Court clarifies personal data definition in pseudonymized transfers

The Court of Justice of the European Union set aside a General Court judgment on September 4, 2025, in a case that establishes important principles about when personal data maintains its classification during transfers to third parties. The judgment in EDPS v SRB (Case C-413/23 P) addressed whether pseudonymized comments constituted personal data for all parties involved in data processing operations.

Background of the banking resolution case

The dispute originated from the resolution of Banco Popular Español on June 7, 2017. According to the Court of Justice, "Following the resolution of Banco Popular Español, on 7 June 2017, the Single Resolution Board (SRB) adopted a preliminary decision on whether or not it was necessary to grant compensation to the former shareholders and creditors of that bank as a result of that resolution."

The SRB subsequently organized a consultation procedure allowing affected shareholders and creditors to submit written comments on the preliminary decision. The board transferred some comments to Deloitte, an auditing company tasked with conducting an independent valuation of the resolution's effects.

The key technical measure involved using unique alphanumeric identifiers to pseudonymize the comments. According to the court documents, "Comments were coded with a unique alphanumeric identifier" and "Only SRB could link comments to identities; Deloitte received only coded comments."

Five stakeholders complained to the European Data Protection Supervisor (EDPS) because the SRB's privacy statement failed to mention Deloitte as a recipient of their data. The EDPS found that SRB breached its duty to inform under Regulation 2018/1725 and issued a reprimand in 2020.

The General Court's initial ruling

The General Court annulled the EDPS decision in April 2023, establishing two key findings about personal data assessment. First, the court ruled that "EDPS had not properly examined whether comments, by content/purpose/effect, related to an identifiable person." Second, it determined that "'Identifiable person' – must be assessed from Deloitte's perspective. Deloitte had no access to identity data, so re-identification was not reasonably possible."

The General Court concluded that "data sent to Deloitte were not 'personal data' for Deloitte" based on the recipient's inability to identify individuals from the pseudonymized information.

Court of Justice establishes new framework

The Court of Justice addressed three main issues in its September 4 ruling. According to the court's analysis, "The Court of Justice has found, in the first place, that the General Court erred in law in holding that the EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte 'related', within the meaning of Regulation 2018/1725, to the persons who submitted those comments, should have examined the content, purpose or effects of those comments, whereas it was common ground that they expressed the personal opinion or point of view of their authors."

The judgment established that personal opinions inherently relate to their authors without requiring additional analysis. According to the court, "personal opinions or views which, as an expression of a person's thinking, are necessarily closely linked to that person."

On the question of whether data subjects are "identifiable," the court confirmed the General Court's approach regarding the relative nature of personal data. The ruling states: "pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725."

According to paragraph 77 of the judgment, "As regards Deloitte, to which the SRB transmitted pseudonymised comments, the [technical and organizational measures] have the effect that, for that company, those comments are not personal in nature." However, this outcome required meeting specific conditions.

Technical requirements for effective pseudonymization

The judgment established that effective pseudonymization for recipients requires two critical elements. First, according to the court, "Deloitte is not in a position to lift those measures during any processing of the comments which is carried out under its control." Second, "those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject in such a way that, for the company, the person concerned is not or is no longer identifiable."

The court emphasized that this assessment must consider practical rather than theoretical possibilities. According to paragraph 82, "the existence of additional information enabling the data subject to be identified does not, in itself, mean that pseudonymized data must be regarded as constituting, in all cases and for every person, personal data."

The ruling clarified that "means of identifying the data subject is not reasonably likely to be used where the risk of identification appears in reality to be insignificant, in that the identification of that data subject is prohibited by law or impossible in practice."

Information transparency obligations remain with controllers

The court addressed whether controllers must assess data from recipients' perspectives when determining transparency obligations. The judgment established that "the relevant perspective for assessing the identifiable nature of the data subject depends, in essence, on the circumstances of the processing of the data in each individual case."

For information obligations specifically, the court ruled that "the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller." This means that "the SRB's obligation to provide information was applicable prior to the transfer of the data at issue and irrespective of whether or not those data were personal data, from Deloitte's point of view, after any potential pseudonymisation."

The ruling emphasized that information obligations serve to enable data subjects to "decide, in full knowledge of the facts, whether to provide or, on the contrary, refuse to provide the personal data being collected from him or her" and to "defend his or her rights against those recipients subsequently."

Implications for data sharing with third parties

The judgment addresses scenarios where recipients might share pseudonymized data with additional parties. According to paragraph 85, "that fact [pseudonymisation] has no bearing on the assessment of the personal nature of those data in the context, inter alia, of a potential subsequent transfer of those data to third parties."

The court specified that "in so far as it cannot be ruled out that those third parties have means reasonably allowing them to attribute pseudonymised data to the data subject, the data subject must be regarded as identifiable as regards both that transfer and any subsequent processing of those data by those third parties."

This creates ongoing obligations for controllers to consider downstream data flows when implementing pseudonymization measures and transparency requirements.

Why this matters for marketing

The ruling establishes a framework where data classification can vary based on actual technical capabilities rather than theoretical possibilities. For digital marketing platforms, this suggests that effective pseudonymization could change data protection obligations for different parties in complex data ecosystems.

PPC Land has extensively covered how pseudonymization affects data sharing obligations in advertising technology. The privacy-enhancing technologies being developed across the industry align with the court's emphasis on technical measures that prevent re-identification.

Marketing teams should note that transparency obligations for data collection remain unchanged regardless of subsequent pseudonymization. Organizations must continue disclosing all potential recipients when collecting personal data, even if technical measures later prevent those recipients from identifying individuals.

The decision also reinforces the importance of implementing robust technical measures throughout data processing operations. Recent enforcement actions against major platforms demonstrate how technical implementations affect legal compliance assessments.

Timeline

• June 7, 2017: Single Resolution Board resolves Banco Popular Español
• 2017-2018: SRB conducts consultation procedure with pseudonymized data transfer to Deloitte
• 2018: Stakeholders submit complaints to EDPS about undisclosed data sharing
• 2020: EDPS finds SRB violated information obligations and issues reprimand
• April 26, 2023: General Court annuls EDPS decision, ruling data not personal for Deloitte
• February 6, 2025: Advocate General delivers opinion supporting recipient-centric approach
• August 3, 2025: PPC Land reports on upcoming court decision implications
• September 4, 2025: Court of Justice delivers final judgment establishing new framework
• July 2025: GDPR enforcement patterns show evolving compliance approaches

Summary

Who: The Court of Justice of the European Union ruled in a case between the European Data Protection Supervisor and the Single Resolution Board, with Deloitte as the third-party recipient of pseudonymized data.

What: The court established that pseudonymized data may not constitute personal data for recipients who cannot reasonably identify individuals, while maintaining that controllers must assess transparency obligations from their own perspective at the time of data collection.

When: The judgment was delivered on September 4, 2025, resolving a dispute that began with Banco Popular Español's resolution on June 7, 2017.

Where: The ruling applies across the European Union and affects data protection obligations for organizations transferring personal data to third parties, particularly in financial services and professional consulting contexts.

Why: The decision addresses fundamental questions about how GDPR applies when different parties have varying capabilities to identify individuals from the same dataset, establishing that data protection obligations should reflect actual rather than theoretical identification risks.