Can pseudonymisation make data anonymous? New court ruling in EU.
Introduction
When it comes to personal data, EU data protection requirements and GDPR compliance, many organizations struggle with the same questions:
what is personal data?
is pseudonymised data still identifiable?
how to transfer data in a compliant manner?
how to comply with GDPR in data sharing?
can we share pseudonymized data in research?
The recent ruling of the Court of Justice of the EU (“Court”) clarifies the interpretation of personal data under General Data Protection Regulation (GDPR). Below is a summary of the key aspects of the judgement (EDPS v SRB C-413/23 P) and practical considerations for companies, universities and research organizations.
The Court confirmed that pseudonymisation may, in certain cases, effectively anonymise data for the recipient, provided re-identification is not reasonably likely. The ruling may have major implications in the scientific and clinical research setting, especially regarding sharing pseudonymised (key-coded) data in medical research.
2. Pseudonymised data is not always personal data
The key takeaway of the judgement is that pseudonymized data does not always constitute personal data to the recipient. One of the key questions was if pseudonymised personal data shared with a consulting firm was personal data upon receipt. In this case the court determined that:
“pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data -- in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.”
In practise, this means that the pseudonymised data may not be personal data, if the recipient does not have the reasonably likely means to identify the persons. The risk of identification should be insignificant (identification prohibited by law or impossible in practise, for example because of it would involve a disproportionate effort in terms of time, cost and labour).
However, the court emphasized that a case-by-case analysis must be taken to assess if the data is identifiable to the third party. In other words, simply pseudonymising data does not mean it is automatically anonymized data.
3. Controller is subject to transparency obligations
Another important point of the judgement is that, even if the pseudonymised data is not personal data for the recipient the controller is still liable for informing the subjects of disclosures. The transparency obligation was applicable “prior to the transfer of the data at issue and irrespective of whether or not those data were personal data”, from the third party recipient’s point of view, after any potential pseudonymization.
In other words, the controller remains liable for informing the subjects of the recipients that their data may be shared with or disclosed to. The controller’s obligation is to provide information at the time when such data are collected. The obligation applies “prior to the transfer of the data at issue and irrespective of whether or not those data were personal data” from the third party recipient’s point of view. In practice, this means that privacy notices should cover all foreseeable disclosures, even if the data is anonymous from the recipient’s perspective.
The Court also clarified the interpretation of personal opinions as personal data. The court found that personal opinions and views are, as an expression of a person’s thinking, necessarily closely linked to that person. Therefore, personal opinions will “relate to” the person expressing that opinion. In practice, this means that comments including personal opinions are likely to be personal data, at least for the controller.
4. Practical takeaways
For researchers, data controllers, and public institutions, this ruling sharpens the boundaries of pseudonymisation in practice.
In practise, the ruling means that:
pseudonymisation can make data anonymous (to the recipient);
opinions and feedback from study subjects and stakeholders often consitute personal data;
privacy notices must include all foreseeable data recipients at the time of the collection - not only those handling identifiable datasets.
It should be noted that:
Identifiability of personal data must be assessed on a case-by-case basis, and preferably documented
Controller must ensure that privacy notice includes all foreseeable data disclosures (even if the data is anonymous to the recipient, it is not anonymous to the controller (i.e. provider).
Last reviewed: 02 December 2025
This article is part of Regulyn’s Knowledge Centre and is reviewed for legal accuracy, clarity and current regulatory alignment before publication.
Author
Katri Harjuveteläinen, LL.M., CIPP/E, CIPM, FIP
Legal Counsel specialising in AI compliance, research regulation, data protection and complex agreements.
For further information on data protection and research compliance, or to discuss how pseudonymisation and transparency obligations apply to your organisation, please contact Regulyn directly.