Introduction
On September 4, 2025, the Court of Justice of the European Union (the “CJEU”) rendered its decision in Case C-413/23 P, European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (the “Decision”). This ruling clarifies that, in some circumstances, pseudonymized data may not be considered personal data under EU data protection laws.
Questions of this nature arose earlier this year when the European Data Protection Board issued its guidelines on pseudonymization. The Decision addresses several questions discussed in our previous article, and impacts Canadian organizations subject to the GDPR.
The Decision
In the Decision, the CJEU largely followed the non-binding opinion of the Advocate General of the CJEU. In particular, the CJEU affirmed that pseudonymized data may not always be considered "personal" for a party, for example, if the pseudonymization could prevent that party from identifying the individual. In this context, whether data is considered "personal" depends on the perspective and identification capabilities of the party handling it. For example, while a third-party service provider may not be able to identify an individual using the pseudonymized data alone, that same data would still be considered "personal" for a controller who holds an identification key, triggering the usual obligations applicable to personal data under the GDPR.
The CJEU noted that identifiability must be assessed by considering all methods that could reasonably be used to identify an individual, whether directly or indirectly, including techniques such as targeting by either the data controller or another party. When determining whether such methods are reasonably likely to be used to identify the person, consideration must be given to objective factors such as the cost and time required to identify an individual. The CJEU also upheld its previous determination that a method of identification may not be considered reasonably likely to be used if, in practice, the risk of identifying the person is insignificant, such as where identification would be unlawful or virtually impossible.
The Decision provides welcome clarity regarding the nature of pseudonymized data, whether it is held by a controller or a third-party recipient, and the corresponding obligations and expectations of these parties when handling it.