Recognition of the subjectivity of the concepts of personal data and pseudonymisation

November 2025  |  SPECIAL REPORT: HEALTHCARE & LIFE SCIENCES

Financier Worldwide Magazine

November 2025 Issue

In a long-awaited and much-needed judgment dated 4 September 2025, the Court of Justice of the European Union (CJEU) ruled on the concept of ‘pseudonymisation’, endorsing a subjective approach to assessing the identifiability of a data subject.

This opens new perspectives for data reuse, particularly in the health sector, where secondary use is essential for both research and innovation.

Facts and reasoning

This judgment was rendered in the context of a resolution procedure initiated by the Single Resolution Board (SRB) against a Spanish bank. As part of this procedure, the SRB transmitted to a third party (Deloitte), for evaluation purposes, comments from the bank’s creditors and shareholders. The transmitted comments were associated with an alphanumeric code, and Deloitte did not have the information necessary to re-identify the authors. Only the SRB was able, using this code, to link the comments to the authors’ identification data. The authors of the comments submitted five complaints to the European Data Protection Supervisor (EDPS), arguing that the SRB had not informed them that their data would be transmitted to third parties.

The two main questions were whether the pseudonymised data transmitted should be considered personal data from the recipient’s perspective, and if not, whether the obligation to inform data subjects about the transmission still applies.

The General Court annulled the EDPS’s decision, due to its strict approach to pseudonymisation, considering that “the fact that Deloitte did not have access to the information held by the SRB that would enable re-identification does not mean that the ‘pseudonymised’ data transmitted to Deloitte became anonymous data”, and thus held that “‘Pseudonymised’ data remain so even when transmitted to a third party that does not have additional information”.

Before the CJEU, the SRB, supported by the European Commission, disputed the EDPS’s argument, in favour of a subjective approach to pseudonymisation. According to this approach, pseudonymised data do not, in all circumstances, constitute personal data “solely because of the existence of information enabling the data subject to be identified”.

The CJEU adopted this approach, holding that, “contrary to what the EDPS maintains… pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable”.

The CJEU noted that technical and organisational measures may have the effect that, for the recipient, “those comments are not personal in nature” if: (i) the recipient is not “in a position to lift those [technical and organisational] measures during any processing of the comments which is carried out under its control”; and (ii) “those measures must in fact be such as to prevent [the recipient] from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors”.

Impact of the judgment on the concepts of pseudonymisation and personal data

Pseudonymised data constitute personal data from the perspective of the data controller, who has the means to identify the data subjects, but not necessarily from the perspective of the recipient, provided that, for the latter, the data subject is not or is no longer identifiable.

Data subjects are not identifiable where the technical and organisational measures implemented by the controller: (i) cannot be lifted by the data recipient; and (ii) prevent the use of other means of identification, such as cross-referencing by the recipient.

The Article 29 Working Party, in its opinion on anonymisation techniques, identified three essential risks in anonymisation, through which to analyse the nature of data: (i) singling out (the possibility to isolate some or all records which identify an individual in the dataset); (ii) linkability (the ability to link at least two records concerning the same data subject or a group of data subjects); and (iii) inference (the possibility to deduce, with significant probability, the value of an attribute from the values of a set of other attributes).

This analysis remains relevant. The clarification provided by the ruling is that this analysis can be carried out separately, on the one hand by the controller, and on the other hand by the recipient of the pseudonymised data.

As a result, pseudonymised data may be assessed differently, depending on the means of identification available to the actors accessing them, and may or may not constitute personal data.

This leads to a subjective approach to the notions of ‘personal data’, ‘pseudonymisation’, and, by extension, ‘anonymisation’.

Thus, the same data may be pseudonymous for one actor and anonymous for another.

Although this decision does not open many doors for clinical research, since such research requires access to sufficiently detailed information to be useful, it could nevertheless facilitate the secondary use of data by AI system providers, where the level of data granularity can be limited to what is necessary for AI training purposes (as long as the combination of values never allows re-identification, based on a subjective risk assessment).

Link between the nature of data and data subjects’ right to information

Beyond the issue of the nature of the data, the judgment provides guidance on the information obligation, considering that, for the application of this obligation, “the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller”. The data controller should therefore inform data subjects of the transmission of their data to a recipient, regardless of whether the data constitute personal data for the recipient.

Therefore, the subjective nature of the data for the recipient does not affect the controller’s obligation to inform them about its transmission.

Even if the recipient is not required to comply with data protection principles because the data are considered anonymous to him, the initial controller remains bound by those principles in relation to that recipient.

In this context, it is therefore crucial to conduct a comprehensive re-identification risk assessment, guided by the three anonymisation criteria and considering the data, processing activities and actors involved.

 

Marguerite Brac de La Perrière is a partner and Léa Rogerie is a paralegal at Fieldfisher. Ms Brac de La Perrière can be contacted on +33 (0)1 89 53 20 49 or by email: marguerite.bracdelaperriere@fieldfisher.com. Ms Rogerie can be contacted on +33 1 89 53 20 52 or by email: lea.rogerie@fieldfisher.com.

© Financier Worldwide

BY

Marguerite Brac de La Perrière and Léa Rogerie

Fieldfisher

©2001-2025 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.