CJEU on EDPS v SRB: Are pseudonymised data personal data?

The Court of Justice of the European Union (CJEU) has decided case C-413/23 P between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB). The judgment concerns the transfer of pseudonymised data to a third party and how the concept of personal data should be understood. It also addresses the information obligation under Regulation 2018/1725 for EU institutions, while offering guidance relevant to the General Data Protection Regulation (GDPR). In this context, the EU institutions’ data protection regulation plays a central role in framing duties of transparency and accountability.

EDPS, SRB and Deloitte: what was the case about?

Following the resolution of Banco Popular Español on 7 June 2017, the SRB took a preliminary decision on compensation for former shareholders and creditors. As the decision was provisional and the SRB had not collected these parties’ views, it sought comments and transmitted some of them, in pseudonymised form, to Deloitte. Deloitte was a contractor engaged to assess the effects of the resolution.

Several affected individuals complained to the EDPS because the SRB had not informed them that data would be shared with Deloitte. The EDPS found that Deloitte was a recipient of the complainants’ personal data and that the SRB had breached the information obligation under Regulation 2018/1725. The General Court annulled parts of the EDPS decision, but the CJEU set that judgment aside and referred the case back.

Which GDPR rules did the court examine?

The judgment clarifies the interpretation of Regulation 2018/1725 governing the processing of personal data by EU institutions. The Court held that personal views and positions, as expressions of a person’s thinking, are closely linked to that individual and may therefore “relate to” that person. The General Court erred by requiring an assessment of content, purpose or effects to reach that conclusion.

At the same time, the Court confirmed that pseudonymised data are not always personal data for every recipient; identifiability must be assessed in context. For the information obligation, the assessment is made at the time of collection and from the controller’s perspective, not the recipient’s. The SRB’s duty arose before the transfer, regardless of Deloitte’s ability to identify the data. This aligns with the framework for EU institutions’ data protection regulation under Regulation 2018/1725.

Why does the judgment matter for your organisation?

The judgment clarifies when data “relate to” an individual and how pseudonymisation affects responsibilities. It also specifies the point in time and the perspective from which the information obligation between the data subject and the controller must be fulfilled. This has implications for governance, processes and communications.

• Personal opinions can constitute data relating to an identifiable person.
• Pseudonymisation does not remove controller responsibility; the assessment is context-dependent.
• The information obligation is assessed at collection and from the controller’s perspective.
• The recipient’s ability to identify is not decisive for the duty to inform.
• The judgment sets aside the General Court’s decision and remits the case, providing continued guidance.

What should organisations take away from the judgment?

Assume that personal views may be personal data in a legal sense. Handle pseudonymised data with care, as identifiability is assessed case by case. Ensure the information obligation is correctly addressed at the point of collection and in your role as controller. Document decisions and communications ahead of any transfers to third parties. The judgment signals clear expectations on accountability and transparency, with consequences for risk, regulatory oversight and trust.