Pseudonymized Data: Key Takeaways from CJEU Decision

Introduction

On September 4, 2025, the Court of Justice of the European Union (the “CJEU”) rendered its decision for Case C 413/23 P, European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (the “Decision”). This ruling clarifies that in some circumstances, pseudonymized data may not always be considered personal data under EU data protection laws.

Questions of this nature arose earlier this year when the European Data Protection Board issued its guidelines on pseudonymization. The Decision addresses several questions discussed in our previous article, and impacts Canadian organizations subject to the GDPR.

The Decision

In the Decision, the CJEU largely followed the non-binding opinion of the Advocate General of the CJEU. In particular, the CJEU affirmed that pseudonymized data may not always be considered “personal” for a party, for example, if the pseudonymization could prevent that party from identifying the individual. In this context, whether data is considered “personal” depends on the perspective and identification capabilities of the party handling it. For example, while a third-party service provider may not be able to identify an individual using the pseudonymized data alone, that same data would still be considered “personal” for a controller who holds an identification key, triggering the usual obligations applicable to personal data under the GDPR.

The CJEU noted that identifiability must be assessed by considering all methods that could reasonably be used to identify an individual, whether directly or indirectly, including techniques such as targeting by either the data controller or another party. When determining whether such methods are reasonably likely to be used to identify the person, consideration must be given to objective factors such as the cost and time required to identify an individual. The CJEU also upheld its previous determination that a method of identification may not be considered reasonably likely to be used if, in practice, the risk of identifying the person is insignificant, such as where identification would be unlawful or virtually impossible.

The Decision provides welcome clarity regarding the nature of pseudonymized data, whether it is held by a controller or a third-party recipient, and the corresponding obligations and expectations of these parties when handling it.

For More Information

Fasken is here to help. Do not hesitate to visit our Law 25 resource centre or contact this bulletin’s authors if you require assistance with any matters related to privacy or cybersecurity.