IT and data

CJEU clarifies concepts of personal and pseudonymised data: implications for data sharing

Published on 1st October 2025

Transparency obligations apply to a transfer of pseudonymised data, even if it is not identifiable as personal data in the hands of the transferee

Fingerprint ID on a screen

In its judgment of 4 September 2025 (Case C‑413/23 P), the Court of Justice of the European Union (CJEU) examined the concepts of personal data and pseudonymisation in a dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB), an EU agency. Building on earlier case law, the court clarified how personal data should be understood when pseudonymised data is shared with third parties, presenting legal challenges for organisations considering how to implement the ruling in practice.

The context

In 2017, the SRB adopted a decision relating to Spain's Banco Popular Español. The SRB consulted with affected stakeholders (the bank's shareholders and creditors). As part of the process, it provided a third-party consultancy with data about opinions expressed by stakeholders relating to the valuation of the bank in pseudonymised form, having first removed information about the identify of the persons expressing the opinions.

As an EU agency, the SRB is subject to the Data Protection Regulation for EU institutions, bodies, offices and agencies (the EUDPR) rather than the EU's General Data Protection Regulation (EU GDPR). For present purposes, the relevant provisions of the EUDPR and the GDPR are the same and must – according to the CJEU – also be understood in the same way.

Five individuals complained to the EDPS, alleging that they had not been told that their data would be submitted to third parties, contrary to the SRB's privacy statement. The case eventually made its way to the CJEU.

Opinions are personal data

The court found that statements expressing a person’s opinions or viewpoints are information about that person. As expressions of an individual’s thoughts, they are inherently and closely linked to that individual and generally will be “personal data” within the meaning of the EU GDPR.

This has implications for sharing testimonials and similar content. According to the court’s case law, customer reviews, employee testimonials and survey responses will generally constitute personal data even where names are removed. Work emails or instant messages expressing opinions about individuals may also be caught, raising issues about the extent to which this information must be provided in response to a subject access request.

It also means that GDPR obligations must be observed when engaging consultancy firms to evaluate pseudonymised datasets – for example, when analysing pseudonymised employee surveys to support diversity initiatives.

Pseudonymised data as personal data

The CJEU held that pseudonymised data is not automatically personal data for everyone involved. Identifiability must be assessed from the perspective of each actor, taking into account the means reasonably likely to be used to de-anonymise. The same pseudonymised dataset may constitute personal data for the transferor (who can re‑identify it using their key) but not for the recipient (who cannot).

This reflects relative anonymisation, as opposed to absolute anonymisation, where re‑identification is factually impossible for anyone, including the transferor. Consequently, while the recipient may not be subject to the GDPR in respect of that dataset, the transferor’s GDPR obligations remain. This approach is consistent with prior CJEU case law and the European Data Protection Board's (EDPB's) draft Guidelines on Pseudonymisation.

Obligations of the transferor

The CJEU held that there remains an obligation to inform data subjects about the recipients of their personal data (for example via a privacy notice) even where, from the recipient’s perspective, no personal data is received because the dataset is effectively anonymous for that recipient.

The court reasoned that the transparency obligation is addressed to the transferor; accordingly, it is the transferor’s perspective on whether personal data is being disclosed that is decisive. The obligation to inform arises at the point of collection, when it may still be uncertain whether pseudonymisation will ultimately prevent the recipient from re‑identifying individuals: subsequent pseudonymisation cannot narrow the scope of the obligation to inform.

This reasoning raises another question: if, at the time that the privacy notice is provided, the controller is certain that it will only disclose personal data to recipients in pseudonymised form and where there is no reasonable possibility of re-identification, then why should it be under an obligation to say that personal data will be transferred?

The UK perspective

The court's view on opinions as personal data aligns with that of the UK's data regulator, the Information Commissioner's Office (ICO), which confirms that an opinion is personal data about the giver provided that it relates to them in some way (for example, revealing their identity, beliefs, or other personal characteristics).

Likewise, on the status of pseudonymised data, the ICO has always been clear that it is personal data in the hands of the controller, but may cease to be in the hands of a transferee. The key question is whether it is reasonably likely that the person to whom it is transferred could identify the data subjects, whether from the information provided to them, or from that and/or other information they may possess or obtain.

On the question of transparency about data transfers, the court's position provides more clarity than that of the ICO. The ICO’s guidance states that if the recipient does not have, and is not provided with, the means to re-identify individuals, and it is not reasonably likely that they could obtain such means, then the data may be considered effectively anonymised in the hands of the recipient. However, it does not explicitly deal with the question of whether transparency obligations apply to the pseudonymised data.

Opportunities for business

The CJEU’s judgment provides greater legal certainty for sharing and using pseudonymised datasets. Where a recipient does not have, and cannot reasonably obtain, the additional information needed to re‑identify individuals, those datasets will generally be treated as non‑personal data for that recipient. In practice, this can unlock new use cases: recipients may aggregate, evaluate and analyse such data without triggering the GDPR obligations that apply to personal data.

The decision also creates opportunities for data collectors. With clearer criteria for lawful transfers of pseudonymised data, organisations can better leverage and commercialise existing datasets by making them available to third parties in pseudonymised form. New pseudonymisation models – such as independent data trustees or secure data clean rooms – can further reduce re‑identification risk and enable legally robust data partnerships.

Points to consider when disclosing pseudonymised data

Following the CJEU’s ruling, when companies disclose pseudonymised data, they should pay particular attention to the following points:

  • Privacy policy: Controllers should anticipate subsequent disclosures of pseudonymised data at the point of collection. Specific recipients or meaningful categories of potential recipients must be identified, for example in the privacy policy, regardless of whether the data will be anonymous from the recipient’s perspective.
  • Consent: If the data collection is based on consent, the specific recipients or well-defined categories of recipients should be set out in the consent wording itself, again irrespective of whether the data would be relatively anonymous for the recipient. Failure to do so may call the validity of consent into question.
  • Data subject rights request: Although the CJEU did not rule on access rights in this context, controllers should consider whether recipients of pseudonymised data must be named in responses. Based on the court’s reasoning, it could be argued that this information must be given; again, irrespective of whether the data would be anonymous for the recipient. However, a different position might be arguable, especially for past disclosures where the transferor has documented that the data was in fact relatively anonymous for the recipient.
  • Legal basis for the data transfer: It could be inferred from the CJEU’s reasoning that a controller disclosing data that is anonymous from the recipient’s perspective must still identify, document and communicate a legal basis for the disclosure, because the processing is personal data processing from the transferor’s perspective.

The case has highlighted not only significant opportunities for businesses that are subject to the EU GDPR, but also the compliance obligations that they must meet when disclosing pseudonymised data.

Related articles
Are you ready for the Data Act?
13/08/2025 2 mins
The EU Critical Entities Resilience Directive - What is the impact on your organisation?
29/07/2025 5 mins
UK and EU GDPR for HR | Summer 2025
10/07/2025 7 mins
Data (Use and Access) Act becomes law, with first ever changes to UK GDPR
03/07/2025 9 mins
Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up