Are you certain your pseudonymised data transfers comply with GDPR? A significant ruling from the Court of Justice of the European Union (CJEU) on September 4, 2025, has provided important clarification on when pseudonymised data qualifies as personal data – and the implications could refine your data management strategy.

The Ruling That Provides Clarity

In the case of European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (C-413/23), the CJEU confirmed that personal data is a relative concept. This means data can be pseudonymous in one party’s hands while being effectively anonymous for another recipient.

Important Timeline Context: The Advocate General’s opinion was delivered on February 6, 2025, with the final judgment rendered on September 4, 2025. This represents the completion of the standard CJEU procedural process.

The Court clarified that pseudonymised data doesn’t automatically qualify as personal data under GDPR in all circumstances. Instead, classification depends on whether the recipient has “means reasonably likely” to re-identify individuals – a test that has been part of GDPR since its inception in Article 4(1) and Recital 26.

What This Means for Your Business

While the “means reasonably likely” assessment has always been part of the GDPR framework, this ruling provides practical clarification on its application to pseudonymised data transfers. According to legal experts, this creates “welcome confirmation for innovative uses” of pseudonymised data.

Key factors the Court emphasized include:

• Recipient capabilities: Does the receiving party have realistic means to re-identify individuals?
• Technical safeguards: How robust are your pseudonymisation techniques?
• Risk assessment: What’s the actual probability of re-identification in the specific context?

The Compliance Impact You Need to Know

Important Context: This ruling doesn’t create new legal principles – it clarifies the application of existing GDPR provisions. As the European Data Protection Board’s Guidelines 01/2025 on Pseudonymisation (published January 16, 2025) make clear, pseudonymisation “allows controllers and processors to reduce the risks to data subjects” but doesn’t automatically remove data from GDPR scope.

The ruling provides contextual flexibility for legitimate data sharing scenarios. Organizations can now apply the Court’s clarified interpretation when assessing whether pseudonymised data remains personal data for specific recipients.

For Chief Information Security Officers (CISOs) and data protection teams, this creates opportunities to:

• Reassess current pseudonymisation practices using the Court’s clarified interpretation of existing criteria
• Document risk assessments showing low re-identification probability for specific recipients
• Update data processing agreements to reflect the refined legal understanding
• Apply more nuanced approaches for research, auditing, and analytics purposes

Your Action Plan

The CJEU’s decision provides helpful clarification on applying existing GDPR principles to pseudonymised data scenarios. Rather than demanding urgent overhauls, it offers a more refined understanding of how the “means reasonably likely” test works in practice.

As privacy experts note, this ruling confirms that “personal data as a relative concept” allows for more contextual compliance approaches while maintaining the fundamental principle that pseudonymised data generally remains personal data under GDPR.

The question isn’t whether this ruling revolutionizes GDPR compliance – it’s whether you’re prepared to apply the Court’s clarified interpretation to your specific data processing scenarios. Organizations that thoughtfully reassess their pseudonymisation strategies using the Court’s refined framework will be better positioned for both compliance and legitimate business innovation.

The ruling represents an evolution in understanding rather than a revolution, providing clearer guidance on applying established GDPR principles to the complex realities of modern data processing.

EU Court Ruling Redefines Pseudonymized Data: Is Your Company’s Privacy Strategy Still Valid?

Your Work Emails Are Personal Data: The GDPR Ruling That Changes Everything