On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-413/23 P, European Data Protection Supervisor (EDPS) v. Single Resolution Board (SRB), clarifying when pseudonymised data may fall outside the scope of EU data protection law.
The CJEU confirmed that pseudonymisation can, in principle, result in data no longer being considered “personal data” for the recipient, provided that the recipient has no means reasonably likely to be used for re-identification. However, the court set the bar very high: the decisive test remains whether the data subject is identifiable by means reasonably likely to be used. It recalled that identifiability is excluded where the risk is “insignificant,” such as when prohibited by law or practically impossible due to disproportionate effort. This preserves the relative approach to identifiability established in earlier case law while offering a cautious clarification on pseudonymisation rather than a doctrinal shift on the definition of personal data.
How GDPR case law has approached personal data until now
The CJEU has traditionally taken an expansive view of personal data. Under both the Data Protection Directive 95/46/EC and the GDPR, any information relating to an individual has fallen within scope, with identifiability extending to both direct and indirect means.
This began with Breyer (C-582/14), where dynamic IP addresses were held to be personal data because the website operator could, in some circumstances, lawfully request additional information enabling identification. Even if this possibility arose only in narrow contexts (such as a cybersecurity incident), it was sufficient to bring dynamic IP addresses within scope. In Nowak (C-434/16), exam scripts, including examiner comments, were found to “relate to” the candidate and thus to qualify as personal data. Scania (C-319/22) held that vehicle identification numbers constitute personal data only where the party processing them has lawful and reasonably likely access to complementary information linking them to individuals. Most recently, IAB Europe (C-604/22) confirmed that online identifiers such as consent strings were personal data where the actor processing them had means reasonably likely to be used for re-identification.
Across these decisions, the court has consistently held that personal data is relative.
Relationship between Regulation (EU) 2018/1725 and the GDPR
The SRB case arose under Regulation (EU) 2018/1725, which governs the processing of personal data by EU institutions and bodies. The GDPR applies to other public and private actors. Despite this difference, both frameworks share substantively identical definitions of “personal data” and “pseudonymisation.”
The court expressly confirmed that these definitions must be interpreted homogeneously across EU data protection law, drawing on its existing GDPR and Directive 95/46/EC case law. In other words, the clarification delivered in this judgment is also relevant to GDPR.
A narrow margin for excluding pseudonymised data
The case concerned the SRB’s transfer of pseudonymised comments from affected shareholders and creditors to Deloitte for audit purposes. The EDPS had argued that such data remained personal data because someone, even if not the recipient, could in theory re-identify the individuals.
The court rejected this absolutist reading. It confirmed that pseudonymisation may, depending on the circumstances, effectively prevent third parties from identifying the individual so that they are no longer identifiable from their perspective. It was clear to the court that SRB (the sender) was still processing personal data. For Deloitte (the recipient), however, the court accepted that if appropriate technical and organisational measures made re-identification impossible by any means reasonably likely to be used, the data would not qualify as personal data in its hands.
The court clarified (somewhat) what “reasonably likely” means in practice. A means is not reasonably likely where the risk of identification is in reality insignificant, for example, if re-identification would be unlawful (because prohibited by law) or practically impossible (because it would require a disproportionate effort in terms of time, cost, and manpower).
Practical consequences for businesses
Pseudonymised data remain personal data so long as the actor who is processing the data retain the means of re-identification (e.g. holding the encryption key of encrypted data or is able to retrieve said key by law or contract). For data recipients, the GDPR may cease to apply only in rare cases where robust safeguards ensure that re-identification is not reasonably likely.
In my view, it is unlikely that a processor who receives pseudonymised data from its controller can in any situation successfully argue that the data does not constitute personal data on this basis. The reason being that this would effectively circumvent the safeguards stipulated in Article 28 GDPR, and due to the fact that the processor is viewed as an extended arm of the controller. Furthermore, based on the careful language used by the court, it is unlikely that it would be sufficient in a controller-to-controller scenario for the recipient to avoid processing pseudonymised personal data solely on the ground that they are contractually prohibited from receiving the encryption key or similar means from the sender to re-identify the data. Whether this measure would be sufficient to satisfy the court’s requirement is unclear as the CJEU did not determine in its ruling whether Deloitte in the specific case was actually processing personal data. However, based on existing guidance it would be surprising if it were that easy to avoid the application of GDPR.
What can be said with a higher degree of certainty however is that the CJEU’s ruling maintains the wide definition of personal data established from previous case law rather than signalling a major shift. It affirms the relative, “reasonably likely means” test for identifiability but offers limited room for pseudonymisation to exclude data entirely from EU data protection law. For most scenarios, businesses should operate on the assumption that pseudonymised data is personal data.
Future guidance from courts, national data protection authorities, and perhaps the EDPB may clarify how the “reasonably likely” standard will be applied in practice. In my view, this ruling provides limited legal certainty in that respect.