UK GDPR Notice
Important: This article discusses a Court of Justice of the European Union (CJEU) ruling that interprets the definition of “personal data” under EU GDPR as applied within the European Economic Area (EEA).
Interpretation of UK GDPR is not directly affected by this ruling or changes. For information about definitions of personal data under UK GDPR, we suggest consulting ICO guidance.
If your organisation operates in both the UK and EEA, you should consider both regulations separately. You may benefit from erring on the side of caution and taking a low-risk approach. You should always consult with legal professionals.
Introduction
On 4 September 2025, the Court of Justice of the European Union fundamentally changed how “personal data” is defined under EU GDPR. The ruling in European Data Protection Supervisor v. Single Resolution Board (Case C-413/23 P) introduced a “relative approach” to personal data: the same dataset can be personal data for your organisation but not for the recipient you share it with.
This creates opportunities for data sharing, analytics partnerships, and dataset commercialisation that weren’t clearly permissible before. But it also creates immediate compliance obligations. If you share pseudonymised data and haven’t updated your privacy policies since September, you’re likely non-compliant right now.
The Ruling in 60 Seconds
The Single Resolution Board shared pseudonymised stakeholder opinions with Deloitte for analysis. The data was coded using 33-digit alphanumeric identifiers. SRB kept the key to re-identify individuals, but Deloitte had no way to link the codes back to real people. When individuals complained they weren’t informed about this data sharing, the case went to the CJEU.
The court made three findings that matter immediately. First, opinions and viewpoints are personal data, even when anonymised. Second, pseudonymised data uses a “relative approach” – the same dataset can be personal data for the sender (who can re-identify) but not for the recipient (who cannot). Third, transparency obligations remain with the sender: you must still tell data subjects about recipients in your privacy notices, even when those recipients receive effectively non-personal data.
The court rejected the “absolute approach” that had created uncertainty. Under that approach, data was considered personal for everyone if anyone could re-identify it. Now, whether data is “personal” depends on the specific means reasonably available to each party handling it.
What This Means: The “Relative Approach”
Whether data is “personal” depends on the “means reasonably likely to be used” by each specific actor. Data is not personal data where the “risk of identification appears insignificant” because re-identification would be unlawful, require disproportionate effort, or is technically impossible for that recipient.
Here’s how this works in practice. Your company collects customer reviews linked to customer IDs. For you, these reviews are personal data because you can link them to customer names. You share the reviews with an analytics vendor using hashed IDs. For the vendor, the same reviews are not personal data because they cannot reverse the hashing or link codes to individuals.
Consider clinical trial data. A pharmaceutical sponsor maintains patient data with key codes. For the sponsor, this is personal data because they hold the key. They share the coded data with a research partner but don’t share the key. For the research partner, the same dataset is not personal data because they cannot re-identify patients.
Or take device IDs in advertising technology. An AdTech platform maintains hashed device IDs that it can link to user profiles and browsing history. For the platform, these are personal data. The platform shares aggregated metrics with a third-party analytics firm that receives only the hashed IDs without any linking information. For the analytics firm, these IDs are not personal data.
The catch: even when recipients receive non-personal data, you must update your privacy policy to name those recipients. Transparency obligations stay with you as the data controller.
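The hashed-ID scenarios above depend on the recipient being unable to reverse the hashing. The following is an added example, not part of the original article: it contrasts an unkeyed SHA-256 pseudonym, which a recipient can recompute by enumerating a guessable ID format, with a keyed HMAC whose secret stays with the sender. The `CUST-` ID format, the sample reviews and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the sequential "CUST-nnnnnn" format is an assumption.
REVIEWS = [
    ("CUST-000017", "Delivery was late."),
    ("CUST-000942", "Great support team."),
    ("CUST-000017", "Second order arrived on time."),
]


def unkeyed_pseudonym(customer_id: str) -> str:
    """Plain SHA-256: anyone who can guess the ID format can recompute it."""
    return hashlib.sha256(customer_id.encode()).hexdigest()


def keyed_pseudonym(customer_id: str, key: bytes) -> str:
    """HMAC-SHA256: recomputing a pseudonym requires the sender's secret key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def build_export(reviews, pseudonymise):
    """Dataset handed to the recipient: pseudonym plus review text, no raw ID."""
    return [(pseudonymise(cid), text) for cid, text in reviews]


def id_space(limit: int = 1000):
    """Every ID the assumed format allows below `limit`."""
    return (f"CUST-{n:06d}" for n in range(limit))


def recoverable_by_enumeration(export, candidates):
    """Return pseudonym -> ID for each pseudonym matched by an unkeyed guess.

    A sender-side check before sharing: a non-empty result means the export
    can be linked back to IDs without holding any key.
    """
    table = {unkeyed_pseudonym(cid): cid for cid in candidates}
    return {p: table[p] for p, _ in export if p in table}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stays with the sender, never shared
    weak = build_export(REVIEWS, unkeyed_pseudonym)
    strong = build_export(REVIEWS, lambda cid: keyed_pseudonym(cid, key))
    print("unkeyed:", len(recoverable_by_enumeration(weak, id_space())), "IDs recovered")
    print("keyed:  ", len(recoverable_by_enumeration(strong, id_space())), "IDs recovered")
```

The keyed pseudonyms remain stable per customer, so the recipient can still group reviews by author without being able to regenerate the mapping.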
5 Documents to Update Right Now
Privacy Policies
Add all recipients of pseudonymised data to your “Who we share your data with” section. This applies even if the recipient receives effectively anonymous data. You must identify recipients by name or by meaningful categories of recipients. Generic references to “third parties” or “service providers” are insufficient.
The court ruled that transparency obligations arise at the point of collection, regardless of subsequent pseudonymisation. The burden is on you as the controller, not the recipient.
Data Sharing Agreements
Specify whether shared data is personal data for the recipient. Document your “means reasonably likely” assessment showing why the recipient cannot re-identify individuals. Include contractual prohibitions on re-identification attempts. Clarify which party’s GDPR obligations apply to the shared dataset.
If data is not personal for the recipient, they’re not bound by GDPR for that dataset. But you need documented evidence to prove it. Courts and regulators will scrutinise these assessments.
Data Subject Access Request (DSAR) Response Templates
Consider whether recipients of pseudonymised data must be named in DSAR responses. Data subjects have the right to know recipients under Article 15. The court clarified this applies even when recipients receive non-personal data.
Document your approach: will you name all recipients or only those for whom data remains personal? Update internal guidance for your teams handling DSARs. Be prepared to justify your approach to regulators.
Consent Forms
If you rely on consent as your legal basis, recipients must be specified in the consent wording itself. Update consent forms to name recipients or use well-defined categories. You cannot rely on generic “third parties” language.
GDPR requires specific identification of recipients when consent is the legal basis. Vague consent that doesn’t name recipients is not valid consent.
Legal Basis Documentation (Data Processing Records)
Document your legal basis for each disclosure of pseudonymised data. Record your “means reasonably likely” assessment for each recipient. Document why data is or isn’t personal for each recipient. Maintain evidence that re-identification is unlawful or requires disproportionate effort.
The burden of proof is on you to demonstrate data is not personal for the recipient. Keep contracts, technical specifications, security measures, and assessment documentation. Review these annually or when circumstances change.
The “Means Reasonably Likely” Assessment
When assessing whether pseudonymised data is personal for a recipient, work through these questions systematically.
Can the recipient access the pseudonymisation key? If yes, the data is personal for them. If no, continue.
Does the recipient have other information that could re-identify individuals? Consider whether they have partial identifiers like email domains, location data, or demographic information that could be cross-referenced. If yes, the data is personal for them. If no, continue.
Would re-identification be unlawful for the recipient? Consider contractual prohibitions, criminal offences, or professional obligations that would make re-identification illegal. If re-identification would be unlawful, the data is likely not personal. If lawful, continue.
Would re-identification require disproportionate effort? Consider the time, cost, and technology required. Account for the current state of technology and what’s commercially reasonable. If disproportionate, the data is likely not personal. If reasonable effort could achieve it, the data is personal.
Is there a realistic risk the recipient will attempt re-identification? Consider whether they have any legitimate reason or commercial incentive to re-identify individuals. If there’s no realistic risk, the data is likely not personal. If there’s a realistic risk, treat it as personal.
Document this assessment for each data sharing arrangement. Keep evidence including contracts, technical specifications, and security measures. Review assessments annually or when circumstances change.
Watch for red flags that indicate data is definitely personal for the recipient: they have partial identifiers, the dataset is small enough that unique characteristics could identify individuals, or they have legitimate reasons to re-identify individuals such as customer support obligations.
New Opportunities Unlocked
This ruling enables data partnerships that weren’t clearly permissible before. You can share pseudonymised datasets with third parties for analysis without imposing full GDPR obligations on recipients. Use independent data trustees or secure data clean rooms to ensure recipients cannot re-identify individuals. You can commercialise existing datasets in ways that previously seemed too risky.
For AI and machine learning, you can share training datasets with AI vendors where they cannot re-identify individuals. Recipients can process data without GDPR restrictions, provided the data is truly non-personal for them. This removes significant friction from AI development partnerships.
Research and analytics become more straightforward. You can provide pseudonymised data to research partners, enable cross-industry benchmarking, and support academic research with commercial datasets. The legal uncertainty that prevented many of these arrangements is now resolved.
In marketing and advertising technology, you can share hashed identifiers for attribution analysis and enable measurement without imposing full data controller obligations on measurement partners. This clarifies arrangements that have been operating in legal grey areas.
All these opportunities still require you to update privacy policies naming these recipients. The GDPR obligations shift between parties, but your transparency obligations remain unchanged.
Conclusion
The CJEU’s EDPS v. SRB ruling creates a more practical understanding of “personal data”. The same dataset can be personal for your organisation while being non-personal for recipients who cannot re-identify individuals. This unlocks opportunities for data sharing, analytics, and commercialisation.
But it doesn’t eliminate your obligations. You must still inform data subjects about recipients in privacy policies, regardless of whether data remains personal for those recipients. Transparency obligations stay with you as the data controller.
Update your five key documents: privacy policies, data sharing agreements, DSAR templates, consent forms, and legal basis documentation. Conduct “means reasonably likely” assessments for all pseudonymised data sharing arrangements. Document everything.
The ruling provides legal certainty for organisations using pseudonymisation properly. Take advantage of it, but maintain rigorous documentation to prove your assessments are sound.