Case Report: Pseudonymised Data is Not A Permission To Share (SRB–EDPS C-413/23 P)
The SRB shared pseudonymised shareholder data with Deloitte, prompting complaints to the EDPS over undisclosed recipients and personal data obligations.
European institutions claim to prioritise transparency in data handling, yet the recent ruling in case C-413/23 P exposes a troubling inconsistency. The treatment of pseudonymised data demonstrates how formal legal safeguards can fracture under operational pressures. Stakeholders were left uncertain about who accessed their information, raising doubts about the credibility of institutional commitments to meaningful accountability in digital governance.
🏛️ Court: Court of Justice of the European Union (CJEU)
🗓️ Judgment Date: 4 September 2025
🗂️ Case Number: C-413/23 P
Court of Justice Clarifies the Status of Pseudonymised Data in the SRB–EDPS Dispute
On 4 September 2025, the Court of Justice of the European Union delivered a judgment in case C-413/23 P that directly addresses the boundaries of what constitutes personal data when pseudonymisation is involved.
The decision arises from an appeal by the European Data Protection Supervisor (EDPS) against a judgment of the General Court that had annulled one of its enforcement decisions against the Single Resolution Board (SRB).
The case touches the intersection between banking resolution procedures, large-scale data collection from affected shareholders and creditors, and the responsibilities of Union institutions when handling sensitive information.
The Court’s findings matter to any organisation processing information that has been stripped of identifiers yet still carries a potential link back to individuals.
Background of the dispute
The events giving rise to the case can be traced back to the resolution of Banco Popular Español SA in June 2017.
The Single Resolution Board (SRB), acting under the Single Resolution Mechanism Regulation, determined that the bank was failing and adopted a resolution scheme.
This included the write-down and conversion of capital instruments and the transfer of shares to a purchaser, a decision which was subsequently approved by the European Commission.
Following this resolution, the regulation required an assessment of whether shareholders and creditors would have been treated more favourably had the bank undergone normal insolvency proceedings.
Deloitte was appointed by the SRB to carry out this valuation, referred to as Valuation 3.
Deloitte delivered its findings in June 2018, and on the basis of this work, the SRB launched a procedure to determine whether compensation was owed.
To ensure fairness and compliance with the right to be heard under the EU Charter of Fundamental Rights, the SRB invited affected shareholders and creditors to participate in a consultation.
The process was divided into two distinct stages.
First came the registration stage, which required each interested party to submit evidence of their identity as well as proof of ownership of relevant capital instruments at the time of resolution.
Identity documents and ownership records were uploaded directly to the SRB, which then verified eligibility.
This stage was critical because only verified individuals could proceed to the second stage.
The consultation stage followed, in which verified participants were invited to provide comments on the SRB’s preliminary decision and Deloitte’s valuation.
Submissions were made through an online form that posed a series of structured questions.
The SRB collected more than 23,000 comments from over 2,800 participants.
To manage this volume securely and efficiently, each submission was assigned a randomly generated alphanumeric code.
These codes ensured that comments could be tracked and audited without exposing the names or personal identifiers of the individuals.
The SRB retained the database containing the registration information, including identity documents and ownership proofs, and separately stored the comments linked by codes.
Staff members responsible for reviewing comments had no access to the registration data, which remained under restricted control.
As a result, the comments were pseudonymised, meaning that Deloitte, which was later asked to evaluate the submissions relevant to its valuation, only received files containing codes and the substantive responses.
Deloitte never had access to the underlying registration data and could not by itself identify the individuals behind the comments.
Nevertheless, the SRB still held the means to re-identify participants by linking the alphanumeric codes back to the registration records.
The codes were designed to allow auditability and to demonstrate that each comment had been considered, especially in the event of legal proceedings.
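A minimal sketch of the arrangement described above, added here as an illustration and not the SRB's actual system: each submission gets a random code, the code-to-participant link table stays with the controller, and the recipient export carries only code, question and comment. The field names, the sample records and the free-text check for leaked identifiers are assumptions introduced for this example.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits

# Constructed sample data: a registration store and consultation submissions.
REGISTRY = {
    "p1": {"name": "Ana Example", "doc_no": "X1234567"},
    "p2": {"name": "Luis Sample", "doc_no": "Y7654321"},
}
SUBMISSIONS = [
    {"participant_id": "p1", "question": "Q1", "comment": "The valuation ignores deferred tax assets."},
    {"participant_id": "p1", "question": "Q2", "comment": "I, Ana Example (ID X1234567), held 500 shares."},
    {"participant_id": "p2", "question": "Q1", "comment": "The liquidation scenario is too pessimistic."},
]

def new_code(used, length=12):
    """Random code from a CSPRNG, not derived from any identity attribute."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if code not in used:
            used.add(code)
            return code

def pseudonymise(submissions):
    """Return (link_table kept by the controller, export sent to the recipient)."""
    link_table, export, used = {}, [], set()
    for sub in submissions:
        code = new_code(used)
        link_table[code] = sub["participant_id"]
        export.append({"code": code, "question": sub["question"], "comment": sub["comment"]})
    return link_table, export

def residual_identifiers(export, registry):
    """Controller-side check before release: exported rows whose free text
    still contains a registered name or document number."""
    needles = [v for rec in registry.values() for v in rec.values()]
    hits = {}
    for row in export:
        found = [n for n in needles if n.lower() in row["comment"].lower()]
        if found:
            hits[row["code"]] = found
    return hits

if __name__ == "__main__":
    link_table, export = pseudonymise(SUBMISSIONS)
    for code, found in residual_identifiers(export, REGISTRY).items():
        print(f"hold back {code}: comment contains {found}")
```

Only the holder of `link_table` and the registry can map a code back to a person; a comment that names its own author defeats the separation regardless of how the code was generated, which is why the check runs on the controller side before anything is released.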
This arrangement prompted complaints to the European Data Protection Supervisor (EDPS).
Several participants argued that the transmission of their pseudonymised comments to Deloitte amounted to the disclosure of personal data.
They contended that Deloitte should have been identified in the SRB’s privacy notice as a recipient under Article 15 of Regulation 2018/1725, which obliges EU institutions to inform individuals when their personal data are shared and to specify the recipients or categories of recipients.
The complainants claimed that the omission breached their right to be informed about how their data were handled.
In essence, the SRB viewed its transfer of pseudonymised data as secure and compliant, while the complainants argued that pseudonymisation did not erase the personal character of their information, since the SRB could still re-establish the link.
This disagreement laid the foundation for the legal proceedings that followed.
The EDPS findings and General Court annulment
The EDPS initially concluded that the SRB had violated its obligations because Deloitte was a recipient of personal data and had not been identified as such.
The reasoning rested on the understanding that pseudonymised information remained personal data since the SRB held the key that could re-identify individuals.
The SRB challenged this finding before the General Court, which annulled the EDPS decision in April 2023.
The General Court held that the EDPS had not assessed whether the information constituted personal data from Deloitte’s perspective.
Since Deloitte lacked access to the re-identification key and could not reasonably obtain it, the comments could not be regarded as personal data for Deloitte.
The Court emphasised that the obligation to inform under Article 15 extends only where a recipient is indeed receiving personal data.
The EDPS appealed to the Court of Justice, arguing that pseudonymised data should be treated as personal data in all circumstances, regardless of the specific capacities of recipients.
The Court of Justice ruling
The Court of Justice rejected the EDPS appeal and upheld the General Court’s judgment. The ruling contains several important clarifications:
Pseudonymisation does not automatically mean that data remains personal in relation to every party. The decisive factor is whether the person concerned is identifiable for the recipient, considering all reasonably available means of re-identification.
For the SRB itself, the data clearly retained its personal character because it possessed the linking information. However, for Deloitte, the combination of technical and organisational measures prevented identification. The Court recognised that pseudonymisation can, in certain circumstances, effectively deprive data of its personal nature for third parties.
The EDPS's obligation to assess a violation cannot be satisfied by a blanket presumption that pseudonymised data always amounts to personal data. The assessment must examine whether the recipient has access to or can reasonably obtain the necessary information to re-identify individuals.
The wide interpretation of “personal data” in Union law does not eliminate the requirement that someone must be identifiable. Obligations such as providing information to data subjects cannot apply where an entity has no way of identifying them.
By confirming that pseudonymisation can change the legal status of data depending on the actor, the Court has set a precedent with far-reaching implications.
Why this matters for data protection practice
This judgment demonstrates that the qualification of information as personal data is contextual.
It does not exist in abstraction but depends on who is processing it and what means are realistically available for identification.
Organisations handling pseudonymised data must therefore evaluate their own position carefully.
This legal decision clarifies that organisations cannot automatically treat all pseudonymised information as personal data when transmitting it to third parties.
The analysis must consider the technical and organisational safeguards that accompany the transfer.
At the same time, controllers must remember that if they themselves retain the ability to re-identify, the data remains personal for them, with all corresponding obligations.
For companies acting as processors or recipients, this ruling provides assurance that where pseudonymisation is implemented effectively, and there is no access to the re-identification key, the information they receive may not be subject to the full regime of data protection law.
Nevertheless, this does not authorise complacency.
The measures must genuinely prevent re-identification, and any possibility of combining data with other accessible sources must be addressed.
Organisations engaged in large projects involving sensitive financial or technical information can draw several lessons from the Court’s reasoning:
Context matters: Always assess whether the data in your possession relates to an identifiable person in your specific circumstances, not in the abstract.
Pseudonymisation is not anonymity: The Court acknowledged that pseudonymisation reduces risk but does not automatically render data anonymous. The possibility of re-identification must be considered for each individual involved.
Transparency obligations remain strict: For entities like the SRB that hold the keys to re-identify individuals, pseudonymised data continues to be personal. These entities must ensure that privacy notices accurately list all potential recipients.
Technical and organisational measures are decisive: Safeguards such as separate storage of linking information, restricted access, and clear contractual limits on use can make the difference between data being personal or not for recipients.
Legal arguments must be precise: Supervisory bodies, controllers, and processors should avoid absolute positions. The Court has required nuance and factual analysis rather than blanket statements.
Broader significance
Although this case arose in the context of the banking union and the resolution of a financial institution, the principle has broader relevance.
Many technology companies, research institutions, and public authorities rely on pseudonymisation to share or analyse data while seeking to reduce privacy risks.
This judgment will likely be cited in future disputes to argue that pseudonymised information may fall outside the scope of personal data obligations when recipients cannot reasonably identify individuals.
At the same time, organisations should be cautious. The Court did not suggest that pseudonymised data is generally exempt from data protection law.
Instead, it emphasised careful examination of whether identification is possible in practice. The decision therefore encourages both innovation in data handling and accountability in ensuring that protective measures are robust.
Final thoughts
The Court’s judgment in C-413/23 P strengthens the legal understanding of pseudonymisation in European Union law.
It confirms that whether data counts as personal depends on the circumstances and on who holds the means of re-identification.
As data flows continue to underpin financial oversight, research, and digital services, this ruling will stand as a reference point for years ahead.
Organisations would be wise to review their current pseudonymisation practices and privacy notices in light of the Court’s guidance.
This judgment forces us to reconsider how institutions and private actors handle pseudonymised information within regulatory frameworks. Its implications extend beyond financial resolution into the broader practice of data governance.