On September 4, 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in European Data Protection Supervisor (“EDPS”) v. Single Resolution Board (“SRB”) (C-413/23 P).
The decision clarifies two questions: (i) when information “relates to an identified or identifiable natural person” for the purposes of Regulation (EU) 2018/1725 (the EU institutions’ counterpart to the General Data Protection Regulation, “GDPR”), and (ii) how pseudonymisation affects that assessment. Because Regulation 2018/1725 and the GDPR share identical definitions of “personal data” and “pseudonymisation,” the ruling carries direct interpretative weight for private-sector GDPR compliance.
The Court both broadened and refined the personal-data test, rejecting a categorical view that pseudonymised data always remain personal while emphasizing contextual, risk-based analysis.
Factual and Procedural Background
Following the 2017 resolution of an issue with Banco Popular Español SA, the SRB invited affected shareholders and creditors to submit comments in a two-phase “right to be heard” process. Phase 1 required participants to register and upload verifying identity documents; Phase 2 collected substantive comments on the SRB’s preliminary decision and Deloitte’s valuation (“Valuation 3”) via an online form. Each comment received a randomly generated 33-character alphanumeric code. The SRB removed direct identifiers before transmitting 1,104 filtered comments plus the codes to Deloitte for evaluation. Deloitte never received the registration database linking codes to identities.
Several participants complained to the EDPS that they were not informed Deloitte would receive their data. The EDPS issued a reprimand, reasoning that (i) the comments, together with the alphanumeric codes, constituted “pseudonymised personal data,” and (ii) Deloitte was a “recipient” not disclosed under Article 15(1)(d) of Regulation 2018/1725. The SRB sought judicial review. The General Court annulled the EDPS’s decision, holding that the EDPS had not shown the comments related to “identifiable” persons from Deloitte’s perspective. The EDPS appealed.
Holdings of the CJEU
The First Chamber set aside the General Court’s judgment and referred the case back, after resolving two core legal issues:
a. Information “Relates to” a Natural Person
The Court confirmed that opinions, assessments, or statements inherently relate to their authors. Because the Phase 2 comments expressed the personal views of specific shareholders/creditors on compensation, the EDPS was entitled to treat them as information “relating to” natural persons without separately analyzing purpose or effect.
b. Identifiability and Pseudonymisation
Controller-Centric Test for Article 15 Transparency
For obligations triggered at the moment of collection (notably, Article 15 information duties), identifiability is assessed from the viewpoint of the controller collecting the data, not each eventual recipient. The SRB held the registration database and could re-identify commenters; therefore, the SRB processed personal data and had to name Deloitte as a potential recipient.
Contextual Nature of Pseudonymisation
The Court rejected an absolutist stance that pseudonymised data invariably remain personal for all parties. Instead, pseudonymisation may—in specific circumstances—render the data non-personal for a party that lacks “means reasonably likely” to re-identify individuals, provided robust technical and organizational barriers exist. However, that possibility does not dilute the controller’s own obligations if the controller itself can undo the pseudonymisation.
Risk-Based “Reasonably Likely Means” Standard
Echoing Recital 16 of the GDPR, identifiability turns on objective factors: cost, time, technology, and legal/contractual access to additional information. Even if identifiers reside with a third party, a data subject remains “identifiable” if the controller (or another party reasonably likely to receive the data) can lawfully and practically obtain those identifiers—as occurred where Deloitte worked under SRB mandate and contractual arrangements might allow information exchange.
Implications for GDPR Pseudonymisation
Although the judgment arises under Regulation 2018/1725, recital 5 thereof mandates homogeneous interpretation with the GDPR. As such, the takeaways under the Regulation mirror those which apply to the GDPR.
Pseudonymisation Is Not Anonymization
The Court affirms that pseudonymisation reduces but does not necessarily eliminate identifiability. Organisations may treat pseudonymised datasets as non-personal only when no actor in the processing chain has reasonably likely means to attribute the data to individuals. Controllers must resist sweeping assumptions that hashing, tokenisation, or code substitution automatically lifts datasets outside GDPR.
Controller Obligations Are Unaffected by Downstream De-identification
Under Articles 13–14 GDPR (mirroring Article 15 Regulation 2018/1725), the controller must disclose all intended recipients of personal data at collection, even if the dataset will later be pseudonymised before disclosure. This duty exists because the transparency objective is to empower data subjects’ choice before processing.
Recipient-Focused Analysis Governs Secondary Processing
A recipient that receives genuinely pseudonymised data—lacking any reasonably obtainable key—may process outside the GDPR’s personal-data regime. The Court implicitly leaves open that national supervisory authorities assessing the recipient’s processing must examine technical and contractual measures, including evidence of data segregation, encryption key custody, and legal limitations on data sharing.
Risk-Based, Dynamic Assessment
Identifiability is not static. New technology, database consolidation, or changes in legal entitlements can convert non-personal data back into personal data. Organizations must, therefore, periodically review whether their pseudonymisation measures continue to suffice.
Impact on Data Transfer Strategies
The ruling affects Articles 26 and 28 GDPR (processor/controller) allocations. Where a controller transmits pseudonymised data and retains the “key,” the recipient may be a separate controller or processor depending on contractual control. However, if the recipient can request the key or otherwise re-identify data subjects, joint controllership may arise, expanding accountability obligations.
Conclusion
EDPS v. SRB further refines EU data-protection doctrine on pseudonymisation. The judgment underscores that (i) personal opinions automatically “relate” to their authors, (ii) for transparency duties, identifiability is judged from the collector’s viewpoint, and (iii) pseudonymisation’s legal effect depends on practical, technical, and legal obstacles to re-identification. For GDPR compliance, the ruling cautions against overreliance on pseudonymisation as a silver bullet and reaffirms that controllers bear front-loaded obligations to inform data subjects about downstream disclosures, even where data will later be masked. Organizations should integrate dynamic, risk-based analysis into data-sharing architectures, ensuring pseudonymisation remains robust and that transparency remains comprehensive.