ARTICLE
21 October 2025

EU Weighs In On Pseudonymized Data

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
A thorny issue for companies has been how to handle data derived from personal information.
European Union Privacy
Liisa M. Thomas and Kathryn Smith
Your Author LinkedIn Connections
Liisa M. Thomas’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with readers working within the Consumer Industries industries
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring topic(s)

A thorny issue for companies has been how to handle data derived from personal information. Is it still personal information? Do privacy laws apply? The EU Court of Justice of grappled with this issue in a September decision. The case arose following a Spanish bank's financial difficulties. Its regulatory agency, the European Single Resolution Board, stepped in to attempt to value some of the bank's investments and otherwise determine next steps. As part of the process, the board hired a consulting firm to analyze feedback from the bank's shareholders and creditors. The board collected the information, pseudonymized the data, and then sent the pseudonymized data set to the consulting firm.

At issue was whether the entity should have told shareholders the sharing with the consulting firm would happen. In other words, treating the pseudonymized data as personal and following notice obligations under a privacy law applicable to entities like the board (Regulation 2018/1725, which is like GDPR but applicable to EU institutions like the board). Which, according to the Court, included telling individuals at the time information was collected, of "potential recipients of that data" (para. 108). The Court held that if pseudonymized data can be combined with other information and identify the individual, it still counts as personal data. The Court noted that this analysis should be made separately for each entity: the original company and the data recipient.

Putting It Into Practice: Knowing when personal information is no longer "personal" will impact what legal obligations apply. As courts -like the one here- often point out, this is a factual analysis, and thus develop proactive processes and procedures can be tricky. In particular, because an entity may not have a full picture of all of the different data flows or intended internal or external uses. Remembering that any organization is made up of individuals with different needs and practices can help. Consider regular check-ins and conversations with business leaders and business teams to understand their current and future data uses and needs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Kathryn Smith
Kathryn Smith
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More