The concept of personal data is at the heart of data protection law, yet its boundaries are not always clear. In a recent judgment, the Court of Justice of the European Union (CJEU) in EDPS v SRB (Case C-413/23 P, EU:C:2025:645) clarified two points that often cause difficulty in practice: whether a person’s opinions count as their personal data and whether pseudonymisation can ever take information outside the scope of data protection rules.
For organisations, including SMEs, that collect feedback from individuals or share information with third-party providers, the decision is a reminder that what looks like ‘anonymous’ data may still fall under the GDPR. It also shows that whether information is personal data can depend on who is handling it and whether they have the means to identify the individuals concerned.
Background of EDPS v SRB
The case stems from the resolution of Banco Popular Español, a Spanish bank, in 2017 by the Single Resolution Board (SRB), the EU agency responsible for handling failing banks. After the resolution, the SRB engaged Deloitte to carry out what is called a ‘valuation of difference in treatment.’ This valuation was designed to assess whether Banco Popular’s shareholders and creditors would have been better off under normal insolvency proceedings and therefore entitled to compensation.
On the basis of Deloitte’s valuation, the SRB published a preliminary decision inviting affected shareholders and creditors to register, provide proof of identity and ownership, and then submit comments on the preliminary decision before a final decision on compensation was made. The SRB collected thousands of comments during this process, assigning each one a unique alphanumeric code to separate the comments from the personal details gathered at registration.
The SRB then passed comments relevant to Deloitte’s valuation to Deloitte to review, but only in pseudonymised form. Deloitte received coded comments without any way of linking them back to the individuals who had submitted them.
Several stakeholders later complained to the European Data Protection Supervisor (EDPS) that the SRB’s privacy notice had not mentioned their data would be shared with Deloitte. The EDPS agreed, finding Deloitte was indeed a recipient of personal data in this context and that the SRB should have disclosed this.
The SRB argued that Deloitte had not received personal data at all, since it could not identify any individual from the coded information. In other words, if the recipient is not receiving ‘personal data’ within the meaning of the GDPR, the sender’s obligations under the GDPR in respect of this sending (to inform individuals that it is happening) do not apply. The General Court of the European Union (General Court) sided with the SRB and annulled the EDPS’s decision. The EDPS then appealed to the CJEU, leading to this ruling.
This case revisited two important questions:
1. Are opinions the personal data of the individuals who expressed them?
2. Can pseudonymisation remove information from the scope of ‘personal data’ under the GDPR when a third-party recipient cannot re-identify the relevant individuals?
Legal background
Personal data
Under Article 4 GDPR – and for EU institutions, under Regulation (EU) 2018/1725 (also referred to as the EUDPR) – personal data is defined as any information relating to an identified or identifiable natural person. This definition is interpreted broadly: a natural person is ‘identifiable’ if they can be identified directly or indirectly, for example by reference to a name, number or online identifier.
Although the SRB, as an EU institution, is subject to the EUDPR rather than the GDPR, the two regimes contain the same definition of personal data (and many other aligned provisions). Where the wording is identical, the rules are interpreted in the same way by the courts.
Pseudonymisation
Article 4 GDPR defines pseudonymisation as the processing of personal data in such a way that the information can no longer be attributed to a specific person without the use of additional information, provided that the additional information is kept separately and protected. Crucially, Recital 26 GDPR makes clear that pseudonymised data is still personal data: it only reduces the risks for individuals but does not take the information outside the scope of data protection law.
In practice, this means that pseudonymised data remains personal data for the controller who holds the ‘key’ to re-identification. What has been less clear – and the issue raised in EDPS v SRB – is whether the same data should also count as personal data for a recipient who has no access to the key and no realistic way of identifying the individuals concerned.
Personal opinions
Another area of uncertainty has been whether opinions or comments should always be treated as personal data. While they are clearly linked to the individuals who expressed them, regulators and courts have not always been consistent in treating them as falling automatically within the definition.
The Court’s findings
Personal opinions are personal data
The CJEU held that comments expressing someone’s own views are, by their nature, personal data about the author. Because opinions are an expression of a person’s thinking, they are inherently linked to that person. In these circumstances, regulators do not need to run a separate ‘content, purpose or effect’ analysis to decide whether the comments ‘relate to’ an individual – their personal character is enough – provided those opinions can be properly linked to the individual who held them.
This has practical consequences. Whenever a business collects feedback from customers or employees, those comments should be treated as personal data, even if the comments say nothing about the individual or their particular experience.
Pseudonymised data and third parties
The CJEU confirmed that pseudonymisation reduces risk but does not automatically take data outside data protection law. Whether information is ‘personal data’ depends on whether the individual is identified or identifiable using means that are reasonably likely to be used, considering cost, time, technology and available information.
- Controller holding the key (SRB): pseudonymised comments remained personal data because the SRB could link codes back to individuals.
- Recipient without the key (Deloitte): pseudonymised comments are not automatically personal data in all cases. If in practice the recipient cannot realistically re-identify people (including by combining the data with other information), then from the recipient’s perspective the individuals may not be identifiable. The court (and any regulator) must have regard to the specific facts of the case to form a full view.
This is fact-specific. If re-identification is reasonably likely – for example, because the pseudonymisation is weak or can be undone using other information, or because the organisation could re-identify the relevant individual with low effort – the data remains personal. The test is whether identification is realistically possible without disproportionate effort.
The key argument raised by the EDPS was that the mere existence of additional information was sufficient to render pseudonymised personal data subject to the GDPR from the perspective of the third party. The CJEU rejected this argument, holding that this interpretation fell well outside what is provided for in the GDPR and the applicable European case-law.
Transparency duty assessed from the controller’s perspective at collection
The CJEU separated the identifiability analysis from the controller’s duty to inform. The obligation to tell people about recipients arises when the data are collected and is assessed from the controller’s point of view. Because the SRB held personal data at the point of collection and decided to disclose comments to Deloitte, it had to name Deloitte (or the relevant category of recipients) in its privacy information, even if Deloitte could not identify anyone after pseudonymisation.
A key point for organisations is that even if data will be anonymous in the recipient’s hands, the organisation disclosing it must treat it as personal data when it shares it. That means the disclosure must be explained in privacy notices and individuals should be informed that their information will be shared, regardless of whether the recipient can identify them.
Outcome
The CJEU set aside the General Court’s judgment and endorsed the EDPS’s approach on the two core points above (opinions as personal data and the controller-focused transparency duty at collection). The result is that the SRB should have disclosed at the time of collection that the comments were going to be shared with Deloitte, even if Deloitte was to receive them in pseudonymised form without the means of re-identifying the commenters.
However, as noted above, the CJEU rejected the EDPS’s assertion that pseudonymised personal data is always personal data in the hands of every recipient.
Conclusion
The judgment in EDPS v SRB may on its face appear to be a shift in the fundamentals of the GDPR. That isn’t the case – the CJEU very much applied known and generally understood principles of the GDPR.
That said, given the complexity of the GDPR itself, it remains to be seen how the emphasis on the controller’s responsibility to comply with the GDPR, irrespective of the obligations of any third-party recipient of the personal data it controls, will be applied. A consistent application of this principle may further widen the scope of controllers’ obligations as they pertain to pseudonymised personal data.
For businesses, the takeaway is clear: be transparent and careful. Treat feedback, survey responses and other opinion-based data as personal data. When sharing pseudonymised information, do not assume that it automatically falls outside data protection law. And at the point of disclosure, you must still handle the information as personal data and explain the sharing in your privacy notice.
Most businesses that take a suitably cautious approach to data protection compliance will not be troubled by this judgment. Businesses that rely heavily on the processing of pseudonymised personal data (e.g. marketing companies) may, however, want to make sure their practices are compliant.
At EM Law, we monitor developments like these closely because they illustrate how data protection continues to evolve in Europe and beyond. UK businesses trading with the EU or handling EU personal data should pay close attention to such judgments to ensure that they remain compliant with both UK and EU regimes. You can contact our experts Neil Williamson or Colin Lambertus or reach out to us here if you would like to discuss data protection matters further.