[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59571":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":15,"featured":4,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":67,"imageUrl":68,"imageThumbUrls":69,"id":77},false,"The **Court of Justice of the European Union (CJEU)**, [in its ruling of 4 September 2025, Case C‑413/23 P \"**EDPS v SRB\"**, ](https://curia.europa.eu/juris/document/document.jsf?text=&docid=303863&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=17376403)delivered a significant clarification on the status of pseudonymised data. For the first time, the Court stated in unambiguous terms that **pseudonymised data may be regarded as non-personal data from the recipient’s perspective**, provided that effective technical and organisational measures prevent access to the identifying information and that the recipient neither has nor lawfully obtains the means to re-identify the individuals, nor shares the data with someone who can.\r\n\r\nThis explicit recognition that **the recipient’s perspective matters** marks an important development in EU data protection law, departing from the long-assumed “absolute” approach to personal data.\r\n\r\n> To help Data Protection Officers, compliance teams, and legal professionals apply this decision in practice, we’ve prepared a **clear and actionable operational checklist**.\r\n>\r\n> {% button href=\"https://www.dastra.eu/en/article/operational-checklist-pseudonymised-data-under-gdpr/59575\" text=\"Download our checklist now\" target=\"\\_blank\" role=\"button\" class=\"btn btn-primary\" %}\r\n\r\n**Factual background**\r\n\r\nThe case arose from the resolution of **Banco Popular Español** in June 2017, when the **Single Resolution Board (SRB)** adopted a 
preliminary decision on possible compensation for shareholders and creditors.\r\n\r\nTo gather input, the SRB allowed affected parties to submit comments and later transferred some of those comments, in **pseudonymised form**, to **Deloitte**, which had been tasked with assessing the effects of the resolution. Several shareholders and creditors complained to the **European Data Protection Supervisor (EDPS)**, arguing that they had not been informed of this data transfer.\r\n\r\nThe EDPS ruled that Deloitte was indeed a **recipient of personal data** and that the SRB had **failed to meet its transparency obligations** under Regulation 2018/1725 (\"EUI\"). The SRB challenged this before the **General Court**, which partially annulled the EDPS’s decision.\r\n\r\n**Legal issue**\r\n\r\nThe CJEU had to address a central question: should pseudonymised data transmitted by a controller be considered personal data for the recipient?\r\n\r\nUntil now, the EDPS and the EDPB had supported an “**absolute**” approach: pseudonymised data should always be regarded as personal data.\r\n\r\n**Key takeaways from the decision:**\r\n\r\n- **Reminder on the scope of the GDPR**: The GDPR does not apply to anonymised data. Where a third party can no longer reasonably identify a person, GDPR obligations no longer apply.\r\n- **Opinions as personal data:** The Court confirmed that opinions, comments, or views can constitute personal data if linked to an identifiable person (building on Nowak, CRIF, OLAF cases). This is not a novelty, but a reinforcement of existing case law.\r\n- **Recognition of the contextual nature:** the concept of “personal data” is relative. Identifiability depends on the means reasonably available to the recipient. 
As such, pseudonymised data may, in certain cases, be equivalent to anonymised data for a third party who cannot reasonably re-identify individuals.\r\n  - For the controller (SRB): Pseudonymised data was still personal data since SRB retained the identifying information.\r\n  - For the recipient (Deloitte): The same data could be anonymous if Deloitte had no means, legal or practical, to re-identify individuals.\r\n\r\n> **CJEU**: *“Pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.” (paragraph 86)*\r\n\r\n- **Protection level concern:** EDPS argued broad interpretation was needed to maintain strong protection. The CJEU countered: protections only make sense where identification is possible; obligations cannot be imposed on entities unable to identify individuals.\r\n- **Information obligation:** Under Art. 13 GDPR (Art. 15 EUI GDPR), information obligations apply at the moment of data collection. SRB should have informed data subjects of potential recipients (Deloitte), even if the transferred data later became anonymous for Deloitte. **This obligation is assessed from the controller’s perspective (SRB), not the recipient’s.**\r\n\r\n**Practical impact: a more nuanced approach**\r\n\r\n- Organizations are required to assess identifiability based on the means that are realistically available, rather than on a purely theoretical or absolute basis.\r\n  - For controllers: GDPR obligations continue to apply in full. 
Even if data later becomes pseudonymized and potentially non-identifiable for a third party, the information obligation remains due, at the point of collection.\r\n  - For third-party recipients: where the CJEU’s conditions are met, the data may fall outside the scope of the GDPR.\r\n\r\n> It becomes strategically important to strengthen the separation of keys and to document risk assessments, ensuring defensible practices in the event of an audit.\r\n>\r\n> Controllers and recipients must document their assessment justifying why data should be considered personal or anonymous in a given context (accountability).\r\n\r\n- **Doctrinal shift:** the decision signals a departure from the strict position advocated by the EDPB, paving the way for a more pragmatic and nuanced interpretation of pseudonymized data under EU law.","\u003Cp>The \u003Cstrong>Court of Justice of the European Union (CJEU)\u003C/strong>, \u003Ca href=\"https://curia.europa.eu/juris/document/document.jsf?text=&amp;docid=303863&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=17376403\" rel=\"nofollow\">in its ruling of 4 September 2025, Case C‑413/23 P \"\u003Cstrong>EDPS v SRB\"\u003C/strong>, \u003C/a>delivered a significant clarification on the status of pseudonymised data. 
\u003Cbr />\r\n\u003Cbr />\r\nFor the first time, the Court stated in unambiguous terms that \u003Cstrong>pseudonymised data may be regarded as non-personal data from the recipient’s perspective\u003C/strong>, provided that effective technical and organisational measures prevent access to the identifying information and that the recipient neither has nor lawfully obtains the means to re-identify the individuals, nor shares the data with someone who can.\u003C/p>\r\n\u003Cp>This explicit recognition that \u003Cstrong>the recipient’s perspective matters\u003C/strong> marks an important development in EU data protection law, departing from the long-assumed “absolute” approach to personal data.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>To help Data Protection Officers, compliance teams, and legal professionals apply this decision in practice, we’ve prepared a \u003Cstrong>clear and actionable operational checklist\u003C/strong>.\u003C/p>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca href=\"https://www.dastra.eu/en/article/operational-checklist-pseudonymised-data-under-gdpr/59575\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\">Download our checklist now\u003C/a>\u003C/div>\r\n\u003C/blockquote>\r\n\u003Cp>\u003Cstrong>Factual background\u003C/strong>\u003C/p>\r\n\u003Cp>The case arose from the resolution of \u003Cstrong>Banco Popular Español\u003C/strong> in June 2017, when the \u003Cstrong>Single Resolution Board (SRB)\u003C/strong> adopted a preliminary decision on possible compensation for shareholders and creditors.\u003C/p>\r\n\u003Cp>To gather input, the SRB allowed affected parties to submit comments and later transferred some of those comments, in \u003Cstrong>pseudonymised form\u003C/strong>, to \u003Cstrong>Deloitte\u003C/strong>, which had been tasked with assessing the effects of the resolution. 
Several shareholders and creditors complained to the \u003Cstrong>European Data Protection Supervisor (EDPS)\u003C/strong>, arguing that they had not been informed of this data transfer.\u003C/p>\r\n\u003Cp>The EDPS ruled that Deloitte was indeed a \u003Cstrong>recipient of personal data\u003C/strong> and that the SRB had \u003Cstrong>failed to meet its transparency obligations\u003C/strong> under Regulation 2018/1725 (\"EUI\"). The SRB challenged this before the \u003Cstrong>General Court\u003C/strong>, which partially annulled the EDPS’s decision.\u003C/p>\r\n\u003Cp>\u003Cstrong>Legal issue\u003C/strong>\u003C/p>\r\n\u003Cp>The CJEU had to address a central question: should pseudonymised data transmitted by a controller be considered personal data for the recipient?\u003C/p>\r\n\u003Cp>Until now, the EDPS and the EDPB had supported an “\u003Cstrong>absolute\u003C/strong>” approach: pseudonymised data should always be regarded as personal data.\u003C/p>\r\n\u003Cp>\u003Cstrong>Key takeaways from the decision:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Reminder on the scope of the GDPR\u003C/strong>: The GDPR does not apply to anonymised data. Where a third party can no longer reasonably identify a person, GDPR obligations no longer apply.\u003C/li>\r\n\u003Cli>\u003Cstrong>Opinions as personal data:\u003C/strong> The Court confirmed that opinions, comments, or views can constitute personal data if linked to an identifiable person (building on Nowak, CRIF, OLAF cases). This is not a novelty, but a reinforcement of existing case law.\u003C/li>\r\n\u003Cli>\u003Cstrong>Recognition of the contextual nature:\u003C/strong> the concept of “personal data” is relative. Identifiability depends on the means reasonably available to the recipient. 
As such, pseudonymised data may, in certain cases, be equivalent to anonymised data for a third party who cannot reasonably re-identify individuals.\r\n\u003Cul>\r\n\u003Cli>For the controller (SRB): Pseudonymised data was still personal data since SRB retained the identifying information.\u003C/li>\r\n\u003Cli>For the recipient (Deloitte): The same data could be anonymous if Deloitte had no means, legal or practical, to re-identify individuals.\u003C/li>\r\n\u003C/ul>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>CJEU\u003C/strong>: \u003Cem>“Pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.” (paragraph 86)\u003C/em>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Protection level concern:\u003C/strong> EDPS argued broad interpretation was needed to maintain strong protection. The CJEU countered: protections only make sense where identification is possible; obligations cannot be imposed on entities unable to identify individuals.\u003C/li>\r\n\u003Cli>\u003Cstrong>Information obligation:\u003C/strong> Under Art. 13 GDPR (Art. 15 EUI GDPR), information obligations apply at the moment of data collection. SRB should have informed data subjects of potential recipients (Deloitte), even if the transferred data later became anonymous for Deloitte. \u003Cstrong>This obligation is assessed from the controller’s perspective (SRB), not the recipient’s.\u003C/strong>\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>\u003Cstrong>Practical impact: a more nuanced approach\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Organizations are required to assess identifiability based on the means that are realistically available, rather than on a purely theoretical or absolute basis.\r\n\u003Cul>\r\n\u003Cli>For controllers: GDPR obligations continue to apply in full. 
Even if data later becomes pseudonymized and potentially non-identifiable for a third party, the information obligation remains due, at the point of collection.\u003C/li>\r\n\u003Cli>For third-party recipients: where the CJEU’s conditions are met, the data may fall outside the scope of the GDPR.\u003C/li>\r\n\u003C/ul>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>It becomes strategically important to strengthen the separation of keys and to document risk assessments, ensuring defensible practices in the event of an audit.\u003C/p>\r\n\u003Cp>Controllers and recipients must document their assessment justifying why data should be considered personal or anonymous in a given context (accountability).\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Doctrinal shift:\u003C/strong> the decision signals a departure from the strict position advocated by the EDPB, paving the way for a more pragmatic and nuanced interpretation of pseudonymized data under EU law.\u003C/li>\r\n\u003C/ul>\r\n","CJEU: Are pseudonymised data always personal?","The Court ruled that pseudonymized data should not automatically be treated as personal if, in practice, the recipient cannot reasonably re-identify individuals.",820,5,0,null,"en","cjeu-are-pseudonymised-data-always-personal","The Court ruled that pseudonymized data should not automatically be treated as personal data if, in practice, the recipient cannot reasonably re-identify individuals.","Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2025-09-05T13:43:00","2025-09-05T13:43:40.8578456","2025-09-09T09:38:12.1436148",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the 
community","article","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42,47],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},{"id":48,"name":49,"description":50,"url":51,"color":52,"parentId":26,"count":12,"imageUrl":12,"parent":53,"order":10,"translations":58},69,"Expertise","Gain insights from our experts on GDPR compliance, data protection, and privacy challenges. In-depth articles, professional analysis, and real-world best practices.","indepth","#000000",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":54},[55,56,57],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[59,61,64],{"lang":33,"name":49,"description":60},"Bénéficiez des conseils de nos experts sur la conformité RGPD, la protection des données et les enjeux privacy. 
Articles de fond, analyses et retours d’expérience métier.",{"lang":39,"name":62,"description":63},"Fachwissen","Entdecken Sie die Artikel unserer DSGVO-Experten",{"lang":36,"name":65,"description":66},"Experiencia","Descubre los artículos de nuestros expertos en Privacy",[],"https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37-original.jpg",[70,71,72,73,74,75,76],"https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37-1000.webp","https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37.webp","https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37-1500.webp","https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37-800.webp","https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37-600.webp","https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37-300.webp","https://static.dastra.eu/content/7fff0bd1-3435-4779-b009-eaaa8b21dd9b/visuel-article-37-100.webp",59571]