CJEU Delivers Landmark Ruling: Pseudonymized Data’s Status Under GDPR Hinges on Identifiability, Not Absolute Anonymity

In a pivotal decision that could reshape how organizations handle data privacy in the European Union, the Court of Justice of the European Union (CJEU) has provided much-needed clarity on whether pseudonymized information qualifies as “personal data” under the General Data Protection Regulation (GDPR). The ruling, issued last week, on the 5th, in case C-413/23 P, overturns a prior judgment by the General Court and emphasizes that pseudonymization does not automatically strip data of its personal character. Instead, the key determinant is whether the data subject remains identifiable through reasonable means, viewed from the controller’s perspective.

This decision arises from a complex saga involving the 2017 resolution of Spain’s Banco Popular Español S.A., one of the most dramatic bank failures in recent European history. As the financial institution teetered on the brink of collapse, the Single Resolution Board (SRB)—the EU’s banking resolution authority—stepped in to orchestrate its sale to Banco Santander for a nominal €1. To determine fair compensation for shareholders and creditors, the SRB commissioned Deloitte to conduct a valuation report known as “Valuation 3.”

Central to the process was a “right to be heard” procedure, allowing affected parties to submit comments on the preliminary valuation. Over 1,100 comments were received, but to protect privacy, the SRB pseudonymized them by assigning alphanumeric codes. These coded submissions were then shared with Deloitte, which lacked access to the underlying identification details. The SRB, however, retained the “key” to link codes back to individuals, ensuring it could maintain oversight.

The European Data Protection Supervisor (EDPS) challenged this setup, arguing that the pseudonymized comments constituted personal data under Article 3(1) of Regulation (EU) 2018/1725—the GDPR’s counterpart for EU institutions—and that the SRB violated transparency obligations by failing to inform commenters that Deloitte would receive their inputs. The General Court initially sided against the EDPS in 2023, but the CJEU’s latest ruling flips the script, setting aside that decision and sending the case back for further review.

Core Clarification on Pseudonymization vs. Personal Data

At the heart of the judgment is the CJEU’s interpretation of “personal data,” defined broadly as “any information relating to an identified or identifiable natural person.” The Court reiterated that this encompasses not just objective facts but also subjective elements like opinions and assessments, as long as they “relate to” the individual (paragraph 54). In this context, the comments—expressing views on the valuation—were inherently tied to their authors, satisfying the “relates to” criterion without needing a deep dive into content, purpose, or effect.

But the real novelty lies in the treatment of pseudonymization. Under Article 3(6) of the regulation, pseudonymization involves processing data so it can’t be attributed to a specific person without additional information, which must be kept separately and secured. Recital 26 of the GDPR (mirrored in the regulation) praises pseudonymization as a risk-reduction tool that aids compliance, but it’s not a silver bullet for anonymity.

The CJEU rejected a blanket rule that all pseudonymized data remains personal data for everyone involved. Instead, it stressed a nuanced, case-by-case assessment of identifiability: Can the natural person be identified “directly or indirectly” using “all means reasonably likely to be used,” including by the controller or third parties? Factors like technological feasibility, time, cost, and available resources weigh in (paragraphs 78-82).

Crucially, for recipients like Deloitte—who had no access to the linking codes—the data was not identifiable, and thus not personal data from their viewpoint. However, from the SRB’s standpoint as controller, the data retained its personal nature because the board could re-identify authors. This perspective is vital for transparency duties under Article 15(1)(d), which requires informing data subjects about recipients of their data. The Court held that identifiability should be evaluated at the collection stage from the controller’s lens, empowering individuals to make informed choices about sharing their information (paragraphs 111-112).

In a direct rebuke to the EDPS’s broader stance, the CJEU noted that “effective pseudonymisation measures may prevent the data subject from being identified” (paragraph 86), particularly when additional information is rigorously isolated. This aligns with GDPR Recital 26, which states that pseudonymized data “should be considered to be information on an identifiable natural person” only if re-identification is possible.

Implications for GDPR Compliance

This ruling is a game-changer for data controllers grappling with pseudonymization in an era of big data and AI-driven analytics. Organizations often rely on techniques like tokenization or hashing to “de-identify” datasets for sharing with processors or partners, assuming it exempts them from full GDPR scrutiny. The CJEU’s decision underscores that such assumptions are risky: If the controller holds the re-identification key, the data remains personal, triggering obligations like data subject rights, consent requirements, and breach notifications.
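The distinction the Court draws can be made concrete in code. The following is an added illustration, not code from the judgment or from any party to the case: a controller assigns random codes to submissions and keeps the code-to-author table separately, a recipient gets only the coded records, and a pre-sharing check confirms no direct identifier survives in the payload. The names and comments are constructed sample data; the class and function names are the example's own.

```python
"""Pseudonymization with a separately held key, modelled on the SRB/Deloitte setup.

Constructed example: the authors, comments and codes below are sample data,
not the real right-to-be-heard submissions.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    author: str  # direct identifier of the commenter (constructed sample data)
    text: str


class Controller:
    """The party that assigns codes and keeps the code-to-author table.

    The table is the 'additional information' of Art. 3(6) / Art. 4(5): holding
    it is what keeps the coded records personal data from this party's viewpoint.
    """

    def __init__(self) -> None:
        self._code_to_author: dict[str, str] = {}
        self._author_to_code: dict[str, str] = {}

    def pseudonymize(self, comments: list[Comment]) -> list[dict]:
        """Return records carrying only a random code and the comment text."""
        records = []
        for c in comments:
            code = self._author_to_code.get(c.author)
            if code is None:
                # Random rather than derived from the author, so the code on
                # its own carries no information about who wrote the comment.
                code = secrets.token_hex(4).upper()
                self._author_to_code[c.author] = code
                self._code_to_author[code] = c.author
            records.append({"code": code, "text": c.text})
        return records

    def reidentify(self, code: str) -> str:
        """Controller-side lookup: possible only because the table is held here."""
        return self._code_to_author[code]


class Recipient:
    """A party that receives the coded records but never the table."""

    def __init__(self, records: list[dict]) -> None:
        self.records = records

    def reidentify(self, code: str) -> str:
        # No table to consult: from this party's viewpoint the code is opaque.
        raise LookupError(f"no additional information available for code {code}")


def leaks_identifier(records: list[dict], identifiers: list[str]) -> bool:
    """Pre-sharing check: does any direct identifier survive in the payload?"""
    blob = " ".join(f"{r['code']} {r['text']}" for r in records)
    return any(ident in blob for ident in identifiers)


# Constructed sample submissions standing in for right-to-be-heard comments.
SAMPLE_COMMENTS = [
    Comment("Shareholder A", "The valuation understates the loan book."),
    Comment("Bondholder B", "Liquidation costs look overstated."),
    Comment("Shareholder A", "Please reconsider the deposit outflow assumptions."),
]


def run_demo() -> dict:
    """Walk through the flow and report what each party can do."""
    controller = Controller()
    shared = controller.pseudonymize(SAMPLE_COMMENTS)
    recipient = Recipient(shared)
    try:
        recipient.reidentify(shared[0]["code"])
        recipient_can_reidentify = True
    except LookupError:
        recipient_can_reidentify = False
    return {
        "records_shared": len(shared),
        "payload_leaks_identifier": leaks_identifier(
            shared, [c.author for c in SAMPLE_COMMENTS]),
        "controller_can_reidentify": controller.reidentify(shared[0]["code"])
        == SAMPLE_COMMENTS[0].author,
        "recipient_can_reidentify": recipient_can_reidentify,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The check in `leaks_identifier` only looks for the direct identifiers the controller already knows; it says nothing about whether the free text of a comment could itself point to its author, which is the kind of "reasonably likely" identification the Court asks controllers to assess case by case.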

For EU institutions and financial regulators like the SRB, the judgment reinforces accountability in high-stakes processes. It also highlights the importance of robust technical and organizational measures (TOMs) to truly anonymize data—going beyond mere pseudonymization to achieve irreversible de-identification.

Broader GDPR implications ripple across sectors. In healthcare, pseudonymized patient records shared for research could still demand DPIA assessments if re-identification is feasible. Marketing firms using customer pseudonyms for analytics must reassess third-party disclosures. And in the age of machine learning, where models trained on pseudonymized data might inadvertently enable inference attacks, controllers face heightened responsibility to evaluate “reasonably likely” identification risks.

Experts anticipate this could spur updated guidance from the European Data Protection Board (EDPB), clarifying pseudonymization’s role in data minimization and its status as a processing technique under Article 4(5) GDPR. It may also influence national implementations, encouraging more consistent enforcement.

A Step Toward Balanced Data Protection

The CJEU’s nuanced approach strikes a balance: It protects individuals by upholding the controller’s responsibility while acknowledging pseudonymization’s value in enabling secure data flows. As the case returns to the General Court for scrutiny of remaining pleas, the EU’s data protection landscape gains a clearer contour—one where pseudonymization is a shield, not a loophole.

This decision reminds us that in the GDPR’s expansive framework, anonymity is earned through deliberate effort, not assumed by relabeling. For businesses and institutions, we continue to emphasize that you need to know your key risks, assess them, and always prioritize transparency. As pseudonymized data becomes ubiquitous, this ruling ensures that privacy doesn’t get lost in the code.

For help with GDPR compliance we highly recommend you look into our automation software for privacy compliance and book a demo below with one of our privacy experts.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.