{"id":4235,"date":"2025-11-11T11:57:04","date_gmt":"2025-11-11T08:57:04","guid":{"rendered":"https:\/\/pathlawfirm.gr\/en\/?p=4235"},"modified":"2025-11-11T11:57:43","modified_gmt":"2025-11-11T08:57:43","slug":"pseudonymised-data-gdpr","status":"publish","type":"post","link":"https:\/\/pathlawfirm.gr\/en\/pseudonymised-data-gdpr\/","title":{"rendered":"CJEU C-413\/23 P: Pseudonymised and Personal Data"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

CJEU Judgment in EDPS v Single Resolution Board (C-413\/23 P)<\/em> \u2013 Pseudonymised Data Are Not Always \u201cPersonal Data\u201d<\/h2>\n\n

What changes for businesses, organisations and professionals handling data in the EU<\/em><\/strong><\/p>\n\n

A Landmark Ruling in the Data Era<\/h3>\n\n

The Court of Justice of the European Union (CJEU) has issued a landmark judgment that redefines what constitutes \u201cpersonal data\u201d<\/em> under the GDPR.
Specifically, the Court held that pseudonymised data are not automatically personal data for every recipient<\/strong>; it depends on whether the recipient can realistically<\/em> re-identify the individuals concerned.<\/p>\n\n

This development is highly significant for companies, organisations, and service providers that process data for analytics, artificial intelligence, commercial assessment, or service optimisation purposes.<\/p>\n\n

Case Background<\/h3>\n\n

The case arose in the context of the 2017 resolution of Banco Popular Espa\u00f1ol<\/strong>.
The Single Resolution Board (SRB)<\/strong>, an EU authority, invited shareholders and creditors to submit comments. The responses were pseudonymised \u2014 names were removed and replaced with random codes \u2014 and then transmitted to an external consultancy.<\/p>\n\n

Some participants complained that they had not been informed of this disclosure, claiming a breach of transparency obligations.
The European Data Protection Supervisor (EDPS)<\/strong> found the SRB responsible, but the General Court<\/strong> annulled that decision, considering the data to have become anonymous. The matter reached the CJEU, which has now issued its final ruling.<\/p>\n\n

Key Points of the CJEU Judgment<\/h3>\n\n

a. Contextual Assessment<\/strong>
The Court held that whether data qualify as personal data<\/em> must be assessed in context<\/em>.
If the recipient does not realistically have the means to identify the individuals (for instance, lacks access to supplementary information or is legally prohibited from obtaining it), then the data are not personal data<\/strong> for that recipient<\/em>.<\/p>\n\n

b. Perspective of the Recipient<\/strong>
The assessment must be made from the recipient\u2019s standpoint<\/strong>, not that of the original controller.
If the recipient, due to technical or legal constraints, cannot re-identify individuals, the GDPR does not apply<\/strong> to that specific processing.<\/p>\n\n

c. No \u201cBlank Cheque\u201d<\/strong>
The Court emphasised that this is not<\/em> a general exemption.
If the recipient has<\/em> or could obtain<\/em> the means to re-identify the persons, the data remain personal and fall under the GDPR.<\/p>\n\n

d. Transparency Obligations<\/strong>
The original controller<\/strong> (such as the SRB) remains obliged to inform data subjects<\/strong> of any disclosure, even where the data have been pseudonymised.<\/p>\n\n

e. Documentation and Review<\/strong>
Organisations must document the measures preventing re-identification and periodically review<\/strong> their effectiveness, particularly when technologies or datasets evolve.<\/p>\n\n

Implications for Businesses and Organisations<\/h3>\n\n

The ruling creates significant flexibility<\/strong> in the use of data:<\/p>\n\n