Definition of personal data clarified in data transfers using pseudonyms by court ruling

The judgment emphasizes the significance of the recipient's viewpoint when it is impossible to connect pseudonymized data to specific individuals.

Pseudonymized data transfer guidelines issued by the court for personal details
The Court of Justice of the European Union (CJEU) recently set aside a General Court judgment, ruling on September 4, 2025, in the case EDPS v SRB (Case C-413/23 P). This ruling addresses fundamental questions about how the General Data Protection Regulation (GDPR) applies when different parties have varying capabilities to identify individuals from the same dataset.

The dispute originated from the resolution of Banco Popular Español on June 7, 2017. The Single Resolution Board (SRB), a European Union institution, organized a consultation procedure allowing affected shareholders and creditors to submit written comments on a preliminary decision. The SRB transferred some comments to Deloitte, an auditing company, for an independent valuation of the resolution’s effects.

Five stakeholders complained to the European Data Protection Supervisor (EDPS) because the SRB's privacy statement failed to mention Deloitte as a recipient of their data. The EDPS found that the comments sent to Deloitte were not "personal data" for Deloitte based on the recipient's inability to identify individuals from the pseudonymized information. However, the General Court annulled the EDPS decision in April 2023, stating that the comments were not personal data for Deloitte.

The CJEU's ruling, however, clarified that the General Court erred in law by requiring the EDPS to examine the content, purpose, or effects of the comments to conclude that they related to identifiable persons. The judgment establishes that personal opinions inherently relate to their authors without requiring additional analysis.

The court emphasized that data subjects must be regarded as identifiable if it cannot be ruled out that third parties have means reasonably allowing them to attribute pseudonymized data to the data subject. Effective pseudonymization for recipients requires that they cannot lift the measures during any processing and that the measures prevent the recipient from attributing comments to the data subject, so that the person is not or is no longer identifiable.

The ruling reinforces the importance of implementing robust technical measures throughout data processing operations. It also establishes a framework where data classification can vary based on actual technical capabilities rather than theoretical possibilities. This decision applies across the European Union and affects data protection obligations for organizations transferring personal data to third parties, particularly in financial services and professional consulting contexts.

Information transparency obligations remain with controllers. Organizations must continue disclosing all potential recipients when collecting personal data, even if technical measures later prevent those recipients from identifying individuals. This ruling underscores the importance of clear and transparent communication to data subjects about how their personal data will be used and shared.

Deloitte, the recipient of the pseudonymized data in the legal dispute with the European Data Protection Supervisor, is a data processor acting on behalf of the Single Resolution Board. The court's ruling emphasizes that data subjects must be treated as identifiable if there is a possibility that third parties could attribute pseudonymized data to the data subject, regardless of the recipient's ability to do so.

The comments were pseudonymized with unique alphanumeric identifiers, and only the SRB could link comments to identities. The court's judgment applies across the European Union and affects data protection obligations for organizations transferring personal data to third parties, particularly in financial services and professional consulting contexts.

In conclusion, the CJEU's ruling provides clarity on how GDPR applies to data transfers to third parties and emphasizes the importance of effective pseudonymization, robust technical measures, and clear communication with data subjects. Organizations must ensure that their data protection practices reflect the actual technical capabilities of potential recipients, rather than theoretical possibilities, to ensure compliance with GDPR.