On 4 September 2025, the European Court of Justice delivered its decision in Case C-2025/645 between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB).

Background 

This case arose when the SRB invited affected shareholders and creditors to participate in a right-to-be-heard survey, as part of a resolution scheme.

SRB pseudonymised the responses — replacing names with alphanumeric codes — and shared them with an external party, Deloitte, who had no access to the original identifying data or means of re-identifying individuals.

Complaints were subsequently made to the EDPS, alleging that SRB breached EU Regulation 2018/1725 (a GDPR equivalent for EU institutions) by failing to inform participants about the data sharing.

Decision of the General Court and appeal to the Court of Justice

The General Court held that pseudonymised data may fall outside the scope of the GDPR where the recipient has no means to (re-)identify the individuals to whom the data relates. It also found that personal views or opinions cannot, by default, be presumed to constitute personal data.

On this basis, the court annulled the EDPS’s decision, concluding that the data shared with Deloitte did not amount to personal data from Deloitte’s perspective.

The EDPS appealed the decision to the Court of Justice of the European Union (CJEU) on two grounds:

1. The General Court had misinterpreted Article 3(1) and (6) of the Regulation, by requiring the EDPS to assess whether the data was personal from the recipient’s perspective, and by failing to consider the concept of pseudonymisation as interpreted in CJEU case law; and
2. The General Court erred in its interpretation of the controller’s obligations under Articles 4(2) and 26(1) of the Regulation by failing to consider the principle of accountability, and suggesting that the EDPS was required to demonstrate that SRB had successfully anonymised the personal data it processed.

Key findings of the CJEU

Pseudonymised data is not always personal

The CJEU rejected the EDPS’s argument that pseudonymised data must always be treated as personal data, irrespective of context.

Instead, it held that pseudonymisation can, depending on the circumstances, effectively prevent parties other than the controller from identifying individuals — meaning the data may not qualify as personal data for those recipients.

The court underscored that identifiability must be assessed from the recipient’s perspective and referenced prior case law — including Nowak (C‑434/16) and Breyer (C‑582/14) — confirming that data may become personal if shared with someone who can reasonably re-identify the subject.

Personal opinions are inherently linked to the individual

The CJEU confirmed that personal opinions or views are intrinsically tied to the individual expressing them and therefore “relate to” that person within the meaning of personal data.

It rejected the General Court’s approach, which required an analysis of the content, purpose, or effect of each opinion to determine whether it concerned a data subject. 

Instead, the CJEU held that the very nature of personal opinions — as reflections of an individual’s thought process — creates a direct and inherent link to their author.

This clarification has implications for subject access requests, particularly where work emails or internal communications contain personal views, raising questions around access rights and the need to balance the interests of multiple data subjects.

Controller’s perspective determines transparency duty

The CJEU found that the General Court erred by requiring the EDPS to assess whether the data shared with Deloitte was personal from Deloitte’s perspective.

Instead, the court clarified that the obligation to inform data subjects arises at the time of data collection and must be assessed from the controller’s standpoint.

This obligation includes disclosing the identity of any recipients of the data, even if the data may not be considered personal from the recipient’s perspective.

It forms part of the controller’s duty of transparency and applies regardless of how the data is later processed or interpreted by third parties. 

Determining identifiability

The applicability of the Regulation to pseudonymised data depends on context and requires a case-by-case assessment. The key question is whether the data subject is identifiable from the perspective of the party processing the data.

If the party holds additional information enabling identification, the data are personal. If not, the identifiability test applies — assessing whether the risk of identification is non-existent or insignificant.

This involves assessing all means reasonably likely to be used to identify, directly or indirectly, a natural person, taking objective factors into account, such as (i) cost, (ii) time required to identify, (iii) available technology at the time of processing, and (iv) technological developments.

Conclusion

The CJEU’s decision in EDPS v SRB clarified the position in relation to pseudonymised data and whether it is always considered personal data.

The court affirmed that identifiability must be assessed contextually, from the recipient’s perspective, and that pseudonymised data may, under certain conditions, fall outside the scope of the definition of personal data under the GDPR.

Further, the court clarified that personal opinions inherently relate to the individual expressing them, and therefore qualify as personal data, regardless of their content or impact. This has practical implications for data controllers, especially in managing subject access requests and internal communications.

Finally, the CJEU emphasised that transparency obligations rest with the data controller, not the recipient, and must be fulfilled at the point of data collection.

This reinforces the principle of transparency and the controller’s duty to inform data subjects about data sharing, even when the shared data may not be personal from the recipient’s standpoint.

Overall, the ruling provides valuable guidance on personal data boundaries and the data controllers’ responsibilities, offering greater clarity and reinforcing a risk-based, contextual approach to data protection compliance.

• Rachel Hayes and David Cullen are partners and Aoife Keenan is an associate at William Fry LLP.