Has pseudonymised personal data lost its data protection?

What happened
In April 2023, Case T-557/20, SRB v EDPS, shook the general assumption that pseudonymised data remains personal data no matter in which party’s hands the identifying components are. Following the court’s ruling, it is now possible that if a controller retains the identifying information and shares the de-identified data with a third party, the shared information can become anonymized information for the receiving third party, while the same information is still personal data for the controller who keeps the identifying components.
The EDPS appealed this ruling in July 2023 in Case C-413/23 P, which was decided on 4 September 2025. This blog tells you whether this ruling strengthens or weakens the broad scope of personal data protection, and what it means for your organisation.
Understand the differences first
Up until Case C-413/23 P, the main idea was that pseudonymised data is still personal data and the GDPR would apply. Conversely, anonymised data is no longer personal data, and the GDPR would not apply.
What the GDPR says about pseudonymised data
Pursuant to the GDPR, pseudonymised data is data that “can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately”,[1] and “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”[2]
A simple example is a list with income ranges, where a controller replaces the names with random numbers, and where the random numbers link to the names on a separate list. If the controller keeps the separate list and only shares the list with random numbers, the shared list is pseudonymised and in theory still personal data (at least prior to Case T-557/20, SRB v EDPS and Case C-413/23 P).
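The split described above, as an added Python example that is not part of the original post: names are replaced with random numbers, the key list stays with the controller, and only the numbered list is handed over. The records, field names and function names are constructed for illustration; the code shows only the mechanical separation, not the legal identifiability assessment discussed below.

```python
import secrets

# Constructed sample data: names with income ranges (not from the original post).
RECORDS = [
    {"name": "Alice Example", "income_range": "30k-40k"},
    {"name": "Bob Example", "income_range": "50k-60k"},
    {"name": "Carol Example", "income_range": "30k-40k"},
]

def pseudonymise(records):
    """Split records into a shareable list and a separately kept key list.

    Each name is replaced by a random number drawn from the OS CSPRNG, so the
    pseudonym carries no information about the name it replaces.
    """
    shared, key_list = [], {}
    for rec in records:
        pseudonym = secrets.randbelow(10**12)
        while pseudonym in key_list:  # redraw on the (unlikely) collision
            pseudonym = secrets.randbelow(10**12)
        key_list[pseudonym] = rec["name"]
        shared.append({"id": pseudonym, "income_range": rec["income_range"]})
    return shared, key_list

def attribute(shared, key_list):
    """Attribute shared rows to names using whatever key list the party holds.

    Rows whose pseudonym is not in the key list come back with name None.
    """
    return [
        {"name": key_list.get(row["id"]), "income_range": row["income_range"]}
        for row in shared
    ]

def fields_held_by_receiver(shared):
    """Field names a receiver sees when only the shared list is handed over."""
    return sorted({field for row in shared for field in row})

if __name__ == "__main__":
    shared, key_list = pseudonymise(RECORDS)
    print("controller:", attribute(shared, key_list))  # names recovered
    print("receiver:  ", attribute(shared, {}))        # every name is None
    print("receiver fields:", fields_held_by_receiver(shared))
```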
What the WP29 says
The WP29, on the one hand, confirms the above reasoning by stating “that when a data controller does not delete the original (identifiable) data, and hands over part of this dataset (for example after removal or masking of identifiable data), the resulting dataset is still personal data.”[3] However, it adds the nuance that personal data is only pseudonymous if it is reasonably likely to identify an individual. If it is not reasonably likely, the data would be anonymised and would no longer be personal data.
What earlier case law says
In the Breyer case (C-582/14, at para.43) the court ruled that dynamic IP addresses were considered personal data, even if the identifying information was not in the hands of one person and would need to be combined to allow identification.
Turning point in recent case law?
The EDPS followed this assumption in Case T-557/20, SRB v EDPS, and argued that the Regulation does not distinguish between those who keep pseudonymous data and those who keep the additional information needed to re-identify. The data would still be pseudonymous and not anonymous. As a result, it would be personal data, and the data protection regime would apply.
Ironically, the Court rejected the EDPS’ reasoning by referring to the Breyer case, on which the EDPB bases its viewpoint. The Court agrees with the finding in the Breyer case that identifying information does not need to be in the hands of one person to constitute personal data. However, the Court points out that, according to the Breyer case, combining information from different parties must constitute “a means likely reasonably to be used to identify the data subject” (Breyer, C-582/14, at para.45). That, in turn, would not be the case if identification is prohibited by law or practically impossible because it would require a disproportionate effort in terms of time, cost or manpower (SRB v EDPS at para 93, referring to Breyer at para.46).
First viewpoint of the court of appeal
The court of appeal clarifies that pseudonymisation is not part of the personal data definition but constitutes the establishment of technical and organisational measures (Case C-413/23 P at para.72). Therefore, it would be wrong to assume that any personal data to which pseudonymisation is applied would in all cases and for every person constitute personal data. Otherwise, applying pseudonymisation to a data set would stamp that data set as always being personal data, and thus circumvent the test under the definition of personal data of whether this data set (even though pseudonymised) is information relating to an identified or identifiable natural person (Case C-413/23 P at para.80-82).
Instead – although pseudonymisation may be applied – the identifiability criterion of the personal data definition must be tested. The identifiability test may fail, and the data set would not qualify as personal data. And the fact that pseudonymisation was applied does not make it personal data by default.
The court derives its reasoning from the wording of Recital 26 GDPR. “Personal data which have undergone pseudonymisation, which could be attributed to a natural person…” means that despite pseudonymisation it needs to be established whether this information can still be attributed to a natural person. And in order to establish this, the court refers to the next sentence in the same recital: “To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used … to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology…” (Case C-413/23 P at para.78-79).
And if those available means are not likely to identify that person, the same recital concludes that “the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person”. This means that, although pseudonymisation is applied, this data set may become anonymous if the identification test fails.
Second viewpoint of the court of appeal
Another implication is the question of for which party it needs to be impossible to combine both data sets. What Case T-557/20, SRB v EDPS and Case C-413/23 P add to the Breyer case is that they take the view of the receiver into account. If it is impossible for the receiver to combine the data sets, it would be anonymised data for the receiver, and hence not personal data. If it is possible for the receiver to combine and re-identify the data sets, it would be personal data for the receiver.
This question implies an additional question: who should assess whether it is possible for a receiver to combine a data set, and at what time? Should the controller who sends the data do this assessment or the receiver of the data? The Court points out that the definition of personal data in Article 4(1) GDPR[4] does not state which party should do this assessment, whereas Recital 26 GDPR states that the “controller” or “another person” should do it (Case C-413/23 P at para. 99).
The Court states in the context of information obligations towards data subjects that “the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller.” (Case C-413/23 P at para. 111). This means that the controller who sends data to a recipient must assess whether these data constitute anonymized data from its own viewpoint (the sending controller’s viewpoint). If it does not constitute anonymised data (for the sending controller), it is personal data for the sending controller. In addition, the receiving controller would also need to make an assessment upon collection of the data. If the receiving controller concludes that it does not constitute anonymised data from its viewpoint (the receiving controller’s viewpoint), it is personal data for that receiving controller, and the receiving controller has information obligations to those data subjects. If from the viewpoint of the receiving controller the received data constitute anonymised data (non-personal data) upon collection, there is no information obligation towards data subjects.
This reasoning seems to uphold the GDPR’s broad approach to personal data protection, and it does not weaken it or make it obsolete, for the following reasons. As a first obligation, a receiver must assess whether received data is personal data from its viewpoint. If it is personal data from the viewpoint of the receiver upon collection, this receiver has the obligation to inform data subjects about that processing. Thus, data protection “flies” with the data and data subjects are able to “track” the footprint of their personal data, namely in that they must be informed by any controller from whose viewpoint the received data constitutes personal data. Should, however, the receiver conclude (and be able to demonstrate) that from its viewpoint the received data is anonymised data (non-personal data), a notification to data subjects is not required, which is in line with the GDPR. This does not mean that data protection has been removed from those anonymized data types forever. If that receiver were to obtain, at a later stage, e.g. legal means to re-identify data sets, the data would again constitute personal data, and at that point in time this receiver has the obligation to inform data subjects. Consequently, data subjects would again be updated about their personal data footprint. This reasoning is supported by the Court’s reference (Case C-413/23 P at para. 111) to the Gesamtverband Autoteile-Handel Case-319/22.
This line of reasoning has also been adopted in the new Digital Omnibus Regulation Proposal at pages 19-20, and 61, adjusting the definition of personal data in Article 4 GDPR.
Conclusions
There is no concept of “pseudonymized data” which would stamp any data as personal data by definition in everyone’s hands. Instead, pseudonymisation is a technical or organisational measure that can lead to anonymisation. The party that collects data must assess whether this data constitutes personal or anonymized data for them. Personal data protection is not made obsolete by this ruling; it remains, because each receiver of data must assess whether it is personal data for them and, in the case of personal data, must inform data subjects about that processing. If data is anonymized for a receiver, information to data subjects is – in accordance with the GDPR – not required. Such an information obligation would, however, be revived if the anonymized data set were no longer anonymized in the hands of the receiving party. Finally, the threshold for anonymisation remains high, so that recipients of data cannot simply claim anonymisation to escape the scope of the GDPR.
1. Article 4 (5) GDPR.
2. Recital 26 GDPR.
3. Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (10 April 2014), at p.9. Note: WP29 has been replaced by the EDPB. The EDPB has not officially endorsed this opinion of the WP29.
4. The court of appeal refers to articles of the GDPR that applies to EU institutions. The legal text is the same, just the article numbers differ. For the sake of simplicity this blog uses the article numbers of the general GDPR.

