The Court of Justice of the European Union (“CJEU”) has delivered a judgment clarifying when pseudonymized data are considered personal data within the meaning of the General Data Protection Regulation (“GDPR”). Following an appeal lodged by the European Data Protection Supervisor (“EDPS”), the case came before the CJEU, which examined the criteria under which pseudonymized information may still be regarded as personal data, in the context of its transfer to third parties. The judgment provides important guidance for data controllers regarding the obligations they have when sharing pseudonymized data.
Proceedings Before the Lower Instance Courts of the EU
The dispute began in 2017, when the Single Resolution Board (“SRB”), in the context of a company resolution procedure, enabled creditors and shareholders to submit comments on a preliminary decision. The SRB then transferred those comments, in pseudonymized form, to an auditing firm for the purpose of assessing the effects of the resolution procedure.
In 2020, the EDPS found that, by transferring those comments to a third party, the SRB processed personal data without adequately informing the data subjects. However, the General Court of the European Union annulled that decision, holding that the comments had been anonymized to such an extent that they could not be linked to individuals, and that the EDPS had not examined the content of the comments themselves in order to determine whether they contained personal data.
The EDPS lodged an appeal against that judgment, and the case was subsequently brought before the CJEU.
The CJEU Judgment
Examining the grounds of appeal, the CJEU held that the content of the creditors’ pseudonymized comments may constitute personal data where it is possible, based on that content, to draw conclusions about the identity of the data subjects. The Court emphasized that the assessment of whether specific information constitutes personal data is not based solely on the technical level of so-called “de-identification”, but also on whether, in the circumstances, the individual can be re-identified based on the content of the data.
The CJEU found that the risk of re-identification must be assessed at the time of data collection and processing, considering all information available. In doing so, it underlined that pseudonymization does not automatically exclude the application of the GDPR; rather, it is a relative concept that depends on whether the person processing the data has access to information enabling the re-identification of the data subject.
At the same time, the CJEU confirmed that pseudonymized data do not necessarily constitute personal data for every person who processes them. Where pseudonymization has been implemented in a manner that effectively prevents third parties from identifying the individual, such data may, in relation to those third parties, be treated as data falling outside the scope of the GDPR. This establishes a clear distinction between a controller who holds information enabling the data to be linked to a specific individual and third parties who do not have access to such information.
Practical Implications for the Interpretation of Pseudonymization in the EU and Serbia
The CJEU judgment provides important guidance on the practical use of pseudonymization, confirming that pseudonymized data cannot be assessed independently of the context of processing. The Court stresses that it is necessary to assess whether an individual remains identified or identifiable based on the content of the data or other information available, which significantly affects controllers’ obligations when transferring such data to third parties. In this way, the judgment sets a higher standard for assessing the risk of re-identification, an assessment that controllers must carry out as early as the data collection stage.
Although the judgment primarily affects the practice of EU institutions, its findings are of broader relevance, as they confirm the high level of protection the GDPR affords in the context of pseudonymization. For EU Member States, the judgment serves as a reminder that pseudonymized data often retain their status as personal data, particularly where the content of the data allows conclusions to be drawn as to the identity of individuals.
As for Serbia, bearing in mind that domestic legislation follows European standards, it may be expected that the approach confirmed in this judgment will also be reflected in Serbian practice. This is particularly important for sectors in which pseudonymization is frequently used—such as financial services, telecommunications, healthcare, and digital platforms—where it will be necessary to carefully assess the possibility of re-identification and the lawfulness of data transfers.
The judgment confirms that pseudonymization may contribute to data protection; however, it does not exclude the application of the GDPR. Whether pseudonymized data are still regarded as personal data depends on the context, the content of the data, and the possibility of re-identification. In this way, the CJEU judgment lays the groundwork for a clearer and more stable interpretation of this issue in EU practice and, indirectly, in Serbia as well.
This article is purely informative and is not intended to provide legal advice. If you need additional information, please contact us directly.
Author:
Sonja Stojčić, Senior Associate
sonja.stojcic@prlegal.rs; legal@prlegal.rs