Garrigues

Is pseudonymized data personal data? Key points following the European Court of Justice's judgment in the EDPS v SRB case

Europe - 

The judgment delivered by the European Court of Justice (CJEU) on September 4, 2025 in the EDPS v SRB case (case C-413/23 P) is an important landmark in the field of data protection, because it deals with the concept of “personal data” which is at the heart of the practice.

The parties in this case were the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB). The dispute stemmed from the resolution of Banco Popular (which took place under decisions by the SRB and the FROB in Spain on June 7, 2017) and the "right to be heard" procedure commenced by the SRB in 2018 to assess possible compensation for shareholders and creditors, in which data and comments were collected via an online register and form. The comments on "Valuation 3" (1,104 in total) were transmitted on June 17, 2019, by the SRB to Deloitte via a secure virtual server. Following several complaints, the EDPS found in 2020 that the SRB had not informed data subjects that Deloitte could be a recipient of this data in the confidentiality statement for the procedure, a decision (later revised) that the SRB challenged and which led to the CJEU judgment on September 4, 2025.

The most significant issue discussed in this case, which has generated intense and interesting debate among professionals in the sector, is whether pseudonymous or pseudonymized data is in itself personal data by default (because it is not completely and irrevocably anonymized), or whether it can be "non-personal" data for those who cannot, without disproportionate effort, link that data to an individual.

One might think that something so basic should not be up for debate at this stage, but the truth is that the wording of the legislation has given rise to different perspectives on what should or should not be considered personal data. This has resulted in the formation of two different viewpoints on this concept:

  • The absolute approach: which treats as personal data any information that, directly or indirectly, could be associated with an individual, however remote or improbable this link may be.
  • The relative approach: which treats that data as only personal for those who have reasonable means of linking this data to an individual.

Under a strict application of the absolute approach, therefore, it may be concluded that data is either personal or non-personal in itself, regardless of who has it in their possession. So, for example, a pseudonymized code would be personal data for a person, even if they were unable to link it to an individual, provided that somewhere, some controller had the "key" or correspondence table that would allow this re-identification.

This "monolithic" interpretation of the concept of personal data, while seeking to be particularly protective of the rights of data subjects, results in regulatory burdens that are sometimes unreasonable for data controllers. Despite this, it has long been the interpretation most often applied by the data protection supervisory authorities and, consequently, by operators, as it carries a lower risk of non-compliance for data controllers.

Recently, however, this interpretation has been refuted in CJEU judgments, such as in the Breyer and Scania cases. In these judgments, the court opted for the relative approach, by finding, in short, that a dynamic IP address (in Breyer) or a vehicle identification number (VIN) (in Scania) are personal data only insofar as an entity can link that data to an individual.

Although it might be expected that, with the endorsement of those CJEU judgments, the relative approach has been fully instated and accepted, and that this has diminished the importance of the judgment we are discussing, that is not the case. Certain authorities, such as the European Data Protection Board itself in its recent Guidelines 1/2025 on Pseudonymization (currently only available in a preliminary version for public consultation), continue to adopt a decidedly restrictive approach, leaning more towards the absolute than the relative approach.

That is why the CJEU judgment discussed in this commentary is so significant, because beyond reaffirming the relative approach, it also states for the first time in crystal-clear terms that pseudonymized personal data (in this case, an alphanumeric code relating to a person) processed by controller "A" may be personal data for "A" and not be personal data for recipient "B" if the latter cannot (reasonably) link or re-identify the data.

Besides reaffirming the relative approach, this has important practical implications, as described below.

Practical implications

Since for controller "A" the pseudonymized data will, in any case, be personal data (because they have the ability to re-identify the data subject from the alphanumeric code), "A" must comply with the applicable legislation for all purposes. This means, among other obligations, that they must:

  • have a legal basis (art. 6 GDPR) for processing that personal data, including, should the case arise, a sufficient legal basis for its disclosure to a third party; and
  • provide information on the processing to the data subject, as required under articles 13 or 14 GDPR, as applicable, including information on the recipients of their personal data.

The CJEU ruled along these lines in the decision discussed, although the details of the case show there is room for interpretation as to what type of information should be provided to data subjects on recipients who are not going to be able to establish the link between pseudonymized data and the data subjects.

Recipient B could be considered the controller for all purposes if it can reasonably re-identify the data subject. However, if, under the relative approach, recipient B is not considered the controller (because, from its point of view, personal data are not being processed), this poses difficult questions, including:

What rights does the data subject have over the recipient of the data?

The judgment points out that the data subject can exercise their data protection rights against both the transferor and the recipient. For the latter, however, it might be materially impossible to respond, for example, to requests for access or erasure, because the information would not be personal for their purposes.

In that case, what information must the transferor provide to data subjects about recipients who are not able to identify them?

In an attempt to rationalize the information requirements and avoid confusing scenarios between data subjects and the recipients who are unable to identify them, it could be considered that transferors: (i) should only provide information on the categories of recipients for whom the received information will not be personal information (without identifying each of the recipients individually); or (ii) should provide information to the effect that certain recipients will not be able to identify them with the received information, which will preempt the identified issues. As mentioned above, on this point the CJEU's decision leaves some room for interpretation (in view, for example, of the legal basis they apply in each case).

Does this apply to data processors?

In relation to data processor relationships, significant doubts arise as to whether this approach applies where the "processor" operates on the instructions of the controller but processes pseudonymous data which does not constitute personal information for the processor. Prudence suggests that the relative approach would not be fully applicable. This is because if the processor is operating on behalf of the controller, it is difficult to argue that the processor is processing "non-personal" data (as it is following the controller's instructions, the likelihood of re-identification should not be considered remote in any case). However, this case needs to be studied further, because the practical implications of accepting that the relative approach is fully applicable for these purposes would be huge (consider the benefits it would imply for contracts with third parties).

Conclusion

The CJEU ruling in the EDPS v SRB case not only reaffirms the known relative approach, it also provides a major milestone to guide practitioners by giving highly relevant insights into implementation of this approach. In particular: 

  • It clarifies that pseudonymous data may or may not be personal data, depending on who processes it and the actual chances of identifying individuals, and provides guidance on the obligations of transferors and recipients of pseudonymized data, which must be studied in detail for their correct adoption.
  • It opens up new ground to be explored by data protection professionals, who will have to take its conclusions into account when structuring compliance systems for controllers and processors. For example, its implications on the use of pseudonymized information for AI model training may be of great interest to holders of large volumes of personal information, as it could facilitate its sale.
  • This judgment requires a new perspective not only with regard to new transfers or data processing engagements to be brought into compliance, but also a rethinking of the structures already in place, which could be affected by this interpretation of the legislation.