Analysis of CJEU judgment C-413/23 P: Implications for pseudonymised data

A new CJEU judgment clarifies that pseudonymized data remains personal data from the sender's perspective. This decision reinforces GDPR transparency obligations and has significant implications for the EU Data Act. Companies must now re-evaluate their data sharing practices, particularly for AI, and update their privacy notices.

Factual Background and Key Arguments

The case underlying the judgment concerned comments collected by the Single Resolution Board (SRB) from data subjects. These comments were pseudonymized with a 33-digit code and transferred to Deloitte. The SRB retained the key information that allowed the code to be linked to the submitters; Deloitte had no access to it. The SRB argued that from Deloitte's perspective, the data was anonymous and should therefore be treated as anonymous at the point of transmission. A detailed analysis of the case, which has been referred back to the General Court (EuG) for further proceedings following the ECJ judgment, can be found here.

Takeaway 1: The anchor point – It's all about the moment of collection

The CJEU stated that the data controller's perspective at the time of collection is decisive. Applied to the case, this means: Since the SRB knew the individuals' identities when it collected the data, the data was personal data for the SRB. This classification remained unchanged upon transmission to Deloitte, as the recipient's perspective is irrelevant. The transparency obligation thus arose at the moment of collection by the SRB.

Takeaway 2: Your opinion = Your data

The Court clarifies that personal opinions are inextricably linked to a person. Applied to the case, this means: The comments transferred to Deloitte constituted personal data for the simple reason that they were opinions. Their nature as an expression of an individual makes them inherently personal, regardless of any other identifiers.

Takeaway 3: Compliance Duties and Perspective on Pseudonymised Data – GDPR Remains Fully Applicable

The judgment highlights two key aspects for businesses:

1. No Anonymity for the Controller
   For the original controller, pseudonymised data is never anonymous. The controller must assess whether it is authorised under the GDPR to disclose the data – particularly where this involves a new purpose. A blanket approach is inappropriate. Special caution and thorough scrutiny are required when processing special categories of personal data under Article 9 GDPR.
2. Relative anonymity and case-by-case assessment
   The judgment cautiously advances the case law towards a “relative concept of anonymity”, meaning that classification depends on perspective. At the same time, it confirms that the question of re-identifiability must always be examined on a case-by-case basis. Further developments may arise from a pending referral by the German Federal Court of Justice (BGH) concerning whether IP addresses constitute personal data where the recipient has no reason to link them to individuals. A decision is not expected before 2027. In addition, legislative changes to the data protection framework are anticipated in 2026/2027, so businesses and legal advisers should continue to monitor the regulatory landscape.

While transparency obligations for the sender are reinforced, pseudonymised data may be considered legally anonymous for the recipient – subject to the strict condition that no re-identification is attempted. This creates opportunities for certain data uses (e.g., AI training, Data Act compliance) but demands clear compliance boundaries. The judgment does not create new freedoms: GDPR continues to apply, including to pseudonymised data. Businesses must maintain rigorous compliance, especially for special categories.

The To-Do List: Practical Requirements

The judgment leads to four key operational requirements:

1. Overhaul privacy notices: Ambiguities must be eliminated. All potential categories of recipients, including for pseudonymized data, must be clearly named.
2. Scrutinise data sharing: All data sharing agreements (especially data processing agreements) must be reviewed to ensure they correctly reflect the processing of pseudonymized data as personal data.
3. Re-evaluate data flows: Data flows, especially for AI and big data applications, must be re-evaluated to meet transparency requirements from the outset.
4. Prepare for the data act: Processes for data access requests under the Data Act must be implemented, taking into account the CJEU's clarifications.