Data sharing: Is your ‘anonymous’ data actually personal?

Introduction

The definition of “personal data¹” is fundamental to data protection law, but its scope remains a frequent source of confusion. While the GDPR clearly applies to personal data and excludes anonymous information, the regulatory status of pseudonymous data has long been a significant point of contention.

In its recent ruling, EDPS v SRB (Case C-413/23 P), the Court of Justice of the European Union (CJEU) brought much-needed clarity and addressed the conditions under which pseudonymised information escapes the reach of GDPR rules.

The central lesson for any organisation that collects feedback or works with external vendors is clear: data that appears anonymous is not necessarily outside GDPR scrutiny. The ruling confirms that personal data status depends primarily on the controller’s possession of re-identification tools, rather than on the format of the data shared.

Background

The foundation of this landmark case lies in the 2017 resolution of Banco Popular Español by the Single Resolution Board (the “SRB”). To determine potential compensation for creditors, the SRB initiated a feedback process where participants submitted views, proven by identity documents.

The SRB then separated personal identifiers from the submitted comments, assigning a unique code to each comment before passing only the coded feedback to the external valuer, Deloitte. This separation led to a crucial privacy clash: the European Data Protection Supervisor (the “EDPS”) asserted the SRB failed in its duty by not informing participants their data (opinions) would go to Deloitte.

The SRB defended its action by arguing that since Deloitte received only coded data lacking an identifying key, it never received “personal data” subject to GDPR notification rules.

This fundamental disagreement over the effect of pseudonymisation (specifically regarding opinions and re-identification capability) was ultimately referred up to the CJEU.

Procedures before the EDPS

The legal action began in late 2019 when affected shareholders complained that the SRB’s privacy notice was incomplete, failing to mention sharing registration data with third parties like Deloitte and Banco Santander.

The EDPS initially sided with the complainants, reprimanding the SRB specifically for the undisclosed transfer to Deloitte.

The SRB challenged this, arguing that since Deloitte received only coded comments lacking the identification key, the data was not “personal” under GDPR terms.

After reviewing new evidence, the EDPS issued a final ruling in November 2020.

The EDPS maintained that the data was personal (pseudonymous, because the SRB provided the linking code), meaning Deloitte was a recipient of personal data. This lack of transparency violated Article 15(1)(d) of Regulation 2018/1725.

Despite finding this breach, the EDPS opted not to issue corrective penalties, instead formally recommending that the SRB update all future privacy notices to list every potential data recipient.

Procedures before the General Court

In September 2020, the SRB challenged the EDPS’s revised decision, asking the General Court to annul the decision (claiming the data shared was not personal data) and to issue a declaration that the EDPS’s initial decision was illegal.

The General Court dismissed the SRB’s request for a simple declaration (citing lack of jurisdiction) but upheld the SRB’s main argument, annulling the EDPS’s decision. The Court found in favour of the SRB on its first plea: that the information transmitted to Deloitte did not constitute personal data under the relevant regulation.

The EDPS appealed this General Court judgment to the CJEU. The EDPS now asks the CJEU to set aside the General Court’s ruling and uphold the original findings of personal data infringement.

CJEU’s Findings

The CJEU issued a mixed ruling. It set aside specific parts of the General Court’s judgment, sending those elements back for reconsideration, while simultaneously issuing final rulings on key substantive questions concerning the definition and scope of personal data.

Is pseudonymised data personal data?

The CJEU disagreed with the EDPS and ruled that pseudonymised data only qualifies as personal data if there is a significant risk of identification. Where the risk of identification is insignificant, the data is correctly categorised as anonymous. The CJEU stated that:

“pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject, in such a way that, for them, the data subject is not or is no longer identifiable provided that such technical and organisational measures are actually put in place and are such as to prevent the data in question from being attributed to the data subject… [in this case] pseudonymisation may have an impact on whether or not those data are personal.”

Transparency Obligation

The CJEU established that the controller’s transparency obligation (Article 15(1)(d) of Regulation 2018/1725) is locked to the moment of data collection and assessed from the controller’s perspective, overruling the General Court’s error of focusing on the recipient’s (Deloitte’s) ability to re-identify the data later. This upfront disclosure of recipients is vital for ensuring valid consent and protecting data subject rights.

Therefore, regardless of whether the information being transferred was anonymous or pseudonymous, the SRB breached its duty by omitting Deloitte from its privacy notice, as its obligation was fixed when it collected the data as personal information, not based on its subsequent classification in the recipient’s possession.

Conclusion

Although this ruling was issued under the Regulation governing EU institutions, its findings on the concepts and definitions of personal data directly mirror the general GDPR.

The CJEU’s confirmation that personal data is a “relative” concept assessed based on the recipient’s ability to re-identify data provides welcome clarity for organizations using pseudonymisation or anonymisation.

The essential lesson for businesses is the critical need for transparency and caution. Organisations must proactively treat feedback, surveys, and opinion-based contributions as personal data. Crucially, the simple act of pseudonymising data is insufficient to remove it from GDPR scope; controllers must maintain the context of personal data throughout the process and explicitly detail any disclosure to third parties within their privacy notices.

Disclaimer: Ganado Advocates is responsible for contributing to this law report but was not in any way involved as legal advisor for the parties in the judgement being covered in this law report. This article was first published in ‘The Malta Independent’ on 15/10/2025.


¹ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
