On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20.  In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.

We provide below an overview of the Court’s key findings.

Background

The case arises from an appeal brought by the European Data Protection Supervisor (“EDPS”) against the General Court’s ruling of 2023, which had annulled a decision adopted by the EDPS.  In the contested decision, the EDPS had found that the Single Resolution Board (“SRB”) had violated Regulation 2018/1725  on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, because it had not informed the affected data subjects about the disclosure of their pseudonymized personal data – in the form of comments submitted as part of a consultation relating to a proposed liquidation of a Spanish bank –  to a third party, namely, a consulting firm engaged by the SRB (see our previous blogposts here and here).

The Court’s Ruling

Pseudonymized data does not always constitute personal data.  One of the key points in dispute related to whether the pseudonymized personal data that SRB shared with its consulting firm, which did not have access to other information that only SRB possessed – allowing it to assign the comments to the data subjects who submitted them – was personal data when received by the consulting firm. The Court agreed with the General Court’s finding in relation to the scope of pseudonymized data, rejecting the EDPS’ view that pseudonymized data is invariably personal data, even in circumstances where the recipient may not be in a position to attribute it to a data subject.  In particular, the Court maintained that:

pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725, in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable. (para 86)

Moreover, the Court clarified that the reference to “another person” in the fourth sentence of Recital 16 of Regulation 2018/1725, “refers only to persons who have or may have access to the means reasonably likely to be used for the purposes of identifying the data subject”, opening the door for the possibility that, in certain instances, the recipient may not be in receipt of personal data.  According to the Court:

pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable. (para 87)

The Court’s judgement provides that a highly fact-specific analysis will need to be undertaken “in each individual case” to assess whether the data subject is identifiable to the third party.

The “identifiability” of data subjects must be assessed from the controller’s point of view at the time of collection.  The Court found that the General Court erred in holding that the EDPS should have examined whether the comments transmitted to the third party constituted, from the third party’s point of view, personal data.  The Court confirmed that the “identifiable” nature of the data subject “must be assessed at the time of collection of the data and from the point of view of the controller”.  (para 111)

In addition, the Court held that SRB’s obligation to provide information about recipients with whom data would be shared, pursuant to Article 15(1)(d) of Regulation 2018/1725, was applicable “prior to the transfer of the data at issue and irrespective of whether or not those data were personal data”, from the third party recipient’s point of view after any potential pseudonymization. (para 112)  Put another way, it made no difference whether the consultancy firm received personal data or not, when assessing SRB’s obligation to notify data subjects about the disclosure.  This is important because it demonstrates that the Court’s decision is helpful for recipients of data, for whom the data may qualify as anonymous, but does not move the dial for the original controllers, who have to comply with the GDPR in full for the disclosure (i.e., legal basis, transparency, etc.), even though the data are anonymous for the recipient.

Comments may constitute personal data.  The Court found that the General Court erred in law in ruling that the EDPS should have assessed the content, purpose and effects of the data subjects’ comments, in order to conclude that the information contained in those comments “related”, within the meaning of Article 3(1) of Regulation 2018/1725, to the persons who submitted those comments, since it was common ground that they expressed the personal opinion or view of their authors. (para 68)  The Court, in keeping with its jurisprudence, confirmed the special nature of personal opinions, which, “as an expression of a person’s thinking, are necessarily closely linked to that person”. (para 58)  On this basis, it was improper for the General Court to require the EDPS to consider further the question of whether opinions might “relate” to the data subject and potentially be personal data.

***

Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging data protection and compliance issues in the EU and other key markets. If you have any questions about the topics discussed in this article, please do not hesitate to contact us.