive privacy notices are essential, particularly in processes which will distribute data to third parties.
  • Individual opinions reflecting the author’s views are personal data.

The CJEU’s decision underscores the broad scope of “personal data” and the robust notification obligations imposed on controllers subject to EU data protection laws. Pseudonymization, while a valuable risk mitigation tool, does not absolve controllers of their duties to inform data subjects of possible sharing of pseudonymized data with third parties at the point of data collection. Such controllers should ensure that privacy statements and data processing notices are comprehensive and up to date, reflecting all phases of data processing and all potential data recipients.


[1] More specifically, the definition in Article 3(1) of Regulation 2018/1725, which is essentially identical to that in Article 4(1) of the GDPR.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
