European Court to Businesses: Pseudonymized Data Is Not Always Personal Data

Client Alerts • September 16, 2025

When the European Central Bank declared the Spanish bank Banco Popular Español "failing or likely to fail" in 2017, the Single Resolution Board (SRB) stepped in and announced the transfer of all of the bank's shares to another bank to ensure continued operations and, in the end, to try to maintain financial stability in the country.

The SRB, which is the central authority in the European Union responsible for managing the winding down or restructuring of failing banks, also evaluated whether compensation was owed to shareholders and creditors. To support this process, the SRB collected comments from those affected and transmitted some of those comments, in pseudonymized form, to Deloitte, its appointed appraiser.

Not to be confused with anonymization, pseudonymization, as defined under the General Data Protection Regulation (GDPR) and EU regulations, means the processing of personal data so that it can’t be attributed to a specific person without additional information, which must be kept separately. It is a privacy-enhancing technique intended to reduce the risk of re-identification and improve security. The process does not remove data from the scope of data protection law, meaning that if a controller can re-link the data to an individual, the information remains personal data.

Several individuals complained to the European Data Protection Supervisor (EDPS), the independent supervisor for data protection within the EU, arguing they were not informed of this transfer. The EDPS reprimanded the SRB in 2020 for breaching its duty under Regulation (EU) 2018/1725 to identify Deloitte as a data recipient. The European General Court annulled the EDPS decision. On appeal, the Court of Justice of the EU (CJEU) set aside the General Court’s ruling and clarified on September 4, 2025, the treatment of pseudonymized data.

The CJEU’s ruling has important implications for companies in the EU and U.S. when it comes to the treatment of pseudonymized data under data protection laws in the EU.

What the CJEU Decided About Pseudonymized Data

The CJEU’s decision provides significant clarification on the concept of "personal data" in the context of pseudonymization:

  • Opinions as Personal Data. Comments, views, and personal opinions are inherently personal data. They are inseparable from the identity of the individual expressing them, regardless of whether direct identifiers are removed.
  • Pseudonymization and Identifiability. Pseudonymized data is not automatically personal data in every sharing context. The assessment depends on context: if a third party receiving the personal data cannot reasonably re-identify the individual, the data may not constitute personal data for that party. However, for the controller that retains a means of re-identification, pseudonymized information remains personal data.
  • Controller’s Perspective Governs Information Obligations. The controller’s transparency obligation arises at the moment of collection under Article 15(1)(d), which requires controllers to disclose to data subjects the categories of recipients to whom the controller discloses personal data. The relevant perspective is the controller’s, not the recipient’s. The SRB should have informed participants that Deloitte was a potential recipient, regardless of whether Deloitte could re-identify the individuals.
  • Transparency Cannot Be Avoided Through Pseudonymization. Controllers must provide notice to data subjects before transmitting pseudonymized data to third parties. Pseudonymization reduces risk but does not negate transparency obligations.

Implications for Organizations

This judgment underscores that pseudonymization reduces risk but does not remove data from the scope of EU data protection law. Subjective opinions, even when pseudonymized, must be treated as personal data, and controllers remain responsible for meeting full transparency obligations. Organizations should therefore ensure that privacy notices identify all potential recipients at the time of collection, including third parties who may only receive pseudonymized datasets.

Because identifiability must be assessed in context, businesses should document how pseudonymization is applied and why particular data remain personal for the controller, even if they are not identifiable by a recipient. Staff training should reinforce the difference between pseudonymization and anonymization to prevent gaps in compliance.

Finally, organizations should revisit their contracts with auditors, consultants, and other service providers to clarify treatment of pseudonymized data and to allocate compliance responsibilities appropriately.

Final Takeaway

The CJEU’s decision strengthens the EDPS’s authority and clarifies that pseudonymization, while valuable, does not remove data from the definition of "personal data." Controllers must continue to meet full transparency and information obligations, and cannot shift responsibility by pointing to the recipient’s inability to re-identify individuals.

For more information, please contact us or your regular Parker Poe contact.