Personal data and pseudonymization: ECJ specifies requirements

ECJ ruling on personal data and pseudonymization.

The European Court of Justice (ECJ) has dealt with various questions on the subject of personal data and pseudonymization. The reason for this was a legal dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB), in which the European Data Protection Board (EDPB) and the European Commission were also involved. With reference to its previous case law, the ECJ clarified the meaning of the term "personal data" in connection with the transmission of pseudonymized data to third parties.

SRB appeals against EDPS decision

Following the resolution of Banco Popular Español, the Single Resolution Board (SRB) issued a preliminary decision on June 7, 2017 on whether former shareholders and creditors of this bank must be granted compensation due to its resolution. As the persons concerned were not heard prior to the adoption of this decision, the SRB later conducted a procedure in which these persons were able to comment on its provisional decision. Within the scope of this procedure, the SRB transmitted certain comments as pseudonymized data to Deloitte, an auditing and consulting firm, which it had commissioned to assess the impact of the resolution on the shareholders and creditors.

Several affected shareholders and creditors lodged complaints with the European Data Protection Supervisor (EDPS) because the SRB had not informed them that data concerning them would be transmitted to a third party, namely Deloitte. The EDPS took the view that Deloitte was, in the present case, a recipient of personal data of the complainants. He also found that the SRB had infringed Regulation 2018/1725. The SRB then brought an action for annulment of the EDPS's decision before the General Court of the European Union. The General Court partially upheld this action and declared the decision in question null and void.

The core of the ruling is the interpretation of the terms "personal data" and "pseudonymization" under the EU data protection regulation. Regulation (EU) 2018/1725, which applies to EU institutions and largely corresponds to the GDPR, defines personal data as "any information relating to an identified or identifiable natural person". The ECJ emphasizes the broad scope of this term: "any information" is to be understood literally. It potentially includes all types of information of an objective or subjective nature (including expressions of opinion or assessments), provided that there is a reference to a person. The decisive factor is whether the information is linked to a person in terms of its content, purpose or impact. In the present case, it was undisputed that the comments reflected the personal views of the authors and therefore constituted information "about" these persons. The use of codes instead of names did not initially change this.

Pseudonymization is legally defined as the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to prevent re-identification. Important: pseudonymization is not part of the definition of "personal data", but a technical measure to reduce the risk of personal linkage. In accordance with recital 17 of Regulation 2018/1725 (corresponding to recital 28 GDPR), it merely reduces the risks for data subjects and supports controllers and processors in data protection compliance. As long as identification is at least theoretically possible with additional knowledge, pseudonymized data remains personal data.


Relative personal reference is decisive

The ECJ clarifies that pseudonymized data is not automatically considered "anonymous". The decisive factor is the existence of additional information that enables identification. If such information is available somewhere (such as a key directory at the controller), its very existence contradicts the assumption that pseudonymized data is completely anonymous and does not fall under data protection law. Anonymization, by contrast, requires that the data subject is not or no longer identifiable. Pseudonymization, on the other hand, presupposes that separately stored identifying data exists.

However, the ECJ introduces a relative concept of personal reference: one must distinguish for whom the data is (still) personal. The starting point is the perspective of the controller: the SRB, as the party that carried out the pseudonymization, still had all the additional information (keys) needed to assign the coded data to specific persons. For the SRB, the comments therefore remained personal data despite pseudonymization.

The ECJ states that effectively pseudonymized data is generally not personal for a recipient who has no additional information. In other words, from Deloitte's point of view, the data records supplied were ultimately anonymous information, as there were no names or direct identifiers and Deloitte had no way of assigning the codes to real persons. This holds under two conditions:

  1. The recipient must not be technically or organizationally in a position to reverse or circumvent the pseudonymization measures taken, and
  2. the measures must actually effectively prevent identification by other available means. Even through comparison with external data, the data subject cannot (or can no longer) be identified by the recipient. Only under these strict conditions is the pseudonymized data de facto anonymous for the recipient.

Pseudonymization must be examined on a case-by-case basis

With this differentiated view, the ECJ also confirms the principle from recital 16 sentence 5 GDPR (or Regulation 2018/1725): Data protection principles do not apply to anonymized information, i.e. data that does not (or no longer) relate to an identified or identifiable person. This means that as soon as a data set has been processed in such a way that no one involved can be identified, it is anonymous data that falls outside the scope of the GDPR.

However, the ECJ emphasizes that it must be examined in each individual case whether there is really no possibility of identification. All objective factors must be taken into account here: in particular, available technologies, the time and cost of a possible re-identification, and whether combining the data with other data is legally or practically possible. If the risk of identification is de facto insignificant (e.g. due to legal prohibitions or disproportionate effort), then there is a strong case for the information to be considered anonymous.

Overall, the ruling underlines the fact that pseudonymization is not a license to withdraw data from data protection. Under certain circumstances, however, it can lead to a third party not being subject to data protection law with regard to the data received.

Obligation to provide information at the time of data collection

For companies, whether as controllers or processors, this ruling has important practical consequences. Firstly, the ECJ unequivocally confirms that pseudonymized data must still be treated as personal data as long as the controller (or someone else) can establish a personal reference by means of additional information. In particular, controllers cannot evade their obligations by pseudonymizing data and passing it on to third parties. The obligations under data protection law continue to apply in full from the perspective of the original controller.

In the present case, this meant that the SRB did not fulfill its duty to inform pursuant to Art. 15 Regulation 2018/1725 (or Art. 13 GDPR) when collecting shareholder data, including the obligation to inform the data subjects of all intended recipients. The fact that the data was later pseudonymized vis-à-vis Deloitte is irrelevant.

The ECJ clarifies that the information obligation of Art. 15 para. 1 lit. d Regulation 2018/1725 exists in the relationship between the controller and the data subject and must be fulfilled at the time of data collection. From the SRB's perspective, the participants were identifiable (it had all the identifying information itself), so the data was personal data, and consequently it should have named Deloitte as the recipient. The later non-identifiability from Deloitte's perspective is irrelevant for the question of timely information.

Recommendations for action in practice

Companies should observe the following points when using pseudonymization:

  • Transparency about recipients: Inform data subjects at the time of data collection about all intended recipients of their data (Art. 13 para. 1 lit. e GDPR). This also applies if the transfer is to take place in pseudonymized form. Failure to name a recipient weighs heavily as an infringement, even if the recipient cannot identify the persons. If it is still unclear at the time of collection which third-party recipients will be involved, at least categories of possible recipients should be specified. If data is only sent to third parties in pseudonymized form later, it must be examined whether subsequent information of the data subjects pursuant to Art. 14 GDPR is required.

  • Anonymization vs. pseudonymization: As long as anyone can re-identify people using additional data or with reasonable effort, the data remains personal. Complete anonymization is technically demanding. However, if it succeeds, the GDPR obligations do not apply. Make use of pseudonymization as a protective measure, but continue to treat pseudonymized data with the required level of data protection.

  • Effective technical/organizational measures: Separate identification keys from the actual data records and restrict access to them. Check the effectiveness of the measures: For example, can individual persons be guessed using specific characteristics in the data record?

  • Drafting contracts with service providers: If you engage a processor and transmit pseudonymized data to them, ensure in the data processing agreement that they only process the data in accordance with your instructions and do not attempt to identify individuals. As a rule, the service provider itself is not in a position to identify individuals without additional knowledge. Nevertheless, a ban on re-identification should be explicitly included. In addition, list all subcontractors who receive the pseudonymized data and check their measures.

  • Documentation and ability to provide information: Keep a record of who you make pseudonymized data available to. Even if this data is anonymous to the recipient, you as the controller must be able to provide information to data subjects about which bodies have received data (in any form).