When Pseudonymized Data Becomes Anonymous: CJEU Clarifies a Key Concept

The Court of Justice of the European Union delivered a landmark judgment in September 2025 that fundamentally clarifies how pseudonymization affects data protection obligations.

The ruling in EDPS v SRB (C-413/23 P) addresses a question that compliance teams have wrestled with for years: when does pseudonymized data stop being personal data?

The Case: Banking Resolution and Data Sharing

The dispute arose from the 2017 resolution of Banco Popular Español. The Single Resolution Board (SRB) collected comments from affected shareholders and creditors through an online consultation process. Participants provided identity documents during registration, then submitted comments through a form that assigned each comment a unique code.

The SRB shared coded comments with Deloitte for valuation purposes—but not the registration data needed to identify the authors. The European Data Protection Supervisor found this violated transparency obligations. The SRB argued the comments were not personal data from Deloitte's perspective. The case reached the CJEU.

Three Key Rulings

1. Personal Opinions Are Personal Data

The Court ruled that personal opinions and views constitute personal data because "as an expression of a person's thinking, [they] are necessarily closely linked to that person." This applies regardless of whether the content explicitly identifies the author.

The Court emphasized that when information constitutes personal opinions, no additional examination of content, purpose, or effect is needed to establish that it "relates to" a natural person under Article 4(1) GDPR (and Article 3(1) of Regulation 2018/1725). The subjective nature of opinions creates an inherent link to their authors.

This builds on the Court's earlier ruling in Nowak (C-434/16), where examiner comments about a candidate's performance were held to constitute personal data both about the candidate and the examiner.

2. Pseudonymization Can Make Data Anonymous

The Court's most significant holding addresses pseudonymization directly. Pseudonymized data "must not be regarded as constituting, in all cases and for every person, personal data" when "pseudonymization may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."

This means the same dataset can be:

• Personal data for the controller (who retains the means to re-identify individuals)

• Anonymous data for recipients (who lack any reasonable means of identification)

The critical factors are whether the recipient has access to:

• The additional information needed for re-identification

• Legal means to obtain such information

• Practical ability to cross-reference with other data

The risk of identification must be "insignificant"—meaning identification is prohibited by law or impossible in practice because it would require disproportionate effort in terms of time, cost, and labor.

3. Controllers Must Disclose All Recipients When Collecting Data

The third ruling resolves the procedural question: when must the controller inform data subjects about recipients?

The Court held that the obligation under Article 15 to inform data subjects about recipients applies "prior to the transfer of the data at issue and irrespective of whether or not those data were personal data" from the recipient's perspective after pseudonymization. The assessment of whether data are personal must be made:

• At the time of collection (not transfer)

• From the controller's perspective (not the recipient's)

This timing matters because the information allows data subjects to "decide, in full knowledge of the facts, whether to provide or, on the contrary, refuse to provide the personal data being collected." The transparency obligation protects the relationship between the data subject and the controller - it cannot depend on what happens after data are transferred to third parties.

Put simply, this means that the controller must include all foreseeable disclosures into the privacy notice, regardless of whether the data is anonymous to the recipient or not.

Practical Implications

For Data Controllers Sharing Pseudonymized Data

• Controllers must document pseudonymization measures thoroughly, demonstrating that recipients cannot reasonably identify individuals through direct re-identification, legal channels, or cross-referencing.

• Privacy notices must include all foreseeable recipients at the point of collection. The test is whether the controller is sharing data that are personal data in the controller's hands, not whether recipients can identify individuals. The same pseudonymized dataset might be anonymous for one recipient but personal data for another, depending on what additional information each possesses.

• Practical example: Sponsors retaining the identification key continue processing personal data and cannot use pseudonymization to avoid GDPR compliance obligations.

For Data Recipients and Research Organizations

• Organizations receiving pseudonymized data should assess whether they have reasonable means of identification, including contractual rights to request identifying information, other data sources enabling cross-referencing, or technical capabilities to reverse pseudonymization.

• If identification remains possible, all GDPR obligations apply. For research collaborations, this ruling implies that sharing coded datasets can make data anonymous for recipients when the key remains exclusively with the original controller and no mechanism exists for re-identification.

• Practical example: A collaborating university receiving only effectively pseudonymized, aggregated data can process it as “just data” - not personal data.

Practical Recommendations

Organizations processing pseudonymized data should:

• Review and update privacy notices. Privacy notices provided at data collection should identify all entities that will receive personal data, regardless of pseudonymization. This is particularly important for research studies and clinical trials with extended timelines and multiple data recipients.

• Document pseudonymization measures. Organizations should create detailed records of technical measures preventing re-identification by recipients, organizational measures (contractual restrictions, access controls) and risk assessments of identification likelihood.

• Conduct recipient-specific assessments. When sharing pseudonymized data, organizations should evaluate each recipient's ability to identify individuals and document why data should be considered anonymous from that recipient's perspective.

• Train staff on the distinction. The ruling confirms that "personal data" is not a fixed characteristic of a dataset—it depends on who is processing the data and what means they have available. Teams need to understand when data transition from personal to anonymous.

• Consider contractual protections. When sharing pseudonymized data, contracts should explicitly prohibit recipients from attempting re-identification and from combining the data with other sources that could enable identification.

Conclusion

The EDPS v SRB judgment brings needed clarity to pseudonymization's role in data protection. Pseudonymization can make data anonymous, but only when technical and organizational measures effectively prevent identification by the recipient.

For controllers, this ruling emphasizes that transparency obligations attach at the point of collection and not at what happens after collection. For recipients, it confirms that careful assessment is needed before treating pseudonymized data as anonymous.

The practical effect is that pseudonymization becomes a more reliable privacy-enhancing technique when properly implemented, but controllers bear the burden of demonstrating that recipients genuinely cannot identify individuals.

This ruling brings new opportunities for data sharing but only if implemented properly.

Regulyn specializes in GDPR compliance and data protection governance - including review and structuring of data sharing agreements to align with current regulatory requirements. If you are evaluating your data sharing arrangements or pseudonymization practices, reach out to discuss your compliance approach.

Further Reading

For additional context on data protection and pseudonymization:

• CJEU Judgment: EDPS v SRB (C-413/23 P), 4 September 2025

• GDPR Article 4(5): Definition of pseudonymization

• Recital 26 GDPR: Principles of data protection and pseudonymization

This article is part of Regulyn's Knowledge Centre.

Note: This article reflects the CJEU's ruling in Case C-413/23 P, EDPS v SRB, judgment of 4 September 2025. Organizations should consult legal counsel regarding application to specific circumstances, particularly where national data protection authorities have issued additional guidance on pseudonymization.