When is pseudonymized data still personal data?

Transferring data after identifying characteristics such as a name have been removed is an everyday practice. But when is this "pseudonymized" information still considered personal data under the General Data Protection Regulation (GDPR)? In a judgment of 4 September 2025 (C-413/23 P), the European Court of Justice clarified this issue. The conclusion is nuanced: although data may be anonymous to the recipient, the original party collecting the data (the controller) remains bound by the transparency obligation and must inform the data subject about the transfer.

The facts: the case of EDPS v. SRB

The case revolved around the resolution of Spanish bank Banco Popular. The European Single Resolution Board (SRB), the central resolution authority within the banking union, collected comments from shareholders and creditors in this context. To have these comments analyzed, the SRB forwarded them to the consultant Deloitte.

Crucially, the SRB had pseudonymized the data: the names of the individuals were replaced by a unique alphanumeric code. Only the SRB possessed the key to re-link this code to a specific person. Deloitte was thus unable to identify the authors. Some shareholders filed a complaint about this with the European Data Protection Supervisor (EDPS), the European privacy regulator. Their argument: they were never informed that their comments would be shared with a third party such as Deloitte.

The EDPS vindicated the complainants and ruled that the SRB had violated its duty to provide information. However, the EU General Court overturned this decision, after which the case came before the Court of Justice.

The decision of the Court of Justice

The ECJ overturned the General Court's ruling and largely found in favor of the EDPS, albeit based on very nuanced reasoning. The judgment falls into three key points:

A personal opinion is personal data: The Court states unequivocally that personal opinions or views, as expressions of a person's thoughts, are inseparable from that person. An analysis of content, purpose or effect is not necessary to conclude that such information "relates to" a natural person.
The term "personal data" is relative: The Court confirms that pseudonymized data should not be considered personal data in all cases and for everyone. Whether data are identifiable depends on the context and the resources available to a party. Thus, it is perfectly possible that data for the recipient (Deloitte) is not personal data, because it does not have the means to identify those involved, while the same data remains personal data for the sender (SRB).
The duty to disclose is assessed from the point of view of the controller: This is the crux of the judgment. The obligation to inform a data subject (including about the recipients of his data) arises at the time of data collection. To assess whether this duty has been met, one must place oneself in the perspective of the data controller (the SRB) at that time. Since the SRB could trace the data back to the individuals, they were personal data for the SRB. Thus, the SRB should have informed the data subjects of the potential transfer to Deloitte, regardless of whether or not the data were identifiable to Deloitte.

Legal analysis and interpretation

This ruling brings clarity to a long-running debate involving two opposing views of the concept of personal data: the absolute and the relative approach. According to the absolute view, data remain personal data as long as re-identification is theoretically possible, regardless of who holds the data. In contrast, the relative or contextual approach holds that qualification depends on the specific party holding the data and their reasonable ability to identify the person.

In this judgment, the Court of Justice unequivocally opts for the relative or contextual approach, which was already initiated in the Breyer-ruling. Data are not personal data in the abstract; their qualification depends on whether a specific party (the holder or recipient) has means by which they can reasonably be expected to identify a person. The Court clearly states that "...pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data ...". The Court thus goes directly against this, which is a major victory for data-driven sectors such as scientific research and AI development

At the same time, the Court places a fundamental caveat here. The principles of transparency and accountability of the original data controller weigh more heavily at the time of data collection. The obligation under Article 15 of Regulation 2018/1725 (the equivalent of Articles 13 and 14 GDPR) is precisely to enable the data subject to make an informed decision on whether or not to provide his data. The Court therefore held that identifiability for this particular obligation must be assessed from the point of view of the controller at the time of collection.

Thus, the Court's reasoning is twofold: the concept is relative, but the obligations of the controller are not. The controller cannot hide behind the technical measures of pseudonymization to circumvent its own basic transparency obligations.

What this specifically means

For the controller (your organization):
- Transparency is crucial: Even if you pseudonymize data for transfer, you must inform data subjects (customers, employees, etc.) from the outset about the categories of recipients with whom the data may be shared. Your data protection statement should explicitly state this.
- You remain responsible: The fact that the recipient cannot trace the data does not relieve you of your duties under the GDPR for the data that you keep yourself. For you, it remains personal data.
For the recipient of the data (e.g., a consultant, researcher):
- Analyze your position: If you receive pseudonymized data and you have no contractually and technically reasonable ability to identify the individuals, you may not be processing personal data.
- Avoid re-identification: You must make every effort to avoid re-identification. Combining the received data set with other information you have at your disposal may still make the data personal data to you.
For the data subject (the citizen):
- Enhanced right to information: This ruling confirms your right to know in advance who will potentially receive your data, even if your name is removed. An organization may not simply pass on your opinions or feedback without informing you.

FAQ (frequently asked questions)

What is the difference between pseudonymization and anonymization?
Pseudonymization replaces identifiable data with a pseudonym (e.g., a code). Re-identification remains possible with additional information (the "key"). Anonymization involves processing the data in such a way that the person is irrevocably no longer identifiable. Anonymous data falls outside the GDPR, pseudonymized data in principle does not.

Is a personal opinion always personal data?
Yes. The Court of Justice confirms that an opinion or point of view is inseparable from the person expressing it. Once the author of the opinion is identifiable (even if only to the party collecting the opinion), the opinion itself is considered personal data.

Can I pass on pseudonymized data now?
Yes, but you have to do this in a transparent way. The crux of the ruling is not that the transfer is prohibited, but that the SRB should have informed data subjects about it in advance in its data protection statement. So make sure your data protection policy clearly states the types of third parties to which you can transfer data (even pseudonymized).

Does it matter if the recipient of the data is a "processor"?
Yes, that is an essential distinction that this ruling leaves open. The ruling concerned a recipient who was considered a separate "data controller. If the recipient is a 'processor' acting purely on the instructions of the controller, it is generally considered to be the controller's extension. In that case, the data remain within the control of the controller and are treated as personal data throughout the chain.

Conclusion

The EDPS v. SRB ruling brings much-needed nuance to the debate on pseudonymization. It affirms the contextual nature of the concept of personal data, which leaves room for innovation and data sharing. At the same time, it draws a clear red line: the fundamental duty of transparency of the data controller is absolute and cannot be eroded by technical artifice. For organizations, the message is clear: be clear from the start about what you do with data, even if you later pass it on pseudonymized.

Are you facing a complex data protection or data transfer case? Our attorneys specializing in privacy and data protection law are ready to analyze your case. Feel free to contact us for an initial consultation.

Contact

Recent posts

Phishing via Facebook Marketplace and Payconiq: should the bank refund your stolen money?

Is compensation automatically due after a conviction by the European Commission for a cartel violation?

May a seizure regarding counterfeiting continue after patent expiration?

Phishing and bank fraud: when should the bank refund your stolen money?

When is a failed investment actionable scam?

Can you continue to use a trademark for a plant variety after a license expires?

Press freedom vs. reputational damage: How far may investigative journalism go on sensitive social issues?

Topics

Topics

ICT Legal Guide

Contact details

Where to find us

Disclaimers

When is pseudonymized data still personal data?

The facts: the case of EDPS v. SRB

The decision of the Court of Justice

Legal analysis and interpretation

What this specifically means

FAQ (frequently asked questions)

Conclusion

Joris Deene

You might also like this

Contact

Recent posts

Topics

Topics

ICT Legal Guide

Contact details

Where to find us

Disclaimers