On 4 September 2025, the Court of Justice of the European Union (CJEU) handed down its judgment in EDPS v Single Resolution Board (C-413/23 P). The ruling addresses a fundamental question in EU data protection law: when pseudonymised information qualifies as personal data, and for whom.
This decision provides important clarification on the scope of EU data protection law, particularly in situations where personal identifiers are replaced with codes and only the controller retains the re-identification key.
Background
The case arose from the activities of the Single Resolution Board (SRB), which had collected comments from shareholders and creditors affected by a resolution measure. To protect identities, the SRB replaced names with random codes. Only SRB itself could link those codes back to real individuals.
The accounting firm Deloitte, acting as a processor, received the comments solely in pseudonymised form, without any access to the key.
The European Data Protection Supervisor (EDPS) took the view that the transfer to Deloitte still involved personal data and should have been disclosed to data subjects in line with transparency obligations. The General Court disagreed, finding that the data did not qualify as personal in Deloitte’s hands. The EDPS appealed to the CJEU.
The CJEU’s Reasoning
- Pseudonymisation may render data non-personal for recipients
The CJEU confirmed that pseudonymisation can, under certain circumstances, mean that data are no longer personal for parties other than the controller. As the CJEU stated:
“Pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data (…), in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable” (para. 86).
In short, it depends. Pseudonymised data may be personal in some contexts and effectively anonymous in others. This turns on the concrete circumstances of processing and the position of the actor holding the data.
- For the controller, pseudonymised data remain personal
The CJEU underlined that the SRB itself did have the key to link the comments back to individuals. As long as it can re-identify the individuals, the data remains subject to the full scope of EU data protection law. Controllers therefore cannot rely on pseudonymisation to escape GDPR obligations.
By contrast, Deloitte had no such means. The CJEU emphasised:
“Second, those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable” (para. 76).
This makes clear that the analysis is not limited to the absence of the key: what matters is whether the recipient can re-identify by any reasonably available means.
- Identifiability is contextual and relative
Building on Breyer (C-582/14) and subsequent case-law, the CJEU reiterated that identifiability depends on whether “means reasonably likely to be used” are available to the specific actor holding the data. In the case at hand:
- For the recipient of the data, without access to the key and with no realistic means of re-identification, pseudonymised data may not qualify as personal data.
- For the controller (SRB), with the key in hand, the data clearly remains personal.
The ruling therefore embraces an actor-specific understanding of personal data: the same dataset may be personal for one party but not for another.
Why This Judgment Matters
This ruling provides a balanced and nuanced interpretation of pseudonymisation within EU data protection law. Its importance lies in the very definition of the scope of personal data: if information qualifies as personal, the GDPR and its full set of obligations apply; if it does not (for example, if it is truly anonymised), the Regulation does not apply at all.
- For controllers: Pseudonymised data remains personal data as long as they retain re-identification means.
- For recipients: Under strict conditions, pseudonymised data may fall outside the scope of EU data protection law if they cannot reasonably re-identify individuals.
The CJEU therefore rejected the EDPS’s “one-size-fits-all” position and instead confirmed a contextual, proportionate approach.
The ruling in EDPS v SRB marks a significant refinement in EU data protection law, striking a proportionate balance between individual protection and operational reality.
Most importantly, the judgment shows that the qualification of data as personal or not requires a practical, case-by-case assessment. It depends on the actor, the information available, and the realistic means of re-identification.
For organisations, this means the application of pseudonymisation is never automatic. Always involve your data protection officer or privacy consultant when evaluating whether data qualify as personal or not, and when determining the corresponding obligations under the GDPR. Getting this wrong has direct consequences for compliance, transparency, and risk management.