In Short
The Background: The Single Resolution Board ("SRB") transferred pseudonymized comments from data subjects to Deloitte without informing them. The European Data Protection Supervisor ("EDPS") found a violation of information duties applicable when processing personal data. The General Court partially annulled the EDPS decision.
The Result: The Court of Justice of the European Union ("CJEU") overturned the annulment. It ruled that personal opinions necessarily relate to individuals, that pseudonymized data transferred to recipients is not always personal data from the recipients' perspective, and that information obligations apply at the point of data collection.
Looking Ahead: The ruling clarifies the relative nature of personal data under the GDPR and when data may be considered anonymized and therefore outside of the scope of the GDPR.
Clarification of Concept of Personal Data
On September 4, 2025, the CJEU delivered a landmark judgment in the case EDPS v SRB
(C-413/23 P), clarifying the concept of personal data under the GDPR in the context of the transfer of pseudonymized data to third parties.
Following the resolution of Banco Popular Español, the SRB adopted a preliminary decision regarding compensation for former shareholders and creditors without initially hearing them. Subsequently, the SRB gathered comments from affected parties, pseudonymized them and transferred these pseudonymized comments to Deloitte, tasked with valuing the resolution's effects. Shareholders and creditors filed complaints with the EDPS, alleging SRB had failed to inform them of such data transfers. The EDPS found Deloitte, as recipient of the pseudonymized data, to be a recipient of personal data and ruled that SRB violated its information obligations under the GDPR. The General Court annulled this EDPS decision in part. The EDPS appealed.
The Court's Reasoning
The CJEU overturned the General Court's partial annulment and referred the case back, setting out important legal clarifications:
- Personal opinions necessarily relate to individuals: Personal opinions are inherently linked to their authors and therefore necessarily relate to individuals. As such, and without further analysis of content, purpose, or effect of such data, they constitute personal data if the related individuals can be identified.
- Pseudonymization and identifiability:Pseudonymized data is not automatically personal data for every actor who processes such data. The CJEU underscores that identifiability of the individuals to whom the information relates requires a fact-specific, contextual assessment considering all means reasonably likely to be used for the identification of the individuals, reinforcing a dynamic and relative approach of the concept of personal data rather than an absolute one.
- Timing and perspective of informing data subjects: The obligation to inform data subjects arises at the point of data collection and must be assessed from the controller's (here SRB's) perspective, independent of any subsequent data transfer or data processing by third parties such as Deloitte. Thus, the SRB's duty to inform existed before transferring pseudonymized data to Deloitte and remains unaffected by whether that data constitutes personal data from Deloitte's viewpoint as recipient of the data.
- Pseudonymization as a risk mitigation, not a blanket exemption:Pseudonymization was recognized as an important method to reduce identification risks but does not in all cases suffice to exclude data from being personal data, depending on context and recipient capabilities.
This judgment refines the understanding of personal data, pseudonymization, and anonymization under EU data protection law. Companies must carefully assess whether transferred pseudonymized data remains personal data to third parties, with significant consequences for compliance duties including transparency and data subject rights. Importantly, controllers must maintain robust information provision at the time of data collection, irrespective of subsequent data processing stages.
The judgment is a vital reference for legal and compliance teams navigating nuanced data classification challenges, underpinning strategic data governance and risk management frameworks in the EU's evolving regulatory landscape.
Four Key Takeaways
- While pseudonymization reduces risk, it does not absolve controllers from GDPR obligations where the original controller (or another party) can still re-identify data subjects.
- Businesses relying on pseudonymization should document why downstream recipients cannot reasonably re-identify individuals and reassess that position whenever technology, data sets, or contractual terms change.
- Controllers must describe foreseeable onward disclosures at the point of data collection, irrespective of any subsequent pseudonymization.
- Employee surveys, customer feedback, whistle-blower reports, and similar materials that record personal viewpoints are per se personal data.
