Revisiting the notion of personal data in the recent CJEU case law and Digital Omnibus proposal
Since the Court of Justice’s September judgment in EDPS v Single Resolution Board (C-413/23 P, ‘SRB Case’), the discussion on the notion of personal data has hardly slowed, and practitioners keep adding fresh voices on the likely consequences of the verdict. The discussion has also been enriched by proposed amendments to the GDPR and Regulation 2018/1725 resulting from the latest Digital Omnibus proposal.
Can the very same pseudonymised dataset be treated as personal data for one actor, yet non-personal for another – depending on the availability of ‘reasonable means’ to re-identify data subjects? That is the focal point of the CJEU’s judgment in SRB Case and the new definition of personal data proposed in Digital Omnibus.
1. Personal Data and Anonymous Data under GDPR
Although the definition of personal data has remained largely consistent since Directive 95/46/EC, the way the concept is interpreted and commonly understood has evolved significantly over time.
Under Article 4(1) GDPR[1] personal data means any information relating to an identified or identifiable natural person (‘data subject’) […]. The four building blocks of this definition are therefore the following:
- ‘any information’ – broad in scope, applies to objective and subjective information, captured on various means (photos, recordings etc.);
- ‘relating to’ – information relates to an individual if it refers to that individual by means of its content (it is about someone), purpose or effect;
- ‘identified or identifiable’ – an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier[2]; as explained in recital 26 of the GDPR, to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly;
- ‘natural person’ – living individual.[3]
In addition to the definition of personal data, the GDPR clarifies in recital 26 the concept of anonymous data, to which the GDPR does not apply. Anonymous data is defined as information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Pseudonymisation, on the other hand, means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.[4] The goal of pseudonymisation is therefore to render data in such a way that the controller can still link them to the identified or identifiable data subjects, while the recipient of that data cannot.
2. Breyer Case
The most frequently cited judgment in respect of understanding the notion of personal data is Breyer v Bundesrepublik Deutschland (C-582/14, ‘Breyer Case’). In that case, the CJEU explicitly noted the importance of context when assessing the ‘means likely reasonably to be used’ to identify the data subject. The Court said specifically that:
- it must be determined whether the possibility of combining a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject (para. 45);
- identification would not be considered reasonably likely where it is prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant (para. 46).
Considering the above, in the specific circumstances of the Breyer Case, the CJEU decided that a dynamic IP address should be considered personal data in the processing operations of the website operators because they could link the IP addresses to a natural person with the cooperation of internet service providers, as such cooperation would be legally permissible, under certain circumstances.
The Breyer Case was followed by a series of CJEU judgments, which further elaborated on the understanding of personal data, including Gesamtverband Autoteile-Handel eV v Scania CV AB (C‑319/22), OLAF – OC v European Commission (C‑479/22 P) and IAB EUROPE v Gegevensbeschermingsautoriteit (C-604/22).
3. SRB Case
The interpretation of the concept of personal data and the resulting obligations of the parties involved in its processing was also at the heart of the recent SRB Case. The case concerned Regulation 2018/1725, which is the equivalent of the GDPR for EU institutions. Therefore, as stated by the CJEU, where Regulation 2018/1725 uses the same principles as the GDPR, the two should be interpreted in the same way.
The case traces back to 2017 when the SRB, as an EU central resolution authority, resolved Banco Popular Español, after determining that the bank was failing and that resolution was necessary to safeguard financial stability. The SRB also launched a ‘right to be heard’ process for the bank’s shareholders and its creditors. After collecting the comments, the SRB pseudonymised them by replacing the name of the contributor with an alphanumeric code and transferred the pseudonymised comments to Deloitte for their assessment as an independent evaluator. Deloitte did not have access to the codes. The privacy notice provided to the contributors of the comments by the SRB did not mention that Deloitte would be a recipient of their personal data.
a. The procedure before the EDPS
In 2019, a group of shareholders and creditors who had exercised the ‘right to be heard’ submitted five complaints to the EDPS under Regulation 2018/1725. In those complaints, they alleged an infringement of Article 15(1)(d) of that regulation, on the ground that the SRB in its privacy notice had failed to inform them that the data collected through the responses on the forms would be transmitted to third parties, including Deloitte. The EDPS agreed with the complainants, finding that SRB had infringed Article 15 of Regulation 2018/1725 by failing to indicate in its privacy notice that the complainants’ personal data could be shared with Deloitte.
b. The procedure before the General Court
The SRB appealed the EDPS’s decision to the General Court (‘GC’), claiming that the data shared with Deloitte was not personal and that there was therefore no obligation to disclose Deloitte as a recipient in the privacy notice. The EDPS defended its position and argued that:
‘the data the SRB shared with Deloitte were pseudonymous data, both because the comments in [the consultation phase] were personal data and because the SRB shared the alphanumeric code that allows linking the replies given in [the registration phase] with the ones given in [the consultation phase] – notwithstanding the fact that the data provided by the participants to identify themselves in [the registration phase] were not disclosed to Deloitte. […] The EDPS finds that Deloitte was a recipient of the complainants’ personal data.’
However, the GC disagreed with these arguments. The Court concluded that:
‘in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted to it relates to ‘identifiable persons’. […] Deloitte’s situation can be compared to that of the online media services provider referred to in [Breyer] […]. The SRB’s situation can also be compared to that of the internet service provider in that case […]. Therefore, pursuant to paragraph 44 of the judgment of [Breyer], it was for the EDPS to examine whether the comments transmitted to Deloitte constituted personal data for Deloitte.’
Therefore, the GC annulled the EDPS’s decision. The verdict was appealed by the EDPS to the Court of Justice of the European Union (‘CJEU’).
c. The judgment of the CJEU
In the appeal, the EDPS argued that it is not disputed that for the SRB the comments constitute personal data, even though they are pseudonymised. Therefore, if those same comments are transferred to Deloitte (even though no code is shared), there is no need to examine whether they are personal data for this recipient. In other words, ‘pseudonymised data such as the comments transmitted to Deloitte constitute, in all cases, personal data solely because of the existence of information enabling the data subject to be identified, without it being necessary to examine specifically whether, despite pseudonymisation, the person to whom those data relate is identifiable.’[5] The CJEU rejected this reasoning and clarified that pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.
At the same time, following the Advocate General’s opinion, the CJEU stated that the information obligation under Article 15(1)(d) of Regulation 2018/1725 forms part of the legal relationship between the data subject and the (initial) controller. It follows that, for the purposes of the information obligation under Article 15(1)(d), the assessment of whether the data subject is identifiable must be performed at the time the data are collected and from the controller’s perspective. Accordingly, the SRB was required to provide the data subjects with information about the recipients of their data, prior to transferring it. This obligation applies regardless of whether – following any potential pseudonymisation – those data would still qualify as personal data from the recipient’s (Deloitte) perspective.
Accordingly, the CJEU set aside the judgment of the GC which had annulled the decision of the EDPS.
d. Conclusions from the judgment of the CJEU
In SRB Case, the CJEU confirmed the relative understanding of the concept of personal data, emphasizing that it depends on the specific context and, in particular, on the recipient’s means of re-identification. Thus, if it can be demonstrated that the recipient has no such means, for that recipient the data is not personal.
However, somewhat different from what the SRB and parts of the market had anticipated, the CJEU adopted a highly formal and literal interpretation of controllers’ transparency obligations when disclosing data that, from the recipient’s perspective, does not constitute personal data. Such an approach may be potentially misleading for data subjects, who could be informed that another entity has had access to their personal data even when that entity has no reasonable means to identify the individuals concerned.
The question of how this relative understanding of the concept of personal data aligns with the application of other GDPR obligations remains open. In practice, it appears that the original controller’s GDPR obligations may continue to apply in full when disclosing pseudonymised data to third parties, regardless of whether the recipients have any realistic ability to re-identify the data subjects.
4. Digital Omnibus proposal
The concept of personal data has also recently been addressed in the Digital Omnibus Proposal. It is a legislative initiative aimed at simplifying the EU digital regulatory framework, which, if adopted, will, inter alia, amend the GDPR and Regulation 2018/1725. More detail on these proposals is provided in a related blogpost ‘ONE BUS, MANY PASSENGERS: HOW THE DIGITAL OMNIBUS REWRITES THE EU DIGITAL RULEBOOK’.
The Digital Omnibus proposes to add the following sentence of clarification to the current definition of personal data in Article 4(1) GDPR:
‘Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.’
While it is unusual for a legal definition to incorporate such an extensive interpretative explanation within its own wording, and this technique may raise concerns from a legislative-drafting perspective, the intention of the European Commission is nevertheless clear: to formally confirm a relative approach to the concept of personal data. In this respect, the proposed change aligns with the conclusions of CJEU’s judgment in SRB Case.
The EDPB and the EDPS recently issued Joint Opinion 2/2026 on the Proposal for a Regulation regarding the simplification of the digital legislative framework (Digital Omnibus). Adopted on 10 February 2026, the opinion criticises the proposed change to the definition of personal data, stating that it would significantly narrow its scope and increase legal uncertainty for organisations.
They further argue that although the proposal claims to codify the approach taken in the SRB case, the final sentence of the amended definition – “Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates” – is inconsistent with the CJEU’s earlier judgment in Gesamtverband Autoteile-Handel eV v Scania CV AB (C-319/22), later reaffirmed in the SRB case.
The Digital Omnibus Proposal further introduces a corresponding empowerment for the European Commission to adopt implementing acts specifying the means and criteria for determining whether data resulting from pseudonymisation no longer constitutes personal data for certain entities. The implementation of the means and criteria outlined in an implementing act may be used as an element to demonstrate that data cannot lead to re-identification of the data subjects.
The proposal to introduce implementing acts aims to increase legal certainty for controllers and data recipients, assisting them in conducting well-grounded assessment of the risk of re-identifying data subjects in their datasets. However, it remains uncertain whether such implementing acts can stay technologically neutral and future-proof given the rapid development of re-identification techniques.
In their Joint Opinion, the EDPB and the EDPS also emphasised that the interpretation and application of GDPR definitions should remain the competence of supervisory authorities, subject to review by the competent courts. Finally, they note that the proposal lacks clarity as to whether implementing the “means and criteria” specified in the envisaged implementing acts would create a rebuttable presumption of non-identifiability or merely constitute one factor among others in the assessment. In their view, this ambiguity risks generating further legal uncertainty rather than enhancing clarity.
5. Conclusions
In the SRB Case, the CJEU firmly confirms that personal data is a context-dependent concept, reinforcing the subjective approach introduced in the Breyer case. Pseudonymised data may qualify as personal data for the sender, while not constituting personal data for a recipient who lacks reasonably likely means of re-identification. At the same time, the judgment makes clear that this contextual assessment does not automatically reduce the original controller’s obligations under the GDPR.
The Digital Omnibus Proposal builds on this logic and seeks to write an interpretation of the concept of personal data directly into its definition in the GDPR. It also aims to empower the Commission to specify the means and criteria for determining whether data resulting from pseudonymisation no longer constitutes personal data for certain entities. If adopted, this could increase legal certainty and help controllers, processors and other recipients in documenting their assessments and justifying their choices on data sharing and the legal and security measures applied. The real impact of these developments will ultimately depend on whether the relative concept of personal data can be turned into workable criteria that stay reliable over time, even as data analytics and re-identification methods continue to evolve quickly. If not, the years ahead may only bring more compliance uncertainty, heavier documentation demands, and further disagreements over what counts as “reasonable means.”
[1] The same goes for the definition of personal data under art. 3(1) of Regulation 2018/1725
[2] Art. 4(1) GDPR
[3] WP29 Opinion 4/2007 on the concept of personal data
[4] Art. 4(5) GDPR
[5] Para. 68 of the SRB case.
