Pseudonymisation and the Relativisation of the Concept of Personal Data: Reflections on the Deloitte Judgment


Authors: Carmine Perri, Laura Senatore, Lorenzo Covello

 

Abstract

The Court of Justice of the European Union (“CJEU”) has clarified that pseudonymised data may be regarded – for the third party receiving them – as “non-personal data” if, given the specific context, the recipient cannot trace back to the individual to whom the data relate. The “Deloitte” judgment “relativises” the concept of personal data and allows the controller to argue when data can no longer be considered “personal” for the recipient.

 

Background

The demarcation line between anonymised data and pseudonymised data has long been at the centre of the European debate, particularly due to its practical implications in terms of compliance for companies. The recent judgment of the CJEU of 4 September 2025 (C-413/23 P)[1] provides a long-awaited clarification on this point, establishing some important reference criteria.

It is useful to recall that, according to Regulation (EU) 2016/679 (“GDPR”),[2] personal data means any information relating to an identified or identifiable natural person, even indirectly. Put simply: pseudonymisation is a security measure that reduces the risk of identification of the data subject without eliminating it; therefore, pseudonymised data remain subject to the GDPR. By contrast, anonymisation is an irreversible process which does not allow information to be linked – even indirectly – to the data subject, and anonymised data thus fall outside the scope of the GDPR.

Although, in this case, the CJEU’s considerations concerning the processing of data refer to Regulation (EU) 2018/1725,[3] which reproduces the definitions of personal data, pseudonymisation and anonymisation already indicated, the CJEU makes some significant observations on the possibility of relativising the concept of personal data for the third party receiving such data.

 

Brief Overview of the Procedural Background and Analysis of the “Deloitte” Judgment

The case originates in 2017 with the resolution of Banco Popular Español. In that context, the Single Resolution Board (“SRB”) launched an online consultation, inviting shareholders and creditors to submit comments on the bank’s crisis management. Contributions were first collected through an electronic form and were then filtered, categorised and aggregated. Finally, alphanumeric codes were assigned to the contributions for the SRB’s audit purposes only, thus rendering them pseudonymised and devoid of direct identifiers.

The comments collected were transmitted to Deloitte, which had been engaged to assess whether it would be more advantageous for shareholders and creditors to opt for the ordinary insolvency procedure. Deloitte therefore received only pseudonymised contributions, without additional personal data immediately attributable to the contributors; that is, Deloitte could not reconcile the alphanumeric codes with the data subjects who provided their contributions. However, some individuals argued that they had not been clearly informed of the disclosure of their data to Deloitte. This gave rise to a complaint before the European Data Protection Supervisor (“EDPS”), which was called upon to verify the lawfulness of the processing carried out by the SRB.

In 2020, the EDPS upheld the complaint, considering that the pseudonymised information transmitted still constituted personal data, as it remained referable to identifiable persons, albeit indirectly. According to the EDPS, the SRB had breached the transparency obligations laid down in the GDPR and in Regulation (EU) 2018/1725, by failing to indicate Deloitte as a recipient in the privacy notice addressed to shareholders and creditors.

The SRB decided to challenge the decision before the General Court of the European Union (“General Court”), arguing that the data transmitted were in fact anonymous, since Deloitte did not have the means to identify the authors. In 2023, the General Court upheld the action (T-557/20[4]), holding that, with regard to the recipient, such information should not be classified as personal data.

The dispute was subsequently brought before the CJEU, on appeal by the EDPS (supported by the European Data Protection Board, “EDPB”). On this occasion, the CJEU observed that, on the one hand, the comments of shareholders and creditors may constitute personal data insofar as they represent expressions of their authors’ opinions. On the other hand, it specified that pseudonymisation does not in itself exclude the personal nature of the data; it is necessary to verify, on a case-by-case basis, whether the recipient has means reasonably likely to re-identify the data subject.[5] In the present case, however, the CJEU held that – in light of the technical and organisational measures in place – Deloitte did not have such means and concluded that no processing of personal data had occurred.[6]

 

Practical Implications

The judgment provides important clarifications on the scope (and limits) of the concept of pseudonymisation. On the one hand, the CJEU reinforces the principle that any information expressing personal opinions is, by definition, personal data, insofar as it is inevitably attributable to its author.[7] In this sense, it is certainly incorrect to assume that pseudonymisation automatically renders data anonymous. On the other hand, the judgment emphasises that the qualification of information as personal data is not absolute but must be assessed in relation to the context and to the actual possibilities of identification of the data subject.[8]

Therefore, it is necessary to determine whether, in practice, the third-party recipient of information – in this case Deloitte – in light of the technical and organisational measures and the legal means at its disposal, is capable of linking such information to the identity of the individual to whom it relates, including through cross-referencing with other information in its possession. Only when such identification proves in fact impossible or excessively burdensome may the data be considered non-personal (defined as impersonal[9]). Particularly noteworthy is paragraph 85 of the judgment, which refers to the legal means available to link pseudonymised information with the data subject. In our view, the concept of legal means should not be understood solely as contractual arrangements between the parties defining the use of information, but also as processing activities permitted or precluded under applicable law.

The judgment also makes another interesting clarification concerning the scope of the transparency principle. The CJEU specified that transparency obligations must be assessed at the time of data collection and from the perspective of the controller, before any subsequent pseudonymisation or disclosure to third parties. This means that transparency is an ex ante obligation and cannot be excluded on the basis of how data will later be processed.

 

Conclusions and Operational Takeaways for Controllers

    1. The judgment “relativises” the concept of personal data and allows the controller – in compliance with the principle of accountability – to argue when data can no longer be considered “personal” for the recipient. The CJEU clarifies that pseudonymised data may be regarded – for the third-party recipient – as “non-personal data” if, given the specific context and the technical and organisational measures in place, the recipient cannot trace back to the individual to whom the data relate.
    2. In assessing these circumstances within the concrete context referred to in section 1, it is necessary to evaluate:
      • whether the recipient is technically able to reverse such measures in the context of processing operations carried out under its supervision;[10]
      • whether the recipient is legally able to reverse such measures in the context of processing operations carried out under its supervision[11] and to attribute the pseudonymised information to the data subjects. The judgment literally refers to legal means to obtain further information from another person making it possible to identify the data subject. The notion of legal means should be interpreted not only in terms of contractual arrangements within the parties’ autonomy, but also in terms of processing activities permitted or precluded under applicable law.
    3. The judgment expressly states that the transparency obligation concerning third-party recipients of data must be assessed at the time of collection (i.e., prior to any pseudonymisation or transfer). Consequently, the recipients of pseudonymised data must be indicated as recipients in the privacy notice addressed to the data subjects, even if such recipients do not have immediate means to identify them.[12]
    4. It will also be necessary to assess the practical implications of section 3 with respect to the application of the obligations governing international transfers pursuant to Articles 44 et seq. of the GDPR.
    5. From a contractual perspective, it will likewise be crucial to determine how to regulate the limitations on the third party’s use of pseudonymised information without, however, providing genuine data processing instructions typical of data processing agreements pursuant to Article 28 GDPR.

 

[1] Judgment of the European Court of Justice (First Chamber) of 4 September 2025. European Data Protection Supervisor v Single Resolution Board, https://eur-lex.europa.eu/case/EN/C_413_23_P.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng.

[3] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC https://eur-lex.europa.eu/eli/reg/2018/1725/oj/eng.

[4] Judgment of the Court of Justice of the European Union, 26/04/2023 – SRB v EDPS, case T-557/20, https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=T-557/20.

[5] On this point, the CJEU refers to the concept of pseudonymization as outlined in recital 26 of the GDPR, drawing on established case law (see, among others, the judgments in Breyer, C-582/14, and Nowak, C-434/16).

[6] See point 77 et seq. of the judgment in question.

[7] See point 55 et seq. of the judgment in question.

[8] See points 75, 76, 77 of the judgment in question.

[9] See points 83 and 84 of the judgment under commentary, in which the CJEU, citing respectively the rulings C-582/14, EU:C:2016:779, emphasized that “(…) that data that are inherently impersonal and have been collected and retained by the controller were nevertheless connected to an identifiable person, since the controller had legal means of obtaining additional information from another person making it possible to identify the data subject. In such (…)” and C-604/22, EU:C:2024:214, emphasized that “(…) data which are in themselves impersonal may become ‘personal’ in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified”.

[10] See point 77 of the judgment in question, in which the CJEU establishes that “(…) However, that presupposes, first, that Deloitte is not in a position to lift those measures during any processing of the comments which is carried out under its control. Second, those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable (…).”

[11] See point 85 of the judgment in question.

[12] See points 111-114 of the judgment in question.

ICTLC Italy
italy@ictlegalconsulting.com