In its decision C‑413/23 P, the ECJ clarified the circumstances under which pseudonymized data continues to be considered personal data and how the information obligations towards data subjects at the time of data collection are to be assessed. These clarifications have direct implications for data protection practice, particularly in the context of data transfers, anonymization solutions, and compliance in institutions and companies.
1. Background and objective
In its judgment of September 4, 2025, the ECJ ruled in the case of EDPS v SRB (C‑413/23 P) on the interpretation of key terms in the EU Data Protection Regulation (specifically Regulation (EU) 2018/1725, which sets out the GDPR-like rules for Union institutions) .
Essentially, two contentious issues were at stake:
- When is pseudonymized data considered personal data?
- What obligation to provide information about data recipients already exists at the time of data collection?
The aim of this article is to systematically analyze these legal issues, elaborate on the grounds for the judgment, and highlight the implications for practice — in particular for controllers, data protection officers, and legal advisors.
2. Legal basis
2.1 Regulation (EU) 2018/1725 and definitions
For EU institutions, Regulation (EU) 2018/1725 (“EU-DPR”) applies instead of the GDPR. The definitions of “personal data” (Art. 3(1)) and ‘pseudonymization’ (Art. 3(6)) are similar to those in the GDPR.
According to Art. 3(1), “personal data” means any information relating to an identified or identifiable natural person. Identifiability is to be assessed in accordance with all reasonably applicable means (including technical and organizational means). With the criterion of reasonably applicable means, the ECJ thus follows the landmark decision in Switzerland (BGE 136 II 508 Logistep), but with a different conclusion.
Pseudonymization according to Art. 3(6) EU GDPR means that data is processed in such a way that it cannot be directly attributed to a data subject, but that additional information (e.g., a key/reference table) is available that allows re-identification if such information is available and is stored separately due to technical or organizational measures.
Furthermore, Art. 15(1)(d) of the EU GDPR is particularly relevant (parallel to the information obligations under Art. 13/14 of the GDPR) — this obliges the controller to inform the data subject about recipients or categories of recipients when collecting personal data.
Although the ruling concerns an EU institution and is based on EU law (EU GDPR), the lessons learned are also relevant for Swiss or German data protection practice — in particular for cross-border data flows, EU partners, or compliance considerations.
3. Facts and proceedings
The case stems from a measure taken by the Single Resolution Board (SRB), which operates under the Bank Resolution Regulation. As part of a coverage procedure, the SRB collected comments from former shareholders and creditors. These comments were pseudonymized (using an alphanumeric code) and then sent to a consulting firm (Deloitte); The SRB retained the key information for identification (i.e., re-identifiability).
The EDPS objected that the SRB had not properly informed Deloitte, the recipient, when collecting this data, thereby violating Art. 15(1)(d) EU-DPR.
In the previous instance, the General Court had overturned the EDPS’s decision in whole or in part, on the grounds that the pseudonymized material was not necessarily personal to Deloitte and that information about Deloitte only had to be provided if the recipient had the possibility of re-identification.
The ECJ disagreed in C‑413/23 P and referred the case back for further decision after clarifying the legal situation.
4. Key decisions of the ECJ
In its judgment, the ECJ sets out several important guidelines:
4.1 Perspective of the information obligation: at the time of collection
The decisive factor is the state of identifiability at the time of data collection and from the perspective of the controller (in this case, the SRB). This means that the SRB must assess at the time of collection whether personal data is present and whether transparency obligations apply accordingly.
The question of whether the data is still identifiable in the hands of the recipient (e.g., Deloitte) is not relevant for the information obligation.
Thus, a controller cannot argue that it does not have to provide information about recipients because the data is no longer personal after transmission—the transparency obligation must be applied earlier.
4.2 Nature of statements/opinions
The ECJ emphasizes that personal opinions or statements are, per se, data that “relate to” the data subjects—even if the content does not separately establish identifiability. In other words, the fact that someone makes a statement is closely related to the data subject in terms of data processing.
Such statements must therefore be regarded as personal data in principle, provided that they are identifiable, at least potentially.
4.3 Relative concept of data and “indirectly identifiable”
The ECJ confirms that the concept of personal data is relative: the same pseudonymized data may be personal for the original controller (because they have the key), but anonymous or unidentifiable for the recipient.
This means that just because a recipient cannot re-identify someone, this does not mean that the data is anonymous per se — the decisive factor remains the assessment of the means that can reasonably be used to identify someone.
4.4 Consequence: referral back and further examination
Since the General Court had not fully examined all legal remedies and had confused the correct application of these principles, the ECJ referred the case back to the General Court for a new decision.
5. Addendum: Swiss perspective – “determinability” according to BGE 136 II 508
The relative determinability of pseudonymized data emphasized by the ECJ in case C‑413/23 P has a largely comparable legal basis in Switzerland – in particular in the case law of the Federal Supreme Court (BGE 136 II 508). There, a clear distinction is made between theoretical and practical identifiability.
5. 1 Distinction from purely theoretical identifiability
The Federal Supreme Court held that not every theoretical possibility of identification is sufficient for information to be considered personal. Rather, the decisive factor is whether the effort required for identification is so great that, based on general life experience, it is unlikely that an interested party would undertake this effort (BGE 136 II 508 E. 3.2; BBl 1988 II 444 f. para. 221.1). This assessment is based not only on objective criteria, but also on a realistic assessment of the intentions of potential actors.
This idea is closely in line with the ECJ’s emphasis on examining whether identification is possible “by means that can reasonably be used.” Both approaches advocate a practical, reality-based interpretation of the concept of data.
5.2 Specific individual cases as a benchmark
Like EU law, the Federal Court also makes it clear that the assessment depends on the specific case, taking into account technical developments (e.g., Internet search tools) and organizational circumstances. Not only is the objective technical possibility of identification taken into account, but also the interest of the data processor or a third party in re-identification.
This assessment leads to a dynamic interpretation: Depending on who has the information and under what circumstances, the same category of data may be personal or anonymous – a core idea that the ECJ also expressly adopts.
5.3 Perspective of the recipient when data is disclosed
In the case of data disclosure – for example, to third parties as in C‑413/23 P – the Federal Supreme Court states: It is sufficient if the recipient is able to identify the data subject. It is irrelevant whether the recipient is dependent on the intervention of authorities for this purpose (as in the case of the identification of IP addresses by law enforcement authorities), as long as the effort required for the determination is not disproportionately high.
This also rejects, from a Swiss perspective, the argument that information can be considered anonymous simply because the recipient cannot decrypt it without the help of third parties. Rather, it is sufficient that re-identification is realistically possible under certain circumstances – a finding that is consistent with the content of the ECJ’s decision.
5.4 No abstract assessment of typical data categories
Finally, the Federal Supreme Court emphasizes that it is not possible to make an abstract statement as to whether certain types of data – such as dynamic IP addresses – are always personal or anonymous. Here, too, the principle of context-dependent, functional interpretation of personal reference is followed, as is also established in EU law.
5.5 Conclusion of the comparison
The comparison with BGE 136 II 508 shows that both Swiss and European data protection law require a differentiated, contextual consideration of determinability. The legal assessment criteria are largely harmonized: neither a purely theoretical nor an exclusively technical perspective is sufficient. The decisive factor is always the practical feasibility of re-identification, taking into account the means, interests, and circumstances in the specific case.
For data processing entities, this means that even in the Swiss context, recipient information, technical access options, and specific usage interests must be taken into account and documented when assessing the personal nature of data—especially in the case of pseudonymization and data transfers.
In our opinion, particular consideration should also be given to the extent to which contextual information enables the recipient to re-identify the data and how the contractual agreements are structured in this regard. If the recipient is simply contractually prohibited from using the data for their own purposes and thus from re-identifying it, they have no interest in doing so.
6. Practical implications and recommendations
6.1 Clarify transparency obligations regarding recipients
When collecting personal data, controllers must disclose which recipients or categories of recipients may receive data, regardless of whether the recipients could be considered anonymous after transmission. Data protection notices should therefore be precisely adapted to explicitly cover pseudonymized data flows and name recipients.
6.2 Review of data transfers and interfaces
When data is transferred, an internal analysis should be carried out to determine:
- Whether the recipient has access to re-identification options (e.g., keys, additional data sources). In our opinion, this is always the case in the age of AI.
- Whether technical or organizational measures are in place that make re-identification practically impossible.
- What risks are typical (costs, time, technological effort).
Only if it can be clearly ruled out that the recipient could reasonably carry out identification can it be argued that the data is anonymous in their hands. Conversely, this means that in case of doubt, it is not anonymous.
6.3 Adapt processing contracts and governance
Obligations in contracts with data recipients should clearly stipulate that no attempt at re-identification shall be made, key access shall remain excluded, and data processing shall be carried out on a strictly pseudonymized basis. In addition, documentation and evidence of technical and organizational measures is recommended.
6.4 Relevance for AI, data analytics, and research
The decision is also significant in areas such as AI model training or big data analytics: when pseudonymized data is passed on to third parties, transparency obligations must be strictly observed. The practice of transferring pseudonymized data without disclosing the recipients is likely to be largely excluded.
6.5 Adaptation of national data protection practices
This ruling sets a precedent for institutions in Switzerland or Germany that work with EU institutions or EU data flows. Even though federal law (e.g., DSG, GDPR) contains differences, the ECJ ruling provides important guidance.
7. Conclusion and outlook
With its ruling in C‑413/23 P, the ECJ provides decisive clarifications on the duty of transparency, the relative understanding of personal data, and the role of pseudonymized data in data protection law. The obligation to provide information about recipients begins at the point of data collection, and pseudonymized statements are generally considered personal data.
For data protection officers, this means in concrete terms that data protection notices, data transfer agreements, and data governance structures must be adapted. Anyone who passes on pseudonymized data today must disclose the recipients at the time of collection and exclude re-identifiability technically/contractually.
In the future, it remains to be seen how the General Court will implement the referral back and whether the ECJ will formulate specific standards in further cases—in particular, regarding the specific distinction between anonymous and pseudonymized data in data networks with complex processing flows (e.g., in healthcare, scientific research, AI).
Sources
- “Judgment of the Court in Case C‑413/23 P (EDPS v SRB)” – ECJ judgment text (pdf) Curia
- Federal Supreme Court decision of September 8, 2010 BGE 136 II 508 (Logistep)