a significant decision on data protection law<\/a> that will reshape how organisations approach pseudonymisation and information obligations under the European data protection framework (hereinafter the “Decision”).<\/p>\nIn Case C-413\/23 P (EDPS v SRB), delivered on 4 September 2025, the CJEU set aside a General Court judgment and established important principles for the concept of personal data and the role of pseudonymisation.<\/p>\n
The case arose from the 2017 resolution of Banco Popular Espa\u00f1ol, where affected shareholders and creditors participated in a “right to be heard” process. When the Single Resolution Board (SRB) shared pseudonymised comments from this process with external auditor Deloitte, data protection complaints emerged that ultimately reached the EU’s highest court.<\/p>\n
2. The Legal Framework and Core Disputes<\/h2>\n2.1. Defining Personal Data in the Digital Age<\/h3>\n
The central dispute revolved around Article 3(1) of Regulation 2018\/1725 (hereinafter “EUDPR”), which defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person’.<\/span><\/p>\nThe General Court had previously found that the European Data Protection Supervisor (hereinafter “EDPS”) incorrectly classified comments shared with Deloitte as personal data, arguing that insufficient analysis had been conducted regarding their content, purpose, and effect.<\/p>\n
The CJEU fundamentally disagreed with this approach. Establishing a crucial principle, the Court held that information relates to an identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person.\u00a0<\/span><\/p>\nHowever, the CJEU went further, recognising that subjective expressions such as personal opinions or views, as expressions of a person’s thinking, are necessarily closely linked to that person and do not require further content analysis.<\/p>\n
This decision may significantly reduce the burden on Data Protection Authorities when dealing with subjective information such as comments, opinions, or assessments, establishing that their inherently personal nature must be recognised without extensive content analysis.<\/p>\n
2.2. Pseudonymisation: Protection Measure, Not Legal Transformation<\/h3>\n
The CJEU analysed the increasingly important technique of pseudonymisation with notable nuance. While confirming that pseudonymisation may impact whether data are personal within the meaning of Article 3(1) EUDPR<\/span>, it clarified that this does not equate to anonymisation. The Decision establishes that this depends entirely on the specific circumstances and the perspective of different processors.<\/p>\nThe CJEU rejected the EDPS’s argument that pseudonymised data should always be considered personal data simply because identifying information exists somewhere. Instead, it confirmed that effective pseudonymisation measures can render data non-personal for specific recipients, provided they cannot reasonably identify the data subjects through available means.<\/p>\n
This contextual approach means that the same dataset could simultaneously be personal data for the original controller (who retains identification keys) and non-personal data for recipients who lack reasonable means of identification.<\/p>\n
2.3. Information Obligations: Controller’s Perspective Prevails<\/h3>\n
Perhaps the most practically significant aspect of the decision concerns transparency obligations under Article 15(1)(d) EUDPR. The CJEU clarified that regarding information obligations, the identifiable nature of the data subject must be assessed at the time of collection of information relating to them from the controller’s perspective.\u00a0<\/span><\/p>\nThis settles a crucial timing question: Controllers cannot avoid transparency obligations by arguing that data becomes non-personal after pseudonymisation for recipients. In short, if the controller can identify the data subject at the time of collection, they must inform them regardless of technical measures that will be applied to the information subsequently.<\/p>\n
3. Practical Implications for Legal Practice<\/h2>\n3.1. For Data Controllers<\/h3>\n
The Decision provides significant clarification for organisations handling personal data:<\/p>\n
Enhanced Transparency Requirements<\/strong>: Controllers must disclose all potential recipients in their data protection privacy notices, even if that data will be pseudonymised before transfer. The recipient’s subsequent inability to identify natural persons does not exempt the controller from this obligation.<\/p>\nPseudonymisation Strategy<\/strong>: While pseudonymisation remains an important technical measure for enhancing confidentiality, controllers should not assume it automatically removes data protection obligations. The technique’s effectiveness depends on implementation specifics and recipient capabilities.<\/p>\nOpinion and Comment Handling<\/strong>: Organisations collecting subjective information\u2014surveys, comments, complaints, or consultation responses\u2014should presume this constitutes personal data without requiring extensive content analysis.<\/p>\nRisk Assessment<\/strong>: Before a data disclosure\/transfer, the effectiveness of pseudonymisation should be evaluated from each recipient’s perspective, considering their technical capabilities and access to supplementary identifying information.<\/p>\nCompliance Timing<\/strong>: Privacy impact assessments for information confidentiality and compliance reviews should focus on the controller’s position at data collection, not post-transfer scenarios involving pseudonymised data.<\/p>\nCross-border Transfers<\/strong>: The decision’s reasoning may influence how adequacy decisions and international transfers are assessed, particularly where pseudonymisation is used as a safeguard measure. Re-evaluation of any Transfer Impact Assessments (TIAs) is recommended.<\/p>\n3.2. For Banking and Financial Services<\/h3>\n
Given the case’s origins in banking resolution procedures, financial institutions should note:<\/p>\n
Regulatory Reporting<\/strong>: When sharing data with supervisory authorities, auditors, or resolution authorities, comprehensive privacy statements must identify these potential recipients, regardless of planned pseudonymisation.<\/p>\nCustomer Communication<\/strong>: Standard data protection privacy notices may require updating to reflect the broad interpretation of personal data and recipient disclosure obligations.<\/p>\nDue Diligence Procedures<\/strong>: When engaging third parties for data analysis, financial institutions must evaluate their capabilities to identify natural persons to determine whether pseudonymisation effectively renders data non-identifiable and consequently falls outside the definition of personal data.<\/p>\n4. Conclusion and Strategic Directions<\/h2>\n
This landmark decision confirms specific conclusions regarding data protection law. Specifically:<\/p>\n
First<\/strong>, the scope of personal data is generally particularly broad and is influenced by subjective information expressing individual thoughts or opinions. With the (almost automatic) classification of subjective opinions as personal data, the strict compliance scope will encompass cases of collecting comments, questionnaires, or feedback interactions, even where the connection to the person is not obvious.<\/p>\nSecond<\/strong>, pseudonymisation remains useful. However, its effectiveness in removing personal data status depends on contextual factors, particularly the recipient’s reasonable means of identification. This “relativisation” of the concept of pseudonymisation, depending on the recipient’s technical means, provides flexibility but also uncertainty. While it allows for realistic assessment of identification risk, it may make it difficult for organisations to predict in advance when data will be considered personal, especially in environments with multiple and diverse recipients.<\/p>\nThird<\/strong>, transparency obligations are formed at data collection based on the controller’s perspective. Organisations cannot defer or avoid these obligations based on subsequent processing limitations affecting third parties. This means detailed and continuous updating of data protection privacy notices by organisations is required, adding recipients and\/or processors.<\/p>\nIt is noted that the CJEU reiterated that the definition of personal data in the EUDPR must be interpreted in full harmony with the corresponding definition in the GDPR, strengthening the coherence of European data protection law.<\/p>\n
Generally, it is recommended that controllers re-examine existing data protection privacy notices as well as data processing agreements (DPAs) in light of these principles. Particular attention should be paid to consultation processes, comment mechanisms, and any arrangements involving pseudonymised data transfers.<\/p>\n
The CJEU’s approach reflects the EU’s commitment to broad data protection coverage while recognising that privacy-enhancing technologies can provide meaningful protection when properly implemented. As pseudonymisation and other technical measures continue to evolve, this decision provides a framework for assessing their legal significance that balances practical privacy benefits with fundamental transparency rights.<\/p>\n
For organisations operating across multiple jurisdictions, this decision reinforces the importance of adopting the most protective approach when designing global privacy compliance programmes, ensuring that EU standards are met regardless of local variations in data protection law.<\/p>\n","protected":false},"excerpt":{"rendered":"
1. Introduction The Court of Justice of the European Union (hereinafter “CJEU”) issued a significant decision on data protection law that will reshape how organisations approach pseudonymisation and information obligations under the European data protection framework (hereinafter the “Decision”). In Case C-413\/23 P (EDPS v SRB), delivered on 4 September 2025, the CJEU set aside […]<\/p>\n","protected":false},"author":4,"featured_media":1777,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[605,620,612,610,613,615,46,607,618,159,608,616,609,604,611,111,621,400,137,150,123,614,606,617,619,116],"class_list":["post-1779","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-anonymisation","tag-banco-popular-en","tag-bank-resolution","tag-c-413-23-p","tag-case-law","tag-cjeu-en","tag-compliance-en","tag-data-controller","tag-data-privacy-en","tag-data-protection-en","tag-data-subjects","tag-edps-en","tag-eu-law","tag-european-court-of-justice","tag-financial-services","tag-gdpr-en","tag-information-privacy-en","tag-legal-analysis","tag-personal-data","tag-privacy-law","tag-pseudonymisation","tag-regulation-2018-1725","tag-right-to-information","tag-srb-en","tag-transparency-obligations-en","tag-psevdonymopoiisi"],"_links":{"self":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/comments?post=1779"}],"version-history":[{"count":2,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1779\/revisions"}],"predecessor-version":[{"id":1781,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1779\/revisions\/1781"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media\/1777"}],"wp:attachment":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media?parent=1779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/categories?post=1779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/tags?post=1779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}