A case seeking to provide clarity on EU General Data Protection Regulation requirements governing when pseudonymized data is to be considered personal information recently concluded without locking in a firm definition under the law. After being remanded by the Court of Justice of the European Union back to the European General Court for reconsideration, the case — EU Single Resolution Board v. the European Data Protection Supervisor — was ultimately withdrawn at the request of the parties without formally considering CJEU directives.

The case, which began as an SRB proceeding involving an insolvent Spanish bank in 2017, ultimately wound up with the CJEU after the EDPS brought an appeal of a General Court's 2023 ruling that sided with the SRB. The appeal addressed three core legal issues involving whether a person's pseudonymized opinions constitute as personal data, the circumstances when pseudonymized data is considered personal data and data controllers' notification obligations for reidentification risk during processing. The CJEU supported parts of the EDPS's appeal while siding with the SRB in other areas.

On 19 Dec. 2025, the General Court accepted the withdrawal of the case after the lead parties agreed to pay their respective portions of the costs incurred by the court. The European Commission and European Data Protection Board, which had joined as interveners on opposing sides, also agreed to pay their own costs. 

ADVERTISEMENT

Radarfirst- Looking for clarity and confidence in every decision? You found it.

In an email to the IAPP, EDPS Head of Supervision and Enforcement Thomas Zerdick said the office views the CJEU judgment as "fully valid and binding," and will serve as the "operative standard for evaluating when pseudonymized information is also personal data." Had the case proceeded in the General Court, he said it would have been only for the purposes of ruling on the "substance of (the) procedural matters," in the SRB's application to annul the 2020 EDPS decision. 

"The CJEU already decided on the substantive legal questions regarding the nature of personal data and when pseudonymized information constitutes personal data under the applicable regulation," Zerdick said. "That judgment continues to serve as authoritative legal authority on these issues." 

IITR Datenschutz Data Protection Officer and Lawyer Sebastian Kraska said the absence of a final ruling simply means the CJEU's clarifications now serve as the de-facto requirements. He recommended practitioners familiarize themselves with the CJEU's ruling on the EDPS appeal because it will help them understand how EU digital regulators will approach issues involving pseudonymized personal data going forward.

"The SRB ultimately lost the case and may therefore not be interested in providing further resources here," Kraska said in an email to the IAPP. "The other side may also have no interest in continuing to fight the case, especially since the CJEU has set out a relatively clear general line on pseudonymization, regardless of the General Court's decision."

EU data protection authorities are in midst of revising European Data Protection Board guidelines on pseudonymized data with the aim of incorporating the CJEU's determinations. Although, the absence of a final decision based on CJEU conclusions may precipitate a new debate over pseudonymized data as legal observers and other EU stakeholders consider next steps as negotiations on the European Commission's Digital Omnibus proposal have commenced. 

Zerdick said, "the CJEU's findings on pseudonymized data and personal data remain highly relevant to the Commission's proposal."

"The legal principles established by the Court of Justice continue to apply and inform how these issues should be understood in the context of EU data protection law, including in the ongoing legislative discussions," he added said. 

Background

The case originated in June 2017, when the SRB issued a preliminary decision regarding awarding compensation to an insolvent Spanish bank's creditors and shareholders without obtaining their input. The SRB established a subsequent mechanism for the stakeholders to provide comments on its ruling and transferred them in pseudonymized form to Deloitte, which was tasked with carrying out a valuation of the effects of the resolution procedure on shareholders and creditors.

In 2020, the EDPS initially ruled the SRB's sharing with Deloitte constituted personal information and stakeholders had not been notified their comments would be transferred to a third party, in violation of the GDPR.

Three years later, the SRB successfully petitioned the General Court to annul the EDPS's decision on the grounds that the pseudonymized data received by Deloitte was sufficiently deidentified so it could not be related to a natural person, as required by the GDPR, and that the EDPS had not considered the contents of the comments transferred to Deloitte to determine if they actually contained personal information.

The CJEU's perspective

In September 2025, the CJEU sided with the EDPS in finding that individuals' personal opinions constitute personal information and the General Court erred by not considering the bank stakeholders' opinions as personal information. It also sided with the EDPS that the reidentification risk of processing and transferring personal data must be evaluated on a case-by-case basis at the time of collection, and that the General Court erred in annulling the EDPS's original ruling, in part, because it had failed to determine if the contents of the pseudonymized comments contained personal information.

The CJEU, however, sided with the SRB for the question of under what conditions pseudonymized data can also be personal data, writing in the decision that "pseudonymized data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application (of the GDPR) in so far as pseudonymization may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."

"The key messages of the CJEU in the SRB ruling are here to stay — irrespective of the redrawing of the case," Baumgartner Baumann Partner Ulrich Baumgartner, CIPP/E, said. "In that respect, the CJEU essentially confirmed the General Court so the fact that there won't be a final decision doesn't change the importance and practical relevance of the CJEU decision in the SRB case."

Alex LaCasse is a staff writer for the IAPP.

Editor's note: This report has been updated to reflect additional perspective provided after its initial publishing.