On 4 September 2025, the Court of Justice of the European Union (CJEU) once again ruled on the concepts of pseudonymisation and anonymisation of personal data.
The judgment is, in part, attributed considerable significance, particularly with regard to the secondary use of personal data for research purposes. This is because, especially in the field of research, a clear distinction between the two concepts is of central importance: While pseudonymised data continue to fall within the scope of application of the GDPR, anonymised data may, in principle, be used without restriction for research purposes.
The following article examines the extent to which the key findings of the judgment actually lead to a relief in research practice.
Note: The judgment concerns provisions of Regulation (EU) 2018/1725, which governs the processing of personal data by Union institutions, bodies, offices and agencies. However, the CJEU explicitly clarified that the concept of “personal data” must be interpreted identically under this Regulation and under the GDPR. The judgment is therefore of equal relevance for companies as well as for authorities of the Member States.
Background of the Judgment
Deloitte was commissioned to carry out an assessment in accordance with a procedure under the SRM Regulation. Under this procedure, shareholders and creditors of the bank under resolution may exercise their right to be heard. The purpose of the hearing was to provide the Single Resolution Board (“SRB”) with a sound basis for its final decision as to whether the affected parties were entitled to compensation. The hearing procedure was divided into two phases:
- Registration: Affected persons could register their interest in a later hearing online.
- Statement: The SRB subsequently sent individual links to a questionnaire. Each statement was labelled not with a name, but with a randomly generated 33-digit code in order to be able to demonstrate that the responses had been duly taken into account.
For the evaluation, Deloitte received only the statements sorted and categorised by the SRB – without access to the identity data collected during the first phase. A linkage of the codes with the registration data was therefore excluded. The CJEU had to decide whether the statements transmitted to Deloitte constituted merely pseudonymised data or anonymised data.
Key findings of the CJEU
1st key finding: Relative link to an identifiable person
The CJEU clarifies that data which are clearly personal data for one controller may be anonymous for another recipient. This explicit emphasis on the relativity of the personal reference is new in the CJEU’s case law.
For the controller who performs the pseudonymisation and who typically holds the “additional information” required for re-identification, pseudonymised data always remain personal data. However, this does not automatically apply to recipients.
For data to be regarded as anonymous from the recipient’s perspective, positive criteria must be met and negative criteria must be excluded.
Positive criteria (requirements for anonymity from the recipient’s perspective)
Anonymity exists if at least one of the following conditions is met:
- The recipient is factually unable to attribute the data to an identified or identifiable natural person.
- A theoretical attribution may be conceivable, but it is legally prohibited or practically impossible.
Negative criteria (circumstances which, despite positive criteria, result in personal data)
Even if a positive criterion is met, the personal nature of the data remains if one of the following situations applies:
- The recipient is able to re-identify the data subject by means of publicly available information (e.g. by matching with online sources or press releases without naming individuals).
- The recipient has legal powers to request additional information from third parties (e.g. authorities, service providers, associations) that would enable identification.
- The recipient discloses the pseudonyms, which are anonymous for them, to a third party who possesses information enabling attribution. In this case, the data become personal data for both actors from the moment of disclosure.
- The recipient transfers the pseudonyms to a third party, and it cannot be ruled out that this third party may attribute them to individuals (e.g. by matching them with its own data sets). In this case, both the disclosure and the processing by the third party constitute processing of personal data.
If at least one positive criterion is met and none of the negative criteria apply, the data are considered anonymous for the recipient.
However, for controllers, no material changes arise in practice: The concepts of pseudonymisation and anonymisation remain unchanged; what is new is merely the clear emphasis on the relative nature of personal data.
2nd key finding: The decisive factor is the perspective of the processing entity in the individual case
The CJEU further clarifies that the classification of data as pseudonymised or anonymised must be carried out exclusively from the perspective of the respective processing actor. If the data are regarded as pseudonymised from the controller’s perspective, their processing is fully subject to the requirements of the GDPR. From the controller’s perspective, the recipient must be regarded as a third party, meaning that the disclosure must also comply with the requirements of the GDPR. Accordingly, the recipient must, for example, be mentioned in the data protection information, and appropriate data protection agreements may need to be concluded (e.g. a data processing agreement). This applies even if the data are (relatively) anonymous for the recipient.
It should be emphasised in particular that the CJEU judgment concerns the processing of non-sensitive personal data. For the processing of special categories of personal data for research purposes (e.g. health data), authorities and courts regularly apply significantly stricter standards.
Conclusion
Overall, the practical significance of the CJEU judgment must be assessed in a differentiated manner. The explicit confirmation of the relative nature of personal data does create additional clarity for research practice, particularly when distinguishing between pseudonymisation and anonymisation. Research institutions thus receive a more reliable basis for assessing when data can genuinely be considered anonymous from their perspective.
At the same time, however, the judgment does not change the fact that data protection requirements for controllers remain high. As soon as data must be classified as personal data from their own perspective, all obligations under the GDPR apply. The decision therefore facilitates the assessment on the recipient side, but does not lead to a general relief for controllers in the research sector.
