ARTICLE
21 October 2025

EU Weighs In On Pseudonymized Data

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin Richter & Hampton logo
Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Explore Firm Details
A thorny issue for companies has been how to handle data derived from personal information.
European Union Privacy
Liisa M. Thomas and Kathryn Smith
Your Author LinkedIn Connections
Sheppard Mullin Richter & Hampton are most popular:
  • within Energy and Natural Resources topic(s)

A thorny issue for companies has been how to handle data derived from personal information. Is it still personal information? Do privacy laws apply? The EU Court of Justice of grappled with this issue in a September decision. The case arose following a Spanish bank's financial difficulties. Its regulatory agency, the European Single Resolution Board, stepped in to attempt to value some of the bank's investments and otherwise determine next steps. As part of the process, the board hired a consulting firm to analyze feedback from the bank's shareholders and creditors. The board collected the information, pseudonymized the data, and then sent the pseudonymized data set to the consulting firm.

At issue was whether the entity should have told shareholders the sharing with the consulting firm would happen. In other words, treating the pseudonymized data as personal and following notice obligations under a privacy law applicable to entities like the board (Regulation 2018/1725, which is like GDPR but applicable to EU institutions like the board). Which, according to the Court, included telling individuals at the time information was collected, of "potential recipients of that data" (para. 108). The Court held that if pseudonymized data can be combined with other information and identify the individual, it still counts as personal data. The Court noted that this analysis should be made separately for each entity: the original company and the data recipient.

Putting It Into Practice: Knowing when personal information is no longer "personal" will impact what legal obligations apply. As courts -like the one here- often point out, this is a factual analysis, and thus develop proactive processes and procedures can be tricky. In particular, because an entity may not have a full picture of all of the different data flows or intended internal or external uses. Remembering that any organization is made up of individuals with different needs and practices can help. Consider regular check-ins and conversations with business leaders and business teams to understand their current and future data uses and needs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Kathryn Smith
Kathryn Smith
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More