by Annika Gierich / Johannes Zhou//
On September 4, 2025, the European Court of Justice (CJEU) issued an important decision (Case C-413/23 P) concerning the concept of “personal data”. The decision provides further clarity on how to distinguish between personal, pseudonymized, and anonymous data.
Background to the case
The background is a legal dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB), an EU authority responsible for bank resolution. In the resolution proceedings of a Spanish bank, the SRB had requested affected shareholders and creditors to participate in hearings and submit comments. The SRB then pseudonymized relevant comments by assigning a unique alphanumeric code to each individual comment and forwarded them to an audit firm (Deloitte). Because those affected were not informed of the data transfer to Deloitte, several shareholders subsequently filed complaints with the EDPS.
The EDPS considered the transfer to be a violation of data protection requirements, as the shareholders had not been informed about the disclosure, which involved personal data. The General Court, however, held that from the recipient’s (Deloitte) point of view, the data was not personal. The EDPS then appealed this decision to the CJEU.
Key statements of the CJEU
In its decision, the CJEU reaffirms key principles for assessing whether data is personal, pseudonymized, or anonymous. While the decision concerns the Regulation (EU) 2018/1725, the CJEU stated that its conclusions also apply to the General Data Protection Regulation (GDPR), as both regulations use identical definitions.
In doing so, the CJEU emphasized that the term “personal data” must be interpreted broadly. The term “any information” (in Article 4(1) GDPR) covers both objective and subjective information, such as opinions or statements made by a person, as these are inextricably linked to the author.
The CJEU also continues to apply its case law based on a “relative approach” when determining what constitutes personal data (C-582/14, C-604/22, C-319/22). Whether data is personal therefore depends on the perspective of the respective controller. The decisive factor is whether the controller has the means reasonably likely to identify the data subject. Data may therefore be personal for one controller and anonymous for another.
As a further aspect, the CJEU clarifies that pseudonymized personal data does not always continue to be considered personal data within the meaning of data protection law. Pseudonymization may, under certain circumstances, prevent third parties, other than the original controller, from identifying the data subject. In this case, the data is anonymized for third parties, and the GDPR does not apply to those. The assessment therefore depends on whether a given party has means reasonably likely to enable the data subject to be identified.
The CJEU also found that the information obligation under Article 15(1)(d) of Regulation (EU) 2018/1725 had not been fully met. The court clarified that data subjects must be informed of the recipients of their data at the time of collection. This obligation applies between the controller and the data subject and must be assessed from the controller’s perspective, regardless of whether third-party recipients can identify the individuals.
Consequences for practice
In practice, the CJEU decision provides additional legal certainty with several key implications, clarifying the boundaries of pseudonymized data under the GDPR and guiding both data controllers and recipients in determining their respective obligations:
-
No anonymity for the original controller: Pseudonymized data remains personal data for the original controller. Therefore, the validity of the legal basis for any processing and data transfer should be carefully assessed on a case-by-case basis.
-
Non-applicability of the GDPR for recipient: When receiving pseudonymized data, the third-party recipient is not subject to the obligations under the GDPR if there is no possibility of re-identification.
-
Information obligations of controllers: Controllers must inform data subjects about all recipients at the time of data collection pursuant to Articles 13(1)(e) and 14(1)(e) GDPR. This obligation also applies to controllers if recipients cannot identify the individuals.
Conclusion
The CJEU’s reaffirms its case law regarding the concept of “personal data” and offers important practical guidance. Anonymous data does not require re-identification to be absolutely impossible. Rather, it depends on whether a party has means reasonably likely to enable the data subject to be identified. In addition, the decision strengthens the transparency obligation in favor of data subjects.
Annika Gierich is a legal trainee at the Regional Court of Darmstadt.
Dr. Johannes Zhou is an attorney at the law firm FPS in Frankfurt. He advises on IT and data protection law as well as cyber security law.