CJEU Judgment in EDPS v Single Resolution Board (C-413/23 P) – Pseudonymised Data Are Not Always “Personal Data”
What changes for businesses, organisations and professionals handling data in the EU
A Landmark Ruling in the Data Era
The Court of Justice of the European Union (CJEU) has issued a landmark judgment that redefines what constitutes “personal data” under the GDPR.
Specifically, the Court held that pseudonymised data are not automatically personal data for every recipient; it depends on whether the recipient can realistically re-identify the individuals concerned.
This development is highly significant for companies, organisations, and service providers that process data for analytics, artificial intelligence, commercial assessment, or service optimisation purposes.
Case Background
The case arose in the context of the 2017 resolution of Banco Popular Español.
The Single Resolution Board (SRB), an EU authority, invited shareholders and creditors to submit comments. The responses were pseudonymised — names were removed and replaced with random codes — and then transmitted to an external consultancy.
Some participants complained that they had not been informed of this disclosure, claiming a breach of transparency obligations.
The European Data Protection Supervisor (EDPS) found the SRB responsible, but the General Court annulled that decision, considering the data to have become anonymous. The matter reached the CJEU, which has now issued its final ruling.
Key Points of the CJEU Judgment
a. Contextual Assessment
The Court held that whether data qualify as personal data must be assessed in context.
If the recipient does not realistically have the means to identify the individuals (for instance, lacks access to supplementary information or is legally prohibited from obtaining it), then the data are not personal data for that recipient.
b. Perspective of the Recipient
The assessment must be made from the recipient’s standpoint, not that of the original controller.
If the recipient, due to technical or legal constraints, cannot re-identify individuals, the GDPR does not apply to that specific processing.
c. No “Blank Cheque”
The Court emphasised that this is not a general exemption.
If the recipient has or could obtain the means to re-identify the persons, the data remain personal and fall under the GDPR.
d. Transparency Obligations
The original controller (such as the SRB) remains obliged to inform data subjects of any disclosure, even where the data have been pseudonymised.
e. Documentation and Review
Organisations must document the measures preventing re-identification and periodically review their effectiveness, particularly when technologies or datasets evolve.
Implications for Businesses and Organisations
The ruling creates significant flexibility in the use of data:
- Analytics and AI: Enables the use of pseudonymised data for AI model training or data analysis, provided re-identification is not realistically possible.
- Reduced Regulatory Burden: Organisations may reduce compliance obligations where non-identifiability criteria are met.
- Need for Due Diligence: Each dataset must be assessed on a case-by-case basis to determine whether it still qualifies as personal data.
- Contractual Clauses: Data-sharing agreements should be reviewed to reflect the CJEU’s new interpretative approach.
Practical Steps for Compliance and Utilisation
- Re-examine data-sharing practices that rely on pseudonymisation.
- Record the technical and organisational measures preventing re-identification.
- Update GDPR policies and contracts to incorporate the Court’s approach.
- Strengthen transparency towards data subjects.
- Monitor future guidance from supervisory authorities on the implementation of the judgment.
Conclusion – Towards a More Realistic GDPR Framework
The CJEU’s judgment brings a balanced approach between privacy protection and innovation.
For businesses, it means that pseudonymisation — when properly implemented and documented — can serve as a lawful and secure tool for data analysis, technological development, and commercial growth.
Accurate legal guidance remains essential, ensuring that organisations seize these new opportunities without crossing the boundaries of the GDPR.