Contact Us

EU Court Clarifies Definition of Personal Data in Pseudonymisation Case

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 09/05/2025
In News

The Court of Justice of the European Union (CJEU) has clarified the definition of personal data in a ruling concerning the transfer of pseudonymised information to third parties. The decision, delivered on September 4, 2025, in case C-413/23 P (EDPS v SRB), sets aside a previous judgment of the General Court and refines the legal boundaries of data protection under Regulation (EU) 2018/1725.

 

The case stems from the 2017 resolution of Banco Popular Español, when the Single Resolution Board (SRB) engaged Deloitte to assess compensation claims from former shareholders and creditors. In doing so, the SRB transferred pseudonymised comments from affected parties to Deloitte. Complaints later reached the European Data Protection Supervisor (EDPS), which ruled that Deloitte had received personal data without proper notification to those individuals. The General Court annulled that decision in 2023, prompting the EDPS to appeal.

 

In its ruling, the Court of Justice emphasized that personal opinions or views expressed by individuals are inherently linked to their identity, even when pseudonymised. It held that the General Court erred in requiring an additional assessment of content, purpose, or effects to determine whether such data related to identifiable persons. At the same time, the Court acknowledged that pseudonymised data is not always personal data, depending on whether the recipient can reasonably re-identify individuals.

 

Crucially, the Court also ruled that the SRB’s duty to inform data subjects applied at the time of collection and from the controller’s perspective, regardless of how the data might later appear to third parties. This interpretation reinforces the responsibility of data controllers to ensure transparency before any transfer of information.

 

The case has been referred back to the General Court for further proceedings, but the ruling is expected to shape future debates on pseudonymisation, accountability, and the scope of personal data protection in the European Union.

 

Need Help?

 

If you’re wondering how these measures, or any other AI regulations and laws worldwide could impact you and your business, don’t hesitate to reach out to BABL AI. Their Audit Experts can address your concerns and questions while offering valuable insights

 

What’s New?

Stay up to date with the latest updates.

EU Court Clarifies Definition of Personal Data in Pseudonymisation Case

EU Court Clarifies Definition of Personal Data in Pseudonymisation Case

09.05.2025
Uruguay Becomes First Latin American Nation to Sign Global AI Treaty

Uruguay Becomes First Latin American Nation to Sign Global AI Treaty

09.05.2025
South Korea Establishes National AI Strategy Committee to Drive Innovation and Global Leadership

South Korea Establishes National AI Strategy Committee to Drive Innovation and Global Leadership

09.05.2025

Subscribe to our Newsletter

Keep up with the latest on BABL AI, AI Auditing and
AI Governance News by subscribing to our news letter
By subscribing, you agree with our privacy policy and our terms of service.