On September 4, 2025, the Court of Justice issued an important ruling clarifying the concept of pseudonymization and when pseudonymized data can no longer be considered personal data.[1] In addition, the Court of Justice also provided clarity on the information obligation that applies to the controller.
Distinction between pseudonymization and anonymization
It is important to emphasize the difference between pseudonymized and anonymized data. Pseudonymization and anonymization are techniques that affect the traceability of personal data. In practice, the distinction between pseudonymized and anonymized data is relevant because anonymized data falls outside the scope of the GDPR, while pseudonymized data may fall under the GDPR, but not always as the Court clarifies in this ruling. This ruling clarified when pseudonymization may be qualified as anonymization.
Legal question
In short, the legal question in the judgment was when pseudonymized data qualifies as personal data.[2]
Facts
The ruling concerned a decision by the Single Resolution Board (European authority for the resolution of banks) on whether it was necessary to compensate former shareholders of a Spanish bank. The Single Resolution Board had asked stakeholder to complete a questionnaire and submit comments for its investigation into compensation. The Single Resolution Board pseudonymized the submissions by removing the names of the people concerned and replacing them with alphanumeric codes (randomly generated codes). Several interested parties lodged complaints, claiming that they had not been informed that the data would be forwarded to specific third parties.
Ruling
In this judgment, the Court of Justice clarifies that pseudonymized data is not always personal data by definition. The Court rules that pseudonymized data is only personal data for a specific recipient of that data if the recipient has access to means that can reasonably be expected to be used to identify the data subject.[3]
This means that the same data may be classified as personal data for one recipient, in which case the GDPR applies, but not for another recipient of the same data. The Court clarifies that pseudonymized data is therefore not always personal data by definition, but that the qualification depends on the specific circumstances of the recipients.[4]
This judgment makes it clear that technical measures taken by a controller with regard to personal data for pseudonymization are relevant and influence the assessing whether personal data is involved. If sufficient technical measures have been taken to make it impossible for a recipient to reverse the pseudonymization, this data is not considered personal data. This means that the GDPR does not apply to the relationship between the controller and the respective recipient.
Information obligation
It is important to note that the Court clarified that even if data has been pseudonymized before being disclosed to third parties, the original controller must still comply with the GDPR and inform data subjects about the disclosure to third parties.[5]
The application of the information obligation, under which the controller must inform the data subject about the use of the data and the recipients, must be assessed at the time the data is collected and from the perspective of the controller.
This means that the information obligation is part of the legal relationship between the data subject and the controller, and that this obligation must in principle be fulfilled at the time the personal data is collected, regardless of whether this data later is not considered to be personal data for the recipients.[6]
Disclaimer
Please note
that this is only a general summary of the judgment of the Court of Justice and
that the only exceptions to the main rules have been omitted. If you have any
further specific questions, please feel free to contact Roeland de Bruin
[1] Court of Justice, September 4, 2025 ECLI:EU:C:2025:59 C-413/23 P EDPS v SRB.
[2] It is important to briefly mention that this did not concern the GDPR, but another regulation, namely Regulation (EU) 2018/1725, but that the definition in this regulation is identical to the definition in the GDPR and is important for its interpretation.
[3]
[4] Court of Justice, 4 September 2025 ECLI:EU:C:2025:59 C-413/23 P EDPS v SRBpara. 86.
[5] Court of Justice, 4 September 2025 ECLI:EU:C:2025:59 C-413/23 P EDPS v SRBparagraphs 112-116 and 120.
[6] Court of Justice, 4 September 2025 ECLI:EU:C:2025:59 C-413/23 P EDPS v SRBparagraphs 112-116.
Do you have any questions?
Please contact us
Please contact us