CJEU Clarifies Scope of Personal Data in EDPS v SRB Decision

Clarification of Concept of Personal Data

On September 4, 2025, the CJEU delivered a landmark judgment in the case EDPS v SRB 
(C-413/23 P), clarifying the concept of personal data under the GDPR in the context of the transfer of pseudonymized data to third parties.

Following the resolution of Banco Popular Español, the SRB adopted a preliminary decision regarding compensation for former shareholders and creditors without initially hearing them. Subsequently, the SRB gathered comments from affected parties, pseudonymized them and transferred these pseudonymized comments to Deloitte, tasked with valuing the resolution's effects. Shareholders and creditors filed complaints with the EDPS, alleging SRB had failed to inform them of such data transfers. The EDPS found Deloitte, as recipient of the pseudonymized data, to be a recipient of personal data and ruled that SRB violated its information obligations under the GDPR. The General Court annulled this EDPS decision in part. The EDPS appealed.

The Court's Reasoning 

The CJEU overturned the General Court's partial annulment and referred the case back, setting out important legal clarifications:

• Personal opinions necessarily relate to individuals: Personal opinions are inherently linked to their authors and therefore necessarily relate to individuals. As such, and without further analysis of content, purpose, or effect of such data, they constitute personal data if the related individuals can be identified.
• Pseudonymization and identifiability:Pseudonymized data is not automatically personal data for every actor who processes such data. The CJEU underscores that identifiability of the individuals to whom the information relates requires a fact-specific, contextual assessment considering all means reasonably likely to be used for the identification of the individuals, reinforcing a dynamic and relative approach of the concept of personal data rather than an absolute one.
• Timing and perspective of informing data subjects: The obligation to inform data subjects arises at the point of data collection and must be assessed from the controller's (here SRB's) perspective, independent of any subsequent data transfer or data processing by third parties such as Deloitte. Thus, the SRB's duty to inform existed before transferring pseudonymized data to Deloitte and remains unaffected by whether that data constitutes personal data from Deloitte's viewpoint as recipient of the data.
• Pseudonymization as a risk mitigation, not a blanket exemption:Pseudonymization was recognized as an important method to reduce identification risks but does not in all cases suffice to exclude data from being personal data, depending on context and recipient capabilities.

This judgment refines the understanding of personal data, pseudonymization, and anonymization under EU data protection law. Companies must carefully assess whether transferred pseudonymized data remains personal data to third parties, with significant consequences for compliance duties including transparency and data subject rights. Importantly, controllers must maintain robust information provision at the time of data collection, irrespective of subsequent data processing stages.

The judgment is a vital reference for legal and compliance teams navigating nuanced data classification challenges, underpinning strategic data governance and risk management frameworks in the EU's evolving regulatory landscape.