European Court of Justice ruling redefines the boundaries of personal data in pseudonymised form, with implications for data controllers and recipients like Deloitte.

Written By: Anssi Laakkonen Data Protection Specialist at Privaon

In a landmark judgment delivered on 4 September 2025, the Court of Justice of the European Union (CJEU) clarified the legal status of pseudonymised data under EU data protection law. The case revolved around the Single Resolution Board’s (SRB) transmission of pseudonymised comments from affected shareholders and creditors to Deloitte, in the context of the resolution of Banco Popular Español. The European Data Protection Supervisor (EDPS) had previously reprimanded the SRB for failing to disclose Deloitte as a recipient of personal data. The CJEU’s decision provides critical guidance on whether such pseudonymised data should be considered personal data, particularly from the recipient’s perspective.

At the heart of the dispute was whether the comments submitted by shareholders and creditors – each tagged with a unique alphanumeric code – constituted personal data when transferred to Deloitte. The SRB argued that Deloitte could not identify the individuals behind the comments, and therefore the data was not personal from Deloitte’s point of view. The EDPS, maintained that the data remained personal because the SRB retained the ability to re-identify the individuals using the codes.

First of all, the CJEU stated that the transferred data constitutes personal data for SRB, reaffirming that subjective information, such as personal opinions or assessments, inherently relates to the individual expressing them. For the purposes of the SRB’s obligation to inform data subjects of the data transfer, the assessment must be made from the controller’s (SRB’s) perspective at the time of data collection, and regardless of whether the recipient can identify the authors of the comments.

Importantly however, the Court clarified that pseudonymised data does not automatically constitute personal data to the recipient. The key factor is whether the recipient has “means reasonably likely” to identify the data subject. If such means are unavailable or impractical, the data may not be considered personal from the recipient’s perspective. The CJEU noted, that the clarifications relating to assessing data subject identifiability given for pseudonymisation in the recitals of regulation (EU) 2018/1725 (and the General Data Protection Regulation) would be rendered meaningless, if pseudonymised data was considered to be personal data in all instances. This interpretation is noteworthy, as the established interpretation was that pseudonymised data constitutes personal data if at least some party has the means to identify the individual from the data.

The CJEU’s decision reinforces the importance of a nuanced understanding of pseudonymisation and personal data. For Deloitte and similar entities, the ruling underscores the need for clear contractual and technical boundaries when processing data received from controllers. For data controllers like the SRB, it highlights the critical importance of transparency and full disclosure in data protection statements. Ultimately, the decision strengthens the EU’s commitment to robust data protection, even in complex, multi-actor scenarios.

Key Takeaways for Organisations

1. Obligation to inform applies at collection: Controllers must disclose all potential recipients of personal data at the time of collection, regardless of whether those recipients can identify the data subjects.
2. Recipient perspective matters for identifiability: Whether data is personal for a recipient depends on their ability to re-identify individuals using available means, including cross-referencing with other data.
3. Audit trails and transparency are crucial: The use of unique identifiers for audit purposes must be carefully managed to avoid unintended re-identification risks.

You can read the full decision here.

We support companies worldwide, including those outside of the EU, in safeguarding their data and ensuring compliance. Get in touch today and discover how Privaon takes the guesswork out of EU data compliance and evolving data demands.