When Does Pseudonymized Data Constitute Personal Data Under GDPR?

1. Introduction

On September 4, 2025, the Court of Justice of the European Union established binding principles on when pseudonymized data constitutes personal data under the GDPR. The ruling came in European Data Protection Supervisor v. Single Resolution Board (Case C-413/23 P). In September 2025, the CJEU partially set aside the General Court's decision and resolved the legal questions at issue. The Court remanded the case to the General Court for reconsideration. On December 19, 2025, the parties withdrew the matter from the General Court. Despite this withdrawal, the CJEU's legal determinations remain authoritative precedent, clarifying a question that has proven contentious in GDPR enforcement across member states.

The timing is particularly significant. The European Data Protection Board (EDPB) adopted its first comprehensive Pseudonymization Guidelines in January 2025, while the European Commission's Digital Omnibus proposal advances with provisions that would possibly codify the current ruling's pseudonymization principles and relativity approach to personal data into the GDPR itself. These developments will shape the framework for handling pseudonymised data in the future.

2. Background of the Case

The dispute originated from the Single Resolution Board's 2017 decision regarding the resolution of Banco Popular Español. The SRB initially made preliminary determinations about compensating creditors and shareholders without stakeholders'  input. Following criticism, the SRB established a mechanism for affected parties to submit comments on the valuation reports.

The SRB then transferred those comments to Deloitte in pseudonymized form for independent assessment of how the resolution affected stakeholders' interests. The European Data Protection Supervisor investigated the matter following complaints from stakeholders and, in 2020, found that the SRB had violated the GDPR on two grounds:

1. The pseudonymized comments still constituted personal data, and
2. The Stakeholders were not informed that their comments would be shared with a third party.

The SRB challenged this decision before the General Court, which in 2023 ruled in the SRB's favor. The General Court concluded that the data received by Deloitte did not constitute personal data because Deloitte lacked the means to re-identify individuals. The court also faulted the EDPS for failing to examine whether the content of the comments themselves revealed personal information.

The EDPS appealed to the CJEU, which in September 2025 partially overturned the General Court and established that pseudonymized data constitutes personal data depending on the specific recipient's ability to re-identify data subjects.

3. Reasoning of the Court

The CJEU addressed three central questions regarding pseudonymized data under the GDPR.

a. Personal Opinions Constitute Personal Data

The CJEU held that personal opinions are inherently personal data under the GDPR. The Court found that the General Court had erred by requiring the EDPS to examine whether the stakeholders' comments related to natural persons by their content, purpose, or effect. According to the CJEU, personal opinions or views, as expressions of a person's thinking, are necessarily closely linked to that person and therefore qualify as personal data without further analysis.

This principle builds on the Court's earlier reasoning in Nowak v. Data Protection Commissioner (Case C-434/16). In that case, the Court held that written answers on an exam script, along with comments and marks, constitute personal data relating to the candidate. Importantly, the Court extended this to hold that the examiner's comments also constitute personal data relating to the examiner, as they reflect that examiner's assessment and intellectual evaluation. Applying this same logic in the present case, the CJEU concluded that stakeholder comments on the SRB's valuation reports reflect those stakeholders' views and are therefore inherently personal data relating to the authors.

b. The Relative Nature of Pseudonymized Data

The CJEU established that pseudonymized data should not automatically be considered personal data in all cases and for every person. According to the Court, whether such data qualifies as personal data depends on the specific recipient's ability to re-identify individuals. Where pseudonymization effectively prevents recipients other than the original controller from identifying data subjects, the data subject is not or is no longer identifiable for those recipients.

The Court clarified that the test turns on whether the specific recipient has "means reasonably likely to be used" to identify individuals. In applying this test, the Court referenced Recital 26 of the GDPR, which provides that identifiability should account for all objective factors, including costs, time required, and available technology.

c. Transparency Obligations at the Point of Collection

The CJEU clarified that controllers must assess identifiability and fulfill transparency obligations at the moment of data collection, from the controller's own perspective. The Court rejected the General Court's approach, which had assessed identifiability from the recipient's viewpoint when evaluating obligations of disclosing the recipient under Article 15(1)(d) of Regulation 2018/1725.

The General Court had asked the wrong question: Can Deloitte identify individuals from the pseudonymized data it received? The correct question, according to the CJEU, is: Could the SRB identify individuals when it collected their comments? Since the SRB could identify stakeholders at collection, it had a duty to inform them that their data would be shared with Deloitte. This duty existed regardless of the subsequent pseudonymization.

4. Implications for Organizations

The CJEU's three core principles create specific compliance obligations for organizations using pseudonymization.

1. Organizations must recognize that personal opinions constitute personal data regardless of pseudonymization. This applies to employee surveys, customer feedback, stakeholder consultations, and similar contexts where individuals express subjective views. Organizations cannot avoid GDPR obligations by removing direct identifiers from opinion data.
2. Organizations must inform data subjects about third-party recipients at the point of data collection, evaluated from the controller's perspective. If the controller can identify data subjects at collection, the duty to inform arises before pseudonymization or transfer occurs. Organizations cannot defer or avoid this obligation by arguing that data becomes non-personal after pseudonymization for recipients.
3. Organizations must assess pseudonymization effectiveness from each recipient's perspective. Whether pseudonymized data constitutes personal data depends on the specific recipient's ability to re-identify individuals. What constitutes personal data for the transferring organization may differ from what constitutes personal data for recipients.

To implement these principles effectively, legal analysts recommend several practical measures. Organizations should conduct context-specific assessments of whether their pseudonymization techniques effectively prevent reidentification, given who will access the data, what other information recipients possess, and what technical capabilities they have. Organizations should document their pseudonymization methods and the rationale for determining whether data remains personal data for specific recipients.

5. Conclusion

The CJEU's judgment in European Data Protection Supervisor v. Single Resolution Board settles a longstanding question in EU data protection law by establishing the definitive framework for evaluating pseudonymized data. The ruling's relativity principle directly informs the European Commission's Digital Omnibus proposal, which seeks to codify this approach by amending the GDPR's definition of personal data.

Despite the withdrawal at the General Court level, the CJEU's legal determinations remain authoritative precedent. Organizations that implement these principles will be better positioned to use pseudonymization effectively while maintaining GDPR compliance.