ECJ (Case C‑413/23): no dis­clo­sure of “per­so­nal data” if the pseud­ony­mizati­on can­not be remo­ved for the recipient

EN 
EN  DE  FR 

from

on

Indu­stries

Aut­ho­ri­ty

Laws

,

Topics

, ,
Take-Aways (AI)
  • The ECJ does not gene­ral­ly con­sider pseud­ony­mi­zed data to be per­so­nal data; if third par­ties are not able to remo­ve the pseud­ony­mizati­on, data sub­jects remain uniden­ti­fia­ble to them.
  • The controller’s obli­ga­ti­on to pro­vi­de infor­ma­ti­on must be checked at the time of data coll­ec­tion; it does not app­ly if it is unli­kely that reci­pi­en­ts will be able to pro­cess the data as per­so­nal data at the time of collection.

The ECJ ruled on Sep­tem­ber 4, 2025 (Rs. C‑413/23) that a dis­clo­sure of pseud­ony­mous data does not con­sti­tu­te a dis­clo­sure of per­so­nal data if

The back­ground to this was a decis­i­on by the Sin­gle Reso­lu­ti­on Board SRBa Euro­pean Ban­king Uni­on aut­ho­ri­ty respon­si­ble for reso­lu­ti­on, which had initia­ted reso­lu­ti­on pro­ce­e­dings against a bank. In this con­text, state­ments were obtai­ned from share­hol­ders and cre­di­tors. The­se were later trans­mit­ted to Deloit­te in pseud­ony­mi­zed form:

28 Only tho­se opi­ni­ons were sub­mit­ted to Deloit­te that […] were asso­cia­ted with a alpha­nu­me­ric code were pro­vi­ded. Howe­ver, only the SRB could use this code to link the opi­ni­ons to the data coll­ec­ted during the regi­stra­ti­on pha­se […]. […] Deloit­te had no access to the data­ba­se with the data coll­ec­ted during the regi­stra­ti­on phase […].

It was dis­pu­ted whe­ther the affec­ted share­hol­ders and cre­di­tors should have been infor­med about the dis­clo­sure to Deloit­te, and the­r­e­fo­re in par­ti­cu­lar whe­ther this was a dis­clo­sure of per­so­nal data.

The ECJ ans­wers this que­sti­on in the nega­ti­ve: Pseud­ony­mi­zed data is not per­so­nal under all cir­cum­stances. If a third par­ty can­not remo­ve the pseud­ony­mizati­on, the data sub­jects are for this not iden­ti­fia­ble.

This judgment is cor­rect becau­se it results from the rela­ti­ve approach in deter­mi­ning the per­so­nal refe­rence: It depends on the iden­ti­fi­ca­ti­on pos­si­bi­li­ties of the body that pro­ce­s­ses data or has it pro­ce­s­sed by a pro­ces­sor. A direct con­se­quence of this is the fact that pseud­ony­mizati­on can have the same effect as anony­mizati­on vis-à-vis third par­ties, which is why pseud­ony­mizati­on could also be refer­red to as sub­jec­ti­ve anony­mizati­on. In Switz­er­land, the HGer Zurich 2021 deci­ded imme­dia­te­ly.

This means, for exam­p­le, that when dis­clo­sing robust­ly pseud­ony­mi­zed data to a pro­ces­sor abroad neither an ADV nor the SCC neces­sa­ry are. Howe­ver, the con­trol­ler may be requi­red to ensu­re con­fi­den­tia­li­ty and pur­po­se limi­ta­ti­on with the reci­pi­ent under the hea­ding of data secu­ri­ty and the­r­e­fo­re con­clude a qua­si DPA.

Test cri­te­ria for the per­so­nal reference

The con­cept of per­so­nal data depends on whe­ther a pie­ce of information

55 […] due to their Con­tentstheir For the pur­po­se of or their Effects is lin­ked to an iden­ti­fia­ble per­son (judgments of Decem­ber 20, 2017, Nowak, C‑434/16 […], OC v Com­mis­si­on, C‑479/22 […], IAB Euro­pe, C‑604/22 […] and the case law cited therein).

Howe­ver, it is not always neces­sa­ry to check the pur­po­se and effects of pro­ce­s­sing separately:

56 […] […] Accor­ding to the case-law cited in para­graph 55 of the pre­sent judgment, an exami­na­ti­on of the con­tent of an infor­ma­ti­on not neces­s­a­ri­ly com­ple­men­ted by an ana­ly­sis of their pur­po­se and impact beco­me. This results from the use of the con­junc­tion “or”, with which the various cri­te­ria men­tio­ned in this case law were linked.

Per­so­nal refe­rence of pseud­ony­mi­zed data

Initi­al­ly, pseud­ony­mizati­on is mere­ly a Mea­su­rewhich lowers the pro­ba­bi­li­ty of iden­ti­fi­ca­ti­on, and is not inclu­ded in the legal defi­ni­ti­on of per­so­nal data:

72 As sta­ted by the Advo­ca­te Gene­ral […], pseud­ony­mizati­on is the­r­e­fo­re not an ele­ment of the defi­ni­ti­on of ‘per­so­nal data’. Rather, it refers to the imple­men­ta­ti­on of tech­ni­cal and orga­nizatio­nal mea­su­res inten­ded to redu­ce the risk that a par­ti­cu­lar set of data is asso­cia­ted with the iden­ti­ty of the data subjects. […]

And if this mea­su­re leads to a per­son being de fac­to no lon­ger iden­ti­fia­ble the per­so­nal refe­rence is missing:

75 If such tech­ni­cal and orga­nizatio­nal mea­su­res are actual­ly taken and are sui­ta­ble to pre­vent the data in que­sti­on from being assi­gned to the data sub­ject, so that the data sub­ject is not or no lon­ger iden­ti­fia­ble, the pseud­ony­mizati­on may have an effect on the per­so­nal natu­re of the­se data within the mea­ning of Art. 3 No. 1 of Regu­la­ti­on 2018/1725.

For this rea­son, the employees trans­mit­ted Pseud­onyms are not per­so­nal data per se:

77 With regard to Deloit­te, to which the SRB has trans­mit­ted pseud­ony­mi­zed opi­ni­ons, […] the tech­ni­cal and orga­nizatio­nal mea­su­res […] can have the effect that the­se opi­ni­ons are not per­so­nal for Deloit­te. Howe­ver, this pre­sup­po­ses on the one hand that Deloit­te is not in a posi­ti­on to revo­ke the­se mea­su­res when pro­ce­s­sing the opi­ni­ons under its con­trol. On the other hand, the­se mea­su­res must also actual­ly be sui­ta­ble for pre­ven­ting Deloit­te from assig­ning the­se comm­ents to the per­son con­cer­ned, inclu­ding by other means of iden­ti­fi­ca­ti­on, such as a com­pa­ri­son with other ele­ments, so that the per­son con­cer­ned is not or no lon­ger iden­ti­fia­ble for Deloitte.

This result is in line with case law:

82 Fur­ther­mo­re, the Court has alre­a­dy ruled that a means is not likely to be used to iden­ti­fy the per­son con­cer­ned if the risk of iden­ti­fi­ca­ti­on appears de fac­to insi­gni­fi­cant becau­se the Iden­ti­fi­ca­ti­on of this per­son is pro­hi­bi­ted by law or imprac­ti­ca­ble e.g. becau­se it would requi­re a dis­pro­por­tio­na­te amount of time, cost and labor […]. […] 

83 Simi­lar­ly, the Court […] essen­ti­al­ly ruled that non-per­so­nal data per se coll­ec­ted and stored by the con­trol­ler nevert­hel­ess rela­ted to an iden­ti­fia­ble per­son, as the con­trol­ler had legal means to obtain addi­tio­nal infor­ma­ti­on from third par­ties that allo­wed that per­son to be identified. […].

84 In par­ti­cu­lar, accor­ding to case law […] data which are not in them­sel­ves per­so­nal can beco­me “per­so­nal” data if the con­trol­ler pro­vi­des them to other per­sons who have means which, accor­ding to com­mon judgment, are likely to allow the iden­ti­fi­ca­ti­on of the data subject. […] 

85 […] Unless […] it can be exclu­ded that the­se third par­ties are rea­son­ab­ly able to asso­cia­te the pseud­ony­mi­zed data with the data sub­ject by means such as a com­pa­ri­son with other data at their dis­po­sal, this per­son is to be con­side­red iden­ti­fia­ble both in rela­ti­on to the trans­mis­si­on of the data and in rela­ti­on to the sub­se­quent pro­ce­s­sing of the­se data by third par­ties. In such cir­cum­stances, pseud­ony­mi­zed data would have to be con­side­red as per­so­nal data.

86 Con­se­quent­ly, […] pseud­ony­mi­zed data must […] not con­side­red per­so­nal data in every case and for every per­son beco­me. This is becau­se pseud­ony­mizati­on can – depen­ding on the cir­cum­stances of the indi­vi­du­al case – actual­ly pre­vent per­sons other than the con­trol­ler from iden­ti­fy­ing the data sub­ject, so that the lat­ter is not or no lon­ger iden­ti­fia­ble to them.

Effects on the duty to inform

It was also dis­pu­ted to what point in time the obli­ga­ti­on to pro­vi­de infor­ma­ti­on about the reci­pi­en­ts should be applied. Here it comes does not depend on whe­ther a poten­ti­al sub­se­quent reci­pi­ent can make an iden­ti­fi­ca­ti­on:

112 It fol­lows […] that the SRB’s duty to pro­vi­de infor­ma­ti­on in the pre­sent case pri­or to the trans­mis­si­on of the opi­ni­ons in que­sti­on and regard­less of thiswhe­ther or not it was per­so­nal data from Deloitte’s point of view after pseudonymization.

113 […] It is clear from para­graphs 102 to 108 of the pre­sent judgment […] that that pro­vi­si­on governs the duty to pro­vi­de infor­ma­ti­on incum­bent on the con­trol­ler. at the time of coll­ec­tion of such data. The que­sti­on of whe­ther the con­trol­ler has ful­fil­led its duty to inform at that time can­not depend on the means of iden­ti­fy­ing the data sub­ject which a poten­ti­al reci­pi­ent might have at his or her dis­po­sal after a sub­se­quent trans­fer of the data in question.

114 As sta­ted by the Advo­ca­te Gene­ral […], the argu­ment […] that the per­spec­ti­ve of the reci­pi­ent should be taken in order to veri­fy com­pli­ance with this infor­ma­ti­on obli­ga­ti­on would lead to a tem­po­ral shift of this con­trol. Sin­ce this con­trol would neces­s­a­ri­ly con­cern per­so­nal data alre­a­dy trans­mit­ted to the reci­pi­ent, this argu­ment also dis­re­gards the The pur­po­se of the infor­ma­ti­on obli­ga­ti­on, which is inex­tri­ca­bly lin­ked to the rela­ti­on­ship bet­ween the con­trol­ler and the data sub­ject is.

This con­clu­si­on is plau­si­ble – but only if, at the time the data is coll­ec­ted, it is at least to be expec­ted that data will be dis­c­lo­sed to a reci­pi­ent that is effec­tively per­so­nal to that reci­pi­ent. If this is not to be expec­ted, e.g. becau­se it is clear that data is only to be pas­sed on in pseud­ony­mi­zed form, no obli­ga­ti­on to pro­vi­de infor­ma­ti­on can ari­se becau­se the cor­re­spon­ding pro­cess is not rele­vant to data pro­tec­tion and the­r­e­fo­re can­not have any con­se­quen­ces under data pro­tec­tion law.