It’s All Relative When it Comes to Pseudonymised Data: A Brief Analysis of the SRB v. EDPS Decision
According to the EU Court of Justice, the question of whether pseudonymised data is personal data is all relative.

On September 4, 2025, hot on the heels of the Latombe adequacy decision we discussed in our last bulletin, the EU Court of Justice dropped another bombshell in its EDPS vs. SRB judgment (C-413/23 P). Namely, the appellate court dug into the thorny question of whether pseudonymised data is always personal data under the data protection laws.
In its ruling, the Court stressed that “identifiability” – a highly contextual concept – was the key criterion for designating information as ‘personal data.’
However, the Court challenged the General Court on whether opinions can be considered personal data (they can), and said that the General Court was wrong to judge identifiability solely from the perspective of the data recipient, when meeting transparency obligations to data subjects. Rather, identifiability must be assessed in context, from the POV of both the controller and the recipient, at the time the data is collected.
A Resolution Process That Left the Question of Personal Data Unresolved
This case arose from the resolution and eventual restructuring of Banco Popular Español S.A. in 2017. As part of a two-phase “right to be heard” process, the Single Resolution Board (SRB), the EU’s central resolution authority for banks, solicited opinions from affected shareholders and creditors who might be entitled to compensation. During this period, affected parties first registered with the SRB, providing personal data in the process. Separately, some registrants were asked to provide comments and opinions on the SRB’s proposed resolution and compensation scheme. The SRB then separated these comments from the registration data and pseudonymised them by assigning a unique 33-digit code to each.
After compiling the data, the SRB shared the comments (without the registration data) with its consulting partner Deloitte for further analysis, but failed to note in its privacy notice that Deloitte would be a recipient of this pseudonymised data. After the European Data Protection Supervisor (EDPS) received complaints from five shareholders, it initiated an investigation, later concluding that the SRB had violated Article 15(1)(d) of Regulation 2018/1725 – the GDPR for European Union Institutions (GDPR for EUIs) – by failing to inform data subjects of Deloitte’s involvement. The SRB then brought an action seeking annulment of the EDPS decision on the grounds that the comments data transmitted to Deloitte was not personal data under the GDPR for EUIs in this specific case, along with a declaration that the EDPS’ initial decision was illegal.
On April 26, 2023, the General Court agreed that the pseudonymised comments transmitted to Deloitte were not personal data, as Deloitte had no meaningful way of matching or identifying comments to individual stakeholders, and the EDPS had not examined the “content, purpose or effect” of transmitting the data to Deloitte in this case. Thus, the EDPS failed to properly analyze whether the data “related to” identifiable persons. The EDPS decision was annulled, and the EDPS appealed.
When is Pseudonymised Data No Longer Personal Data?
On appeal, the CJEU noted that this analysis would apply not just to the GDPR for EUIs, but also to the GDPR. First, the Court agreed with the EDPS that the comments, which expressed personal opinions and views, are inherently personal data (under Article 3(1) of the GDPR for EUIs), because they reflect the author's thinking. To that end, there was no reason for the EDPS to separately assess the “content, purpose or effect” when data are clearly personal opinions.
The CJEU also noted that Article 15(1) notice obligations must be assessed prospectively, i.e., “at the time of data collection,” from the controller's perspective. The notice obligations – which are designed to provide data subjects with adequate knowledge of how their data will be used and who will receive it – cannot be based on whether all recipients might be able to identify data subjects down the line.
However, just because the opinions remained personal data from the standpoint of the controller (e.g., the SRB), it was not the case that they remained personal data in other contexts, or for all other recipients. Technical and organisational measures such as pseudonymisation can render otherwise personal data incapable of being used to identify a natural person. Accordingly, the factfinder must assess whether the recipient can reasonably identify data subjects given available means, in the context of the technical measures used by the controller. Those means also must be practicable for the recipient to use.
In other words: the theoretical possibility of reidentification by the recipient is not enough.
In so holding, the Court set aside the earlier judgment, referring the case back for further examination of the issues, and held that notwithstanding the specific analysis, the SRB violated its information disclosure obligations under Article 15(1).
What This Decision Tells Us: It’s All Relative
This ruling matters because it clarifies an important and sometimes confusing aspect of data protection law: namely, the status of pseudonymised data as personal data.
Rather than making an all-or-nothing is/is not distinction, the Court emphasizes the importance of contextuality. It’s not enough to say that a controller’s attempt to pseudonymise data effectively de-scopes that data from the EU data protection laws. Similarly, it would, as the Advocate General’s opinion noted earlier, “deprive of any practical effect” the validity of pseudonymising data as a technical measure if such data “were to be regarded as constituting, in all cases and for every person, personal data” under the law.
Importantly, the risk must be a real risk, not merely a theoretical one, and the ability or ‘means reasonably likely’ to re-identify data must be considered, both with respect to the controller’s access and that of the recipients. Thus, like so many things in life and physics, it’s all relative.