CJEU Gives Further Insights Over Data Anonymization
Introduction
On September 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment[1] in Single Resolution Board (SRB) v. European Data Protection Supervisor (EDPS), providing some clarification on the identifiability of data under the EU data protection regime. The case examined whether information that has been pseudonymized by one entity can still be regarded as personal data in relation to another entity that lacks the additional information needed to re-identify individuals.
This judgment builds upon and refines earlier CJEU case law and addresses how to determine when data truly falls outside the scope of the GDPR.
Background
Under Article 4(5) GDPR, pseudonymization refers to the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided such information is kept separately and subject to technical and organizational measures ensuring non-attribution. In contrast, Recital 26 GDPR defines anonymization as rendering data irreversibly non-identifiable, meaning that identification of a natural person is “reasonably” impossible.
The distinction between pseudonymization and anonymization is fundamental because only truly anonymized data fall outside the GDPR’s scope. However, in practice, this boundary has proven difficult to delineate.
The SRB v. EDPS case arose in the context of the Single Resolution Board’s (SRB) activities managing bank resolutions in the EU. The SRB received comments from shareholders and creditors, later transferring a version of these comments in pseudonymized form (stripped of direct identifiers) to Deloitte assisting in valuation. Upon the complaints, the EDPS found that the SRB had disclosed comments that were personal data without a valid legal basis, reasoning that the transmitted dataset remained personal data even though Deloitte could not identify individuals. According to EDPS, the fact that the firm did not have that re-identification information was not sufficient to classify the data as anonymous, and it concluded that SRB did not comply with Regulation (EU) 2018/1725. Following the assessment of the EU’s General Court (EGC) on the matter, EDPS challenged this decision before the CJEU, which issued below-covered decision.
Main Findings of the Decision
The CJEU’s decision provides some further guidance for multi-actor processing scenarios.
- Transparency Requirement Shall be Assessed at the Time of Collection: The controller has a duty to inform data subjects of possible data recipients at the time of data collection.
- Pseudonymized Data Is Not Necessarily Personal Data for All Recipients: Meaning that the same pseudonymized data set can be personal data for an organization holding its key, and non-personal for other organizations lacking the key for re-identification[2].
- Data May Remain Personal Even if the Recipient Cannot Identify Individuals:
The Court held that pseudonymized data does not become anonymized merely because the recipient lacks the additional information required for re-identification. What matters is whether any party involved in the processing, including the sender or another entity, has means “reasonably likely” to re-identify the data subjects. Hence, the transmitted dataset remained personal data in the hands of the SRB because it retained access to the key linking identifiers.
Conclusion
The SRB v. EDPS judgment consolidates the CJEU’s evolving jurisprudence on identifiability. The Court has made clear that pseudonymized data does not always constitute personal data. Categorization of personal data as pseudonymous or anonymous should be assessed from the relative perspective of the recipient or holder of the data[3] .
Effectively pseudonymized data (without means for re-identification) may fall out of the scope of the GDPR, meaning fewer compliance requirements in data transfers. This could open the innovation path for responsible AI models and data-driven research. However, there is still some room to receive practical guidance on clear criteria for anonymization[4] .
- European Data Protection Supervisor v Single Resolution Board (Judgment of the Court (First Chamber), Case C-413/23 P, ECLI:EU:C:2025:645, for access: https://curia.europa.eu/juris/document/document.jsf;jsessionid=A343CFC69FFD630DD37626CED2C6EA25?text=&docid=303863&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=30979519
- Philipp Roos, Dr. Davide Borelli, Dr. Christoph Werkmeister, Annabelle Hamelin, Lexology, “Personal Data or Not? The CJEU’s (updated) understanding of anonymisation” (October 2025), for access: https://www.lexology.com/library/detail.aspx?g=fe99719f-7aac-45a6-baec-499ad7d3f93e
- CJEU Confirms Personal Data as a Relative Concept, Latham & Watkins, for access: https://www.globalprivacyblog.com/2025/09/cjeu-confirms-personal-data-as-a-relative-concept/
- Patrice Navarro, Pseudonymized data after EDPS v SRB, for access: https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2025/09/pseudonymized-data-after-edps-v-srb.html
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
In Türkiye, it has recently become increasingly common, especially in retail stores, to send verification codes to data subjects by SMS during the provision of goods and services and to process personal data in this way. In the complaints submitted to the Personal Data Protection Board (“Board”), it has been...
In contemporary workplaces, employers frequently implement surveillance systems for reasons such as ensuring occupational health and safety, maintaining workplace order, operating internal control mechanisms, and preventing potential misconduct. However, such monitoring practices often raise significant...
Although the Turkish Personal Data Protection Law No. 6698 (KVKK) stipulates certain rules on cross-border personal data transfer, the effective functioning of the transfer rules was limited over time due to some difficulties in practice. In particular, until late 2024, the application process for permission to transfer...
Personal Data Protection Law numbered 6698 (“PDPL”) was first drafted based on the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals about the processing of personal data and on the free movement of such data, and entered into force in 2016...
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague...
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
