Privacy & Information Security Law Blog

On September 4, 2025, the Court of Justice of the European Union (“CJEU”) issued a significant decision in the case EDPS v SRB C-413/23 P. The ruling overturned a previous 2023 decision by the General Court of the European Union (“General Court”) regarding how pseudonymized data should be treated under European Union (“EU”) data protection rules.

In the instant case, the European Data Protection Supervisor (“EDPS”) challenged a 2023 decision by the General Court. The 2023 General Court decision invalidated a 2020 finding by the EDPS against the Single Resolution Board (“SRB”), the bank resolution authority for a subset of banks in the eurozone. In the 2020 case, the SRB had shared stakeholders’ pseudonymized feedback from a Spanish bank resolution process with an outside consultant without notifying the stakeholders, who subsequently complained that their personal data had been shared without their being informed. In 2020, the EDPS found such failure to provide notice to be a violation of the EU General Data Protection Regulation (“GDPR”). In 2023, however, the General Court overturned the 2020 EDPS decision.

In the instant case, the CJEU sided with the EDPS’s finding that the SRB’s failure to notify the stakeholders that their personal data would be shared with an outside consultant violated the GDPR. The CJEU held that the General Court had erred in annulling the EDPS’s original ruling, largely on the basis that it had failed to determine if the pseudonymized feedback had, in fact, contained personal data.

Key insights from the CJEU decision include:

• Pseudonymized data does not always constitute personal data: The CJEU clarified that even when personal data is pseudonymized, it does not always constitute personal data for every party involved. If a third party, such as an external consultant in the case of SRB, receives the data but lacks any reasonable means to re-identify individuals, for that recipient, the information may not be considered personal data. The CJEU specifically noted that this assessment hinges on whether the recipient can realistically identify the individual to whom the pseudonymized data relates.
• Individual analysis required: The determination of whether pseudonymized data is personal data must be made based on the circumstances of each case. The key factor is whether the recipient of the pseudonymized data realistically can link the information back to an identifiable individual.
• Transparency obligations remain for data controllers: Even if a recipient third party cannot realistically identify the individuals associated with pseudonymized data, the data controller is still required to inform individuals about potential sharing of pseudonymized data with third parties. This means organizations must be diligent about transparency and notification, regardless of how the data appears after transfer.
• Personal opinions are personal data: The CJEU also held that individual opinions or comments (where they reflect the personal views of the author) are tightly linked to that person and should be treated as personal data. There is no need for additional analysis to determine whether such statements “relate” to the individual, the connection is inherent.

Read the judgment and the press release.