Can pseudonymisation make data anonymous?

Written By

Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

Max Gross

Associate
UK

I am an associate in our London-based Privacy & Data Protection team. I advise UK and international clients on technology, data protection and privacy issues.

It is a truth universally acknowledged that GDPR applies to “personal data” but does not concern anonymous information. The status of pseudonymous data, by contrast, has been the subject of much dispute. 

GDPR defines “pseudonymisation” as processing of personal data, so that the only data that can be used to attribute information to a data subject (the key) is kept separately, protected by technical and organisational measures. If the risk of an organisation being able to access the key is insignificant, does this mean that the information is anonymous so far as that organisation is concerned? Alternatively, does the fact that the key exists mean that the data must always be regarded as personal data?  

On 4th September 2025, in the case of EDPS v SRB (CJEU C‑413/23 P, EU:C:2025:645), the CJEU answered this question; pseudonymised data is not always personal data in all cases and for every person; if the risk of identification is insignificant, then the pseudonymisation may mean that the data is anonymous. However, if organisations disclose data, which is personal so far as they are concerned, to another organisation, they must still include information about this in their privacy notices – even if the data is anonymous in the recipient’s hands. Lastly, the CJEU also confirmed that personal opinions and views necessarily “relate to” individuals and amount to personal data.

Facts

In June 2017, the Single Resolution Board (a European Union institution) adopted a decision relating to a Spanish bank. This would affect shareholders and creditors of the bank. For procedural reasons, this meant that SRB had to undertake a consultation with affected parties.  Shareholders and creditors registered with SRB and provided evidence of identity and ownership. SRB invited verified stakeholders to provide comments on the process, by sending a survey with a unique link in it. SRB appointed Deloitte to provide an opinion on the SRB’s valuation of the bank. Comments from stakeholders relating to the valuation of the bank were sent to Deloitte for analysis. The comments were filtered, categorised and aggregated. Where multiple stakeholders made the same comment, only one version of the comment was sent to Deloitte. The comment sent to Deloitte had a unique alphanumeric code. This was included for audit purposes (so as to demonstrate, if necessary, that each comment had been considered). However, Deloitte did not have access to the registration data. 

Some stakeholders complained that the privacy notice issued by the SRB did not disclose that their information would be shared with Deloitte. The European Data Protection Supervisor (EDPS) as the supervisory authority for European Union institutions, concluded that SRB had shared pseudonymous (personal) data with Deloitte and that the SRB should have included this information in its privacy notice. The SRB applied to the General Court of the EU to annul the EDPS’s decision. The SRB argued Deloitte could not identify the stakeholders; that the information shared was therefore not personal data so far as Deloitte was concerned; and that as a result it did not have to include information about disclosures to Deloitte in its privacy notice. The General Court upheld the SRB’s position on these points. The EDPS then appealed to the Court of Justice of the EU (CJEU). The European Data Protection Board intervened in support of the EDPS. The Commission intervened in support of the SRB.

As a European Union institution, the SRB is not subject to GDPR, but to Regulation 2018/1725 (EUDPR). However, the provisions of EUDPR and GDPR on the meaning of personal data (as on many other points) are identical and, where this is the case, are to be interpreted in the same way. To recap, GDPR provides that personal data “means any information relating to an identified or identifiable natural person”.

Personal opinions necessarily “relate to” the person expressing the opinion

The CJEU quoted its earlier decision of Nowak (C‑434/16, EU:C:2017:994), noting that data “relates to” an identified or identifiable natural person where, “by reason of its content, purpose or effect” it is linked to that person [55].  The CJEU added that it is not always necessary to consider the purpose and effect of the data. The use of “or” in Nowak shows that these are alternative criteria [56].

In the decision subject to appeal, the General Court had found that the EDPS presumed that the opinions of the shareholders and creditors “related to” the person expressing that view. The General Court concluded that this was an error and that, instead, EDPS should have inspected the content of the opinions to determine whether - based on the content, purpose or effect of the opinion - they actually related to the individual. The CJEU set aside the decision on this point. Instead, it held that there is a “particular nature of personal opinions or views, which, as an expression of a person’s thinking, are necessarily closely linked to that person”. Accordingly, it is axiomatic that personal opinions will “relate to” the person who expressed the opinion. The CJEU also stated that, in any event, it was apparent from the earlier judgment that the EDPS had examined the content of the opinions. [56]

Work emails can contain the opinions or views of the sender of the email. This becomes complex in the context of subject access requests. To what extent does a data subject have a right to access emails they may have sent, on the basis that those emails are that person’s personal data? Further, if an email exchange relates to another data subject who is mentioned in the exchange, how should the respective rights of the sender of the email be balanced with those of the person who is the subject of the opinion? This conclusion is likely to increase debate as to what amounts to a “personal opinion or view”, such that the data necessarily relates to the individual expressing the opinion. 

Pseudonymous data is not always, inherently, personal data

EDPS (supported by the EDPB) argued that pseudonymous data must be regarded as always amounting to personal data, in all cases and for every person processing the data. The mere fact that the key (or other pseudonymisation secret) existed in someone’s hands meant that the data must be regarded as personal data in all cases, irrespective of whether the data subject could actually be identified by other parties [86, 68]. 

The CJEU rejected this. It concluded that:

“… pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject, in such a way that, for them, the data subject is not or is no longer identifiable” [86].

This could be the case, “… provided that such technical and organisational measures are actually put in place and are such as to prevent the data in question from being attributed to the data subject… [in this case] pseudonymisation may have an impact on whether or not those data are personal…” [75].

In this case, the CJEU concluded that the data would be personal so far as the SRB was concerned – as would usually be the case for the controller who had undertaken the pseudonymisation [76]. However, in respect of Deloitte, the pseudonymisation could have the effect of ensuring that the data is no longer personal. For this to be the case, “… first, … Deloitte [must not be] … in a position to lift those measures during any processing of the comments which is carried out under its control. Second, those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable” [76].

The CJEU also re-iterated that when determining whether or not the pseudonymous data should be regarded as personal or not, the relevant test is whether re-identification is “reasonably likely”, where the risk of identification must be “insignificant” because it would be “prohibited by law or impossible in practice, for example because it would involve a disproportionate effort in terms of time, cost and labour” [82]. 

The CJEU also looked at what the situation would be if a person (party A) processes pseudonymous data which is not personal so far as party A is concerned, but where party A then makes the data available to someone else (party B) and where party B does have means reasonably likely to enable the data subject to be identified – so posing a re-identification risk.  The CJEU referenced the Gesamtverband Autoteile Handel case (CJEU C-319/22, EU:C:2023:837), noting that this would mean that the data should be regarded as personal both for party A and party B [84]. 

Privacy notices should cover disclosures of data, even when the data will be anonymous for the recipient

The EDPS had concluded that the SRB was in breach of its transparency obligations, because its privacy notice had not disclosed the fact that data could be disclosed to Deloitte. The SRB had argued that its obligation was to explain when it intended to transfer personal data to a recipient; in this case the data was not personal data in the recipient’s hands and so the obligation should not arise. The General Court had agreed with the SRB.

The CJEU agreed with the EDPS on this point.  “… for the purposes of applying the obligation to provide information … the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller [at that point]” [111].

This finding emphasises that this is for the purpose of ensuring transparency. It is, therefore, an open question whether the same approach should be taken in respect of other areas of GDPR. For example, would a controller still need to put in place a data processing agreement with a processor when the data is not personal so far as the processor is concerned? Would a controller still need to put in place appropriate safeguards with a recipient in a third country, if the data is not personal so far as the recipient is concerned?

General Court to take a decision on claim of breach of good administration

Lastly, the SRB had also raised a plea to the General Court alleging that EDPS had infringed the right to good administration. The General Court had dismissed this on procedural grounds. The CJEU referred this point back to the General Court for it to reach a decision. 
