IAPP Europe Data Protection Congress 2025

BRUSSELS

19-20 November

When is Pseudonymized Data (Non)personal Data? Decoding the EDPS v. SRB Ruling

Thursday, 20 Nov.

16:30 - 17:30 CET

Intermediate level

BREAKOUT SESSION | REGULATORY GUIDANCE | STRATEGY AND GOVERNANCE | PROGRAM MANAGEMENT

Moderator: Joe Jones, Director of Research and Insights, IAPP

Ulrich Baumgartner, CIPP/E, Regional Leader, DACH, IAPP; Partner, Baumgartner Baumann

Karolina Mojzesowicz, Deputy Head of Unit Data Protection, European Commission

Gintarė Pažereckaitė, Legal Officer at the Secretariat, European Data Protection Board

Thaima Samman, Partner, SAMMAN

The debate on the scope of the definition of personal data gained further momentum this September with the EDPS v. SRB judgment, in which the CJEU concluded that pseudonymized data is not always personal data. The court clarified that, depending on the context, such data may be considered non-personal for a third-party recipient, specifically when that recipient cannot reasonably identify the data subject.


This session will address important business, legal and practical questions arising from the judgment, including its impact on how companies and institutions design and govern their data frameworks. It will also examine the distinction between pseudonymized and anonymized data, and the EDPB’s recent and future revised guidelines on this subject.

What you will learn:

  • The legal interpretation of the EDPS v. SRB judgment and its outcomes.
  • The operational implications and practical recommendations for practitioners.
  • Additional considerations across relevant compliance obligations.
  • How EDPS v. SRB might expand the use of privacy-enhancing technologies.