Landmark ECJ ruling on the pseudonymization of personal data
Update Data Protection No. 216
In its judgment of September 4, 2025 (Case C-413/23 P), the ECJ clarified important legal issues relating to pseudonymization and the transfer of personal data and once again confirmed a broad interpretation of the term "personal data."
Although the judgment concerns the interpretation and application of Regulation (EU) 2018/1725 ("EU Data Protection Regulation for EU Institutions" – EUDPR), it can be applied to the interpretation and application of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) due to the nearly identical provisions in this regard (see Recital 5 EUDPR).
Summary of the ruling in 3 sentences
Third-party recipients of pseudonymized data who do not have the means to re-identify individuals are not subject to the provisions of the GDPR in this respect. Controllers must inform data subjects of any planned disclosure of their personal data. The term "personal data" is to be interpreted broadly and (probably) covers all expressions of opinion, views, comments, etc. of natural persons – regardless of the content, purpose, and impact of the statements.
Relevance of the ruling: "Milestone in a highly controversial legal issue" (HmbBfDI)
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) describes the ruling as a "milestone in a highly controversial legal issue."
The ECJ's clarification that data which is (originally) personal and merely pseudonymized for the controller may, once transferred, be anonymized for the recipient and thus no longer carry a personal reference is very relevant in practice. If the data no longer has any personal reference for the recipient, the recipient does not have to comply with the requirements for the protection of personal data in this respect. However, entities handling anonymized data must continuously monitor whether the GDPR becomes applicable to them, namely as soon as they are able to re-identify the data subjects by means of new (technical) means or additional data.
The ruling strengthens the protection of natural persons. Even opinions or comments are personal data – not just data such as name, address, etc. The classification of personal opinions or views as personal data, without further examination of their content, purpose, or effect, once again illustrates the broad interpretation of the term "personal data."
Finally, it should be noted that controllers must already inform data subjects comprehensively about who the potential recipients of their data are when collecting personal data. This also applies to personal data that is passed on in pseudonymized form.
Facts
The background to this is a legal dispute between the European Data Protection Supervisor (EDPS) as plaintiff and the Single Resolution Board (SRB), an EU authority for the resolution of banks.
Following the resolution of Banco Popular Español by the SRB, affected shareholders and creditors were invited to participate in a hearing procedure. To do so, they first had to register and were then able to submit comments in a later consultation phase. Proof of identity and ownership had to be provided during registration. The comments were then forwarded to Deloitte under a pseudonymized code for an assessment required under resolution law.
Some of those affected complained to the EDPS. They criticized the fact that the SRB's privacy policy did not indicate that certain data, in particular their comments together with pseudonymized codes, could be passed on to third parties such as Deloitte. This constituted a violation of Art. 15(1)(d) GDPR, which requires data subjects to be informed of recipients or categories of recipients at the time of data collection.
The EDPS ruled in favor of the data subjects and confirmed a violation of Article 15(1)(d) of the GDPR. The SRB should have informed the shareholders and creditors concerned at the time of data collection that their comments, together with a pseudonymized code, could be passed on to third parties such as Deloitte.
The General Court of the European Union (GCEU) overturned the EDPS's decision. It took the view that the comments passed on to third parties, together with the pseudonymized code, did not constitute personal data, as the third-party recipients of the data could not identify the data subjects without access to the additional information retained by the SRB. Consequently, according to the General Court, there was no breach of the information obligation under Article 15(1)(d) of the GDPR. The EDPS appealed against this decision, so that the ECJ now had to rule on the matter.
Judgment of the ECJ
The ECJ overturned the first-instance ruling of the General Court, as the statements sent to Deloitte constituted personal data. The ECJ emphasized that the concept of personal data must be interpreted broadly. It covers not only objective data, but also subjective data such as opinions or comments made by a person, as these are inextricably linked to the author.
The ECJ does not agree with the General Court's view that it was necessary to examine whether the content, purpose, or effect of the comments made it possible to link them to a specific person. This assessment fails to recognize the special nature of personal opinions and views, which, as expressions of a natural person's thoughts, are inevitably closely linked to that person. They are therefore personal data, regardless of their content, purpose, or effect.
Furthermore, the ECJ clarifies that pseudonymized personal data does not in every case remain personal data within the meaning of data protection law. Under certain circumstances, pseudonymization can effectively prevent third parties other than the controller from identifying the data subject, so that the data cannot, or can no longer, be traced back to a person by those third parties. For these third parties, the data is then effectively anonymized, so that the GDPR does not apply to them. Whether data subjects are (still, or again) identifiable depends largely on the specific circumstances of the respective data processing.
However, the ECJ confirms that data subjects must be informed of potential (additional) recipients of their data at the time of data collection. As the controller, the SRB is obliged to inform data subjects at the time of data collection about the recipients and/or categories of recipients to whom their personal data may be disclosed, regardless of whether those third-party recipients can still identify the individuals. The ECJ emphasizes that the obligation to provide information exists in the relationship between the data subject and the controller. The form in which the data is available to the controller before it is disclosed to third parties is therefore decisive. Accordingly, the question of identifiability had to be assessed from the perspective of the controller and not from the perspective of the subsequent recipient (in this case, Deloitte). Since the SRB had not mentioned in its privacy policy that personal data, such as comments, would be transferred to Deloitte, this constitutes a violation of Art. 15(1)(d) GDPR.
Conclusion and recommendations for action
Since violations of the GDPR can be punished with fines of up to €20 million or up to 4 % of a company's global annual turnover, we recommend that the following findings from the current ECJ ruling be taken into account and implemented:
- All statements made by natural persons, as well as identifiers such as names, dates of birth, and address details, should be classified as personal data and only processed within the legally permissible framework of data protection regulations, in particular the GDPR.
- Privacy policies must provide data subjects with comprehensive information about the (intended) processing of their personal data. Controllers are obliged to indicate any (intended) transfer to third parties at the time of the initial collection. Controllers should review whether their privacy policy contains the necessary information about all recipients and/or categories of recipients and, if necessary, supplement it immediately.
- Pseudonymized data is not automatically personal data. If pseudonymization effectively prevents third parties who receive pseudonymized data from the controller from identifying the data subject, then no personal data is available to the third-party recipient. The GDPR is therefore not (initially) applicable to the third-party recipient. However, as soon as (re)identification becomes possible and realistically feasible for the third-party recipient, the GDPR is (once again) applicable and must be fully complied with. For companies and other data recipients, this means that they must always carefully check whether (re)identification is possible. Against this background, we recommend establishing regular review processes and documenting each review.