Pseudonymised Data: CJEU provides clarification on the concept of Personal Data

On 4 September 2025, the Court of Justice of the European Union (CJEU) provided its judgment in Case C-413/23 P. The judgment provided clarification on the scope of personal data under the GDPR, particularly in the context of pseudonymised data disclosed to third parties. 

The case arose from a dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB) following the SRB’s transfer of pseudonymised stakeholder and creditor comments to Deloitte without informing the individuals concerned. The EDPS determined that this was a breach of the SRB’s transparency obligations despite the pseudonymisation of the personal data.

This article analyses the key legal findings of the CJEU, namely:

• Personal opinions are personal data. The CJEU confirmed that personal opinions, by their nature, “necessarily relate” to the individuals who express them. Therefore, such opinions constitute personal data under the GDPR.
• Pseudonymised data is not always personal data. The CJEU clarified that pseudonymised data does not automatically qualify as personal data, but is dependant on whether the recipient has reasonable means to re-identify the data subject. If re-identification is not possible or the risk is insignificant, the data may fall outside the scope of personal data for that recipient.
• Controllers must assess identifiability at the point of data collection and are responsible for informing data subjects, regardless of any subsequent pseudonymisation. The CJEU emphasised that the obligation to inform data subjects under the GDPR applies at the time of data collection.

Background

Following the decision to place Banco Popular Español SA under resolution in 2017, the SRB tasked Deloitte with assessing whether the former shareholders and creditors would have received better treatment if the bank had entered into normal insolvency proceedings and were therefore entitled to compensation. 

As part of this assessment, the SRB collected comments from affected individuals via a personalised online form and shared pseudonymised responses to Deloitte. Each comment was assigned a unique alphanumeric code which only SRB could link to individuals.

In late 2019, the affected individuals submitted five complaints to the EDPS, arguing that they had not been informed that their data would be transferred to Deloitte. The EDPS found that Deloitte was a recipient of personal data and that the SRB had breached its obligation under the GDPR to inform data subjects of the possibility of disclosure within its privacy statement. 

The General Court partially annulled the EDPS’s decision and upheld the SRB’s argument that Deloitte would not have been able to identify the affected individuals, meaning that the information transferred was not personal data and that the SRB did not need to state that information could be disclosed to Deloitte in its privacy notice. This prompted an appeal to the CJEU, who overturned the General Court’s decision. 

Key Findings of the CJEU

1. Nature of Personal Opinions as Personal Data

The CJEU drew on its earlier case of Nowak in which it concluded that information relates to an identified or identifiable person where it is linked to an identifiable person by its content, purpose or effect.

In this case though, the CJEU held that the General Court erred in requiring the EDPS to examine the content, purpose, or effects of the comments to determine whether they “related” to the individuals who submitted them. According to the CJEU, this was because:

“That assessment by the General Court’s interpretation misconstrues the particular nature of personal opinions or views which, as an expression of a person’s thinking, are necessarily closely linked to that person.” [paragraph 58]

This reinforces the principle that personal opinions, even when pseudonymised, may still constitute personal data due to their inherent link to the individual. As in Nowak where an examiner’s comments on written answers were found to relate to the examiner as their author, it was clear that the comments transferred to Deloitte expressed the personal opinions and views of the stakeholders and therefore “related” to them.

2. Pseudonymised Data Is Not Always Personal Data

The CJEU confirmed that pseudonymised data does not automatically qualify as personal data for all parties:

“Pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725...” [paragraph 86]

It was concluded that data would not be considered personal in circumstances where pseudonymisation prevents persons other than the original controller from identifying the data subject. While the data in question would be considered personal in relation to SRB (the controller), the pseudonymisation may remove the personal element from Deloitte’s perspective. Using existing case law and the “means reasonably likely to be used test”, the CJEU set out that the existence of additional information allowing the data subject to be identified does not constitute personal data where it is “not reasonably likely to be used” i.e. identification of the data subject is prohibited by law or impossible in practice.

This aligns with the recitals of the GDPR, which states that pseudonymised data may still be considered personal data if it can be attributed to a natural person using additional information. The CJEU reiterated that identifiability must be assessed in context, considering whether the recipient has access to the means of re-identification. 

3. Obligation to Inform Data Subjects of Data Disclosures

The CJEU affirmed that the controller must inform data subjects about the processing and potential transfer of their data, even if the data is pseudonymised before transfer; which could be (and is most commonly) included in an organisation’s privacy notice. 

Additionally, the General Court was found to have erred in requiring the EDPS to assess identifiability from Deloitte’s perspective when evaluating the SRB’s compliance with its information obligations. The CJEU clarified that the assessment of whether data is personal must be made from the perspective of the controller at the time of collection, not the third-party recipient. This is significant in that it places the burden of compliance with information obligations on the controller, regardless of whether the data remains identifiable to the third party after pseudonymisation.

Key Takeaways 

Whilst this decision concerns the GDPR, its alignment with the UK GDPR means that CJEU judgments carry persuasive weight and are likely to influence UK courts and the ICO.

We set out some key takeaways below:

1. Pseudonymisation is not a silver bullet: Businesses should not assume that pseudonymised data falls outside the scope of data protection law. Pseudonymised data may still be personal data if the individual is identifiable in context.
2. Information obligations remain robust: Data controllers must inform data subjects about the processing and transfer of their data, even if pseudonymised. This includes identifying third-party recipients. Privacy notices should be updated where necessary in light of upcoming projects.
3. Assess identifiability from the controller’s perspective: When evaluating whether data is personal, the relevant viewpoint is that of the controller at the time of collection, not the recipient post-transfer.
4. Review data sharing practices: Organisations should audit their data sharing arrangements to ensure that pseudonymisation techniques are effective and that information obligations are met.
5. Legal risk in outsourcing: When engaging third-party processors, organisations must ensure that data protection obligations are clearly defined and that pseudonymisation does not obscure the need for compliance.

If you have any questions or would otherwise like to discuss any of the issues raised in this article, please contact Martin Cook, Amanda Leiu, or another member of our Commercial & Technology team. 

This article was written by Fraser Campbell, Victoria McCarron and Amanda Leiu.