Pseudonymous Data May Be Anonymous for Third Parties Without (Additional) Knowledge
On 4 September 2025, the Court of Justice (ECJ) delivered its landmark judgment in European Data Protection Supervisor v. Single Resolution Board (Case C-413/23 P). In that judgment, the ECJ clarified the conditions under which data must be regarded as personal in nature and, consequently, when its processing falls within the scope of data protection law. The full text of the judgment is available here.
In particular, the ECJ held that the question of whether data relates to an identifiable natural person must be assessed from the perspective of the controller and at the time the data is collected. Further, the ECJ ruled that pseudonymisation may, depending on the circumstances of the case, effectively prevent a third party (a person other than the controller) from identifying the data subject. If a third party receives (a subset of) pseudonymized data and does not have additional information that would enable it to be attributed to a particular person, that data is generally to be regarded as anonymized for the third party within the meaning of EU data protection law.
The ECJ Ruling
According to the ECJ, pseudonymized data transferred by a controller to a third party must not, in principle, be regarded as constituting personal data for that third party, provided that:
- the third party does not have access to the additional information enabling the identification of the data subjects, and
- the technical and organizational measures taken effectively prevent such identification.
SKW Schwarz previously published an article on the (overturned) judgment of the General Court of 26 April 2023 (Case T-557/20) in CR 2023, p. 532 et seq. We also contributed to the discussion paper "Anonymization in Data Protection as an Opportunity for Business and Innovation" by the Industry 4.0 Platform on the position paper of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) on “Anonymization Under the GDPR With Special Consideration of the Telecommunications Industry”.
A. The Background
Following the resolution of Banco Popular Español, S.A. based on Regulation (EU) 2018/1725, the Single Resolution Board (SRB) collected personal information from the affected shareholders and creditors to verify their legal status and, in addition, obtained their written comments through an online form. Subsequently, the SRB separated the comments from the identifying information of the respondents and pseudonymized the comments by assigning to each a unique alphanumeric code. Only the pseudonymized comments, together with the corresponding codes, were transmitted to the third-party recipient (Deloitte). Deloitte had no means of linking the alphanumeric code to the author of the comment.
Some data subjects lodged complaints with the European Data Protection Supervisor (EDPS), which found that the SRB had infringed its information obligations under Article 15(1)(d) of Regulation (EU) 2018/1725 by not mentioning Deloitte in its privacy statement as a potential recipient of the personal data collected. Since this provision mirrors Articles 13(1)(e) and 14(1)(e) GDPR, the judgment has direct implications for the interpretation of the GDPR.
Initially, the General Court annulled the EDPS's decision (Case T-557/20). On appeal, however, the ECJ overturned that judgment, holding that “the General Court disregarded the objective nature of the condition relating to the ‘identifiable’ nature of the data subject, by holding […] that the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data”.
In particular, the ECJ ruled that – with regard to the data protection information obligations and the assessment of whether data is personal in nature at the time of collection – the relevant perspective is that of the controller (here, the SRB) rather than that of a subsequent third-party recipient. From the SRB's perspective, the data at issue constituted personal data, which triggered the information obligation, including disclosure of Deloitte as a potential recipient.
Consequently, the ECJ referred the case back to the General Court for a new decision in accordance with this ruling.
B. Key Legal Findings on the Concept of Personal Data
1. Interpretation of the Concept of Personal Data
First, the ECJ emphasized that the definition of the concept of "personal data" set out in Article 3(1) of Regulation (EU) 2018/1725 and Article 4(1) GDPR must be interpreted broadly.
As the European legislator has used the expression “any information” in defining the concept of “personal data,” this reflects the intention to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it “relates” to the data subject.
2. Relative Nature of Personal Data
In the first step, the ECJ noted that where the controller has additional information enabling the pseudonymized data transmitted to a third party to be attributed to the data subject, as is usually the case for controllers who have pseudonymized data, such data remains, in its view, personal in nature despite pseudonymisation.
In the second step, the ECJ clarified that pseudonymized data transmitted by the controller to a third party who does not have additional information to attribute it to the data subject does not constitute personal data for that third party. Rather, for the third party, such data is considered anonymous.
According to the fifth sentence of Recital 26 GDPR, the principles of data protection should not apply to anonymous information, namely information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
However, that presupposes that the third party cannot lift the technical and organizational measures of pseudonymisation. In fact, these measures must be sufficient to prevent the third party from attributing the data to the data subject, including by recourse to other means of identification such as cross-checking with other factors, so that, from the third party’s perspective, the person concerned is not, or is no longer, identifiable.
According to the third sentence of Recital 26 GDPR, when assessing whether a natural person is identifiable, "all the means" reasonably likely to be used — either by the controller or by another person (e.g., a third party) to identify the natural person directly or indirectly — must be considered.
In this regard, the ECJ has already ruled, in particular in Breyer (19 October 2016, Case C‑582/14) and IAB Europe (7 March 2024, Case C‑604/22; commentary by SKW Schwarz here), that a means of identifying a natural person is not “reasonably likely to be used” if, in light of general experience, the risk of identification appears to be de facto negligible. This may be the case, for example, if the means of identifying the person is prohibited by law or because it would require a disproportionate amount of time, cost, or personnel.
In line with its prior case law, the ECJ confirms that the mere existence of additional information enabling identification does not, by itself, mean that pseudonymized data must be regarded as personal data for the purposes of Regulation (EU) 2018/1725 (or the GDPR) in every case and for every person.
Finally, the ECJ reiterated that a controller with the means to identify a data subject cannot escape its obligations by arguing that the additional information is held by a third party, as such a division of knowledge does not negate identifiability from the controller’s perspective; the data subject remains identifiable to the controller even if the controller does not itself hold the additional information.
3. Information Obligations – In Particular from the Perspective of the Controller
Lastly, the ECJ emphasized that the obligation to provide information under Article 15 of Regulation (EU) 2018/1725 and Articles 13 and 14 GDPR rests with the controller. Accordingly, the SRB should have disclosed Deloitte as a potential recipient of the personal data, because, from the controller's perspective, the data remain personal in nature and are therefore subject to the information obligation – irrespective of whether they were personal in nature from Deloitte's perspective.
A third party that cannot establish any link to an individual cannot fulfill data protection information duties or facilitate data subject rights in relation to those data. By contrast, the controller can – and must – provide the required information (immediately, i.e., at the time of collection) and ensure the exercise of data subject rights.
Since the obligation to provide information applies only if the data remains personal for the controller, the controller is not required to disclose information about recipients if the data is fully anonymized from the outset (for example, when incorporated into statistical analyses).
Practical Relevance
With its judgment in EDPS v. SRB, the ECJ strengthens the position of controllers and third parties in the anonymization of personal data, while also clarifying the obligation to inform data subjects.
Although the assessment depends on the individual case, the ECJ has provided guidelines that also apply to European Data Protection Authorities. Through appropriate technical and/or organizational measures, a data record that is “personal” in nature for one party may be “anonymous” for another party. This can encourage companies to make greater use of pseudonymisation and anonymization to develop new business models and better data analysis. It can also help ensure compliance with the EU Data Act by preventing the provision of personal data to third parties (for example, if there is no legal basis under data protection law).
Even though the ECJ referred the final decision back to the General Court, it confirmed that data sets can be regarded as de facto anonymized data if the recipient has no means of (re-)identification or if there is no sufficient likelihood that the data could be linked with additional information to identify individuals, for example, if the recipient has no legal access to the additional information (cf. Schweinoch/Peintinger, CR 2023, 532 (538 et seq.)).
It is important to note that the ECJ requires a case-by-case assessment. In the case of complex or large data sets, it must be carefully examined whether identification of individuals from the data set itself is possible. In such cases, additional measures (e.g., aggregation of data) must be applied to make identification of the data subjects significantly more difficult or effectively impossible.
From the perspective of the controllers, the obligation to provide information to data subjects can be particularly challenging when the transfer to third parties is not yet concretely planned at the time of data collection. Recipients of pseudonymized data sets must be documented to enable responses to potential information requests.