Are you confident that your pseudonymized data transfers comply with GDPR? A significant ruling from the Court of Justice of the European Union (CJEU) on September 4, 2025, has provided welcome clarity for how organizations handle supposedly “anonymized” information.

The Ruling That Clarifies Data Privacy

The CJEU’s latest decision in the case of European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (C-413/23 P) addresses a critical question that has puzzled data protection officers for years: when does pseudonymized data still count as personal data under GDPR?

Contrary to creating new restrictions, the Court’s answer provides organizations with greater flexibility. The CJEU confirmed that pseudonymized data may fall outside the scope of EU data protection law entirely when proper safeguards are in place and the risk of re-identification is insignificant.

What This Actually Means for Your Business

The ruling emerged from a case involving the transfer of pseudonymized comments from affected shareholders and creditors to Deloitte for audit purposes. Rather than expanding compliance burdens, legal experts describe this as “a welcome confirmation for innovative uses” of pseudonymized data.

As noted by several lawyers, this represents “No Revolution in Sight” – the Court “upholds narrow interpretation” rather than creating revolutionary new requirements. The decision maintains existing principles while providing helpful clarification.

The Court specifically emphasized that whether pseudonymized data qualifies as personal data depends on the specific circumstances of each case, particularly:

• Recipient capabilities: Can the receiving party realistically re-identify individuals with available means?
• Technical safeguards: How robust are the pseudonymization techniques implemented?
• Risk assessment: What is the actual likelihood of re-identification occurring?

The Practical Compliance Impact

Rather than invalidating current practices, this ruling provides organizations with a clearer framework for when pseudonymized data can be treated as effectively anonymous. This is particularly significant for:

• Healthcare organizations sharing research datasets
• Financial services firms conducting compliance audits
• Tech companies developing AI training models

For Chief Information Security Officers (CISOs) and data protection teams, this creates opportunities rather than obstacles:

1. Reassess pseudonymization effectiveness using the Court’s clarified criteria
2. Document risk assessments showing low re-identification probability
3. Leverage enhanced flexibility for legitimate data sharing purposes
4. Update data processing agreements to reflect the Court’s guidance

The Broader Privacy Landscape

This ruling fits within the broader European privacy framework, complementing other recent decisions on tracking-based advertising and workplace privacy. Together, these decisions show courts applying GDPR principles pragmatically rather than expansively.

The practical impact varies by industry, but organizations that regularly share pseudonymized datasets with partners now have clearer guidance on when such transfers may not trigger full GDPR obligations.

Your Next Steps

The Court’s decision provides valuable clarity and, in many cases, reduces compliance uncertainty. Organizations can now more confidently assess when pseudonymization creates sufficient protection to treat data as effectively anonymous for recipients.

Rather than demanding urgent action, this ruling offers a more nuanced framework that recognizes the reality of modern data processing while maintaining appropriate privacy protections.

The era of uncertainty around pseudonymization is ending. In its place, we have a clearer, more practical framework that supports both innovation and privacy protection.

Are you ready to take advantage of this enhanced clarity? The ruling provides the guidance many organizations have been waiting for.