In its judgment of 4 September 2025 (Case C-413/23 P), the Court of Justice of the European Union (CJEU) ruled on key questions regarding the scope of data protection law, in particular relating to pseudonymisation and the duty to inform when data is shared. The ruling reinforces the broad scope of EU data protection law and once again confirms that subjective statements – such as comments or personal assessments – qualify as personal data.
Although the ruling formally refers to Regulation (EU) 2018/1725 (the “EU Regulation for EU institutions”), it can be directly applied to the GDPR due to the substantial alignment of the rules (cf. Recital 5 of Regulation 2018/1725).
Key Findings of the Judgment – at a Glance
- If a third party receives pseudonymised data and has no means of re-identification, the GDPR does not apply.
- Controllers must inform data subjects at the time of collection about any possible disclosure of their data.
- The term personal data must be interpreted broadly and arguably also includes subjective statements – regardless of their content, purpose, or impact.
What is Pseudonymisation?
Pseudonymisation, under data protection law, means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information (Article 4(5) GDPR). While the data remain identifiable in principle, the additional information must be kept separately and protected by appropriate technical and organisational measures. Pseudonymisation reduces risks for data subjects but does not eliminate the personal reference entirely. Thus, pseudonymised data still fall within the scope of the GDPR.
Background to the Case
The proceedings arose from a legal dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB), the EU authority responsible for handling failing banks.
As part of the resolution of Banco Popular Español, shareholders and creditors were first required to prove their identity and ownership in order to participate in a hearing. In a second phase, they were invited to submit comments. These comments were transmitted to the law firm Deloitte – commissioned to conduct a valuation under resolution law – under a pseudonymised code.
Several data subjects complained to the EDPS, arguing that the SRB’s privacy notice did not mention this transfer. The EDPS found a breach of Article 15(1)(d) of Regulation 2018/1725, as data subjects should have been informed at the time of collection about recipients or categories of recipients. However, the General Court annulled this decision, reasoning that there was no personal reference since Deloitte could not perform re-identification without additional information. The EDPS appealed – successfully.
The CJEU’s Ruling
The CJEU overturned the General Court’s decision and clarified several key points:
- Broad interpretation of personal data: Comments, opinions or evaluations constitute personal data. They reflect individual thoughts and are closely linked to a natural person – regardless of whether they contain objective information, and regardless of their content, purpose or effect.
- Pseudonymisation vs. anonymisation: Pseudonymised data remain personal data for the controller. However, for third parties without the means to re-identify, the same data may be considered anonymised – and thus fall outside the scope of the GDPR. Identifiability depends on specific circumstances and technical capabilities.
- Transparency obligations: Controllers must inform data subjects at the point of collection about who (specifically or by category) will receive their data. The fact that a third party cannot identify individuals does not waive this duty.
The CJEU therefore found a clear breach of Article 15(1)(d) by the SRB, as the privacy notice had not disclosed the transmission to Deloitte.
Practical Implications
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) described the ruling as a “milestone in a highly controversial legal issue”.
While Recital 26 of the GDPR already states that the Regulation does not apply to anonymised data, it has long been debated when data truly qualify as anonymised. In its 2016 Breyer judgment (Case C-582/14), the CJEU held that IP addresses could be personal data if the controller had access to relevant additional information (e.g. from ISPs). That decision set fundamental standards for data protection online.
The CJEU now continues this case law consistently and clarifies the legal distinction between pseudonymisation and anonymisation.
The judgment offers legal certainty for companies and institutions:
- Broad definition of personal data: Any statements or assessments are personal data. Differentiating based on content, purpose or effect is unnecessary.
- Pseudonymised data must be evaluated contextually: If recipients cannot re-identify individuals, the GDPR does not apply – unless and until technical or factual conditions change.
- Comprehensive transparency obligations: Controllers must clearly inform data subjects at the time of data collection about all (potential) recipients or categories – even when data is shared in pseudonymised form.
Recommended Actions for Companies
In light of this judgment, controllers should urgently assess whether their data protection practices meet the required standards:
- Recognise the extended definition: Subjective statements from natural persons are to be treated as personal data.
- Review privacy notices: Notices must clearly inform data subjects about planned processing, recipients, and recipient categories. Failure to do so can result in fines of up to €20 million or 4% of annual global turnover.
- Understand pseudonymisation in context: For a recipient without re-identification means, pseudonymised data may be effectively anonymised. The GDPR does not apply in such cases. But once the recipient is capable of re-identifying the individual, the full GDPR obligations apply. Companies should therefore implement regular checks on whether new technical or organisational capabilities make re-identification possible.
- Ensure documentation: Transparent and traceable internal processes are crucial to demonstrate GDPR compliance in case of audits or disputes.
Conclusion
The CJEU ruling of 4 September 2025 confirms that the scope of data protection law is not limited to classic identifiers. Subjective statements also count as personal data. At the same time, the decision brings legal certainty for third-party recipients of pseudonymised data, provided they cannot perform re-identification. For businesses, this means: transparency, careful pseudonymisation, and continuous monitoring of identifiability are essential.