Legal news
Major contributions by the CJEU on the concepts of pseudonymisation and personal data
In a judgment dated September 4th, 2025 [1] , the Court of Justice of the European Union (CJEU) provided major clarifications regarding the concept of personal data.
In this case, the Court was asked to rule, in particular, on the qualification, in terms of the definition of personal data, of comments made by individuals to a controller (the Single Resolution Board – SRB) and then communicated to a recipient (Deloitte). In this case, these comments had been pseudonymised prior to being communicated, which meant that Deloitte was unable to re-identify their authors.
In order to rule on the qualification of the data transmitted to Deloitte, the CJEU mentioned, in particular, the following points :
- the implementation of technical and organisational measures, such as pseudonymisation, may have the effect that, with regard to a recipient of such data, the data does not have a personal character. However, this presupposes "[...] first, that Deloitte is not in a position to lift those measures during any processing of the comments which is carried out under its control. Second, those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable." ;
- to determine whether a natural person is identifiable, “[…] account should be taken of ‘all the means reasonably likely’ to be used by the controller or by ‘another person’ to identify the natural person ‘directly or indirectly’. […] to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of ‘all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments”.
In light of these elements, in particular, the CJEU considered inter alia that :
- "[…] pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data […] in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.” ;
- a data recipient who is unable to re-identify individuals, cannot be subject to the obligation of information, which “requires the data subject to be identified”.
As this ruling changes the qualification, accepted until then, of pseudonymised data with regard to the definition of personal data, entities processing pseudonymised data must now assess the consequences of this ruling with regard to their obligations relating to personal data protection.
There is no doubt that these new developments will have significant implications for the obligation of compliance of personal data processing resulting from the GDPR today—for example, the information to be provided to individuals as required by Articles 13 and 14 of the Regulation, as well as security measures.
The response of the data protection authorities, particularly the CNIL, is awaited.