When Pseudonymised Data May Not Be “Personal”: Key Takeaways from EDPS v SRB

Dec 1, 2025

The EDPS v SRB judgment confirms what many privacy professionals have long argued: pseudonymised data is not inherently personal data in every context.

In September 2025, the Court of Justice of the European Union (CJEU) delivered a closely watched judgment in EDPS v Single Resolution Board (Case C‑413/23 P), offering long‑awaited clarification on how EU data protection law applies to pseudonymised data shared with third parties.

Among the ruling’s most consequential points is the Court’s recognition that pseudonymised data held by a recipient who lacks access to the re‑identification key—and has no reasonable means to re‑identify individuals—may not qualify as “personal data” in that recipient’s hands.

For organizations that routinely share data with vendors, consultants, and research partners, this judgment provides important nuance—but not a free pass.


Background: How the Case Reached the CJEU

The case arose from the resolution of Banco Popular Español, where the Single Resolution Board (SRB) collected comments from affected shareholders and creditors. Those comments were later shared with Deloitte to support valuation work—but only after being pseudonymised. Each submission was tagged with a random code, and only the SRB retained the “code list” that could link submissions back to individuals.

Several complainants argued that this data transfer should have been disclosed under EU transparency obligations. The European Data Protection Supervisor (EDPS) agreed, treating Deloitte as a recipient of personal data. The General Court disagreed, and the dispute ultimately reached the CJEU.

The Court’s Core Finding: Personal Data Is Contextual

The CJEU rejected the idea that pseudonymised data is automatically personal data for all parties. Instead, the Court emphasized that identifiability must be assessed from the perspective of the specific actor processing the data.

Crucially, the Court held that pseudonymised data may cease to be personal data for a recipient if that recipient:

  • Does not have access to the re‑identification key

  • And does not have “reasonable means” to re‑identify individuals, including by combining the data with other information

In Deloitte’s case, the Court noted that the firm received only coded submissions, had no legal or technical ability to access the code list, and could not realistically identify the individuals behind the data. Under those circumstances, the information may fall outside the definition of personal data for Deloitte.


What This Does Not Mean

The ruling is careful—and often misunderstood.

First, the Court reaffirmed that the same dataset can be personal data for one party and not for another. For the SRB, which retained the key and could re‑identify individuals, the data remained fully within the scope of EU data protection law.

Second, the judgment does not suggest that pseudonymisation alone converts personal data into anonymous data in all cases. The Court stressed that everything depends on actual, practical re‑identification risk, not theoretical possibilities or labels.

Third, the ruling does not erase transparency obligations at the point of data collection. The Court made clear that information duties must be assessed from the controller’s perspective when the data is collected, even if later transfers involve data that may no longer be personal for the recipient.


Why This Matters for Organizations

For privacy teams, especially those working with research data, analytics providers, or external advisors, the decision provides a more realistic and operationally grounded approach to pseudonymisation.

Key implications include:

  • Recipient-specific analysis matters: Whether data is “personal” depends on who holds it and what they can realistically do with it.

  • Strong separation controls are critical: Legal, contractual, and technical measures preventing access to re‑identification keys are central to reducing identifiability risk.

  • Documentation becomes essential: Organizations should be able to demonstrate why a recipient lacks reasonable means of re‑identification.

At the same time, controllers cannot rely on pseudonymisation to “offload” GDPR or EU DPR obligations. If you hold the key, the data remains personal for you—full stop.


Practical Takeaways

Organizations that share pseudonymised data with third parties should consider:

  • Clear key‑segregation practices: Ensure re‑identification keys are never shared and are protected by both technical and organizational measures.

  • Recipient risk assessments: Evaluate whether recipients could realistically re‑identify individuals using other data sources.

  • Contractual safeguards: Explicitly prohibit re‑identification attempts and access to auxiliary data.

  • Transparency at collection: Inform individuals about downstream processing, even where recipients may not ultimately process “personal data” in a strict sense.


Conclusion

The EDPS v SRB judgment confirms what many privacy professionals have long argued: pseudonymised data is not inherently personal data in every context. Where a recipient lacks access to the code list and has no reasonable means of re‑identification, EU data protection law may not apply to that recipient’s processing. At the same time, the ruling reinforces that pseudonymisation is a risk‑reduction technique, not a compliance shortcut. Controllers remain fully accountable for how data is collected, disclosed, and safeguarded—especially when they retain the means to re‑identify individuals.

