The recent Court of Justice of the European Union (CJEU) decision in European Data Protection Supervisor (EDPS) v. Single Resolution Board (SRB) unveils a significant new perspective on how European data-protection law treats pseudonymized data and reinforces the enduring importance of full anonymization.
The case arose from events following the 2017 resolution of Banco Popular in Spain. The Single Resolution Board invited shareholders and creditors to submit comments as part of a compensation process. These comments – many of which contained personal views and arguments – were shared with the auditing firm Deloitte for analysis after being pseudonymized. Names were replaced with random codes, and Deloitte never had access to the original identities.
However, some participants later raised complaints to EDPS, saying that they had never been told their comments might be transferred to Deloitte. The EDPS agreed and concluded that the SRB had failed to meet its data-protection duties, and after several layers of appeals, the CJEU issued its final judgment in September 2025.
The Court’s decision makes three points of lasting significance:
- Opinions themselves are personal data. Even when a person’s name or birth date is removed, a written comment can reveal enough about its author to be “information relating to” that person.
- Pseudonymization is not a free pass under EU data-protection law. Whether pseudonymized data remain “personal” depends on whether the recipient (or any other party) has “means reasonably likely” to re-identify the individual. In other words, the interpretation can be different for different use cases and data recipients. In the SRB case, the Board still held the key that linked the coded comments back to real names, so the data counted as personal for the SRB. Deloitte, on the other hand, had no access to that key, so with strong safeguards in place, the court ruled that the same data was not personal from Deloitte’s perspective.
- The Court also emphasized that transparency obligations begin the moment data is collected. The Court stated that the consent should have been obeyed, and the individuals should have been informed up front about the intended data release, even if the data will later be pseudonymized.
These findings highlight both the value and the limits of pseudonymization. It is a powerful risk-reduction measure and can, in some circumstances, render data anonymous and thus take data outside the GDPR from the recipient’s perspective. Yet its legal effect depends on context: regulators will always ask whether anyone could reasonably re-identify the data. For the original controller, the data generally remain personal until it can be shown that no such reasonable means exist.
Where pseudonymization wavers, anonymization holds firm. As Recital 26 of the GDPR states, “the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person.” When all direct and indirect identifiers are irreversibly removed or mixed so that no one can realistically re-identify an individual, the data fall completely outside the scope of the GDPR. That is the only way to guarantee privacy without ongoing obligations outlined in the GDPR.
The SRB ruling also underscores a growing challenge for organizations: text can be as identifying as numbers. Free-form comments, feedback, or documents often contain opinions that count as personal data. This makes advanced text anonymization essential for organizations working with unstructured data. Having worked extensively with unstructured data, we appreciate how intricate and painstaking it is to anonymize unstructured text without losing its value.
The message from this CJEU ruling is clear: pseudonymization is no silver bullet for data privacy. Under specific circumstances pseudonymized data can be interpreted to be anonymous. However, for organizations that require strong privacy guarantees in utilizing data for research, innovation, or cross-border collaboration, anonymization remains the gold standard for achieving both privacy compliance and data utility.
