A case seeking to provide clarity on EU General Data Protection Regulation requirements governing when pseudonymized data is to be considered personal information recently concluded without locking in a firm definition under the law. After being remanded by the Court of Justice of the European Union back to the European General Court for reconsideration, the case — EU Single Resolution Board v. the European Data Protection Supervisor — was ultimately withdrawn at the request of the parties without formally considering CJEU directives.
The case, which began as an SRB proceeding involving an insolvent Spanish bank in 2017, ultimately wound up with the CJEU after the EDPS brought an appeal of a General Court's 2023 ruling that sided with the SRB. The appeal addressed three core legal issues involving whether a person's pseudonymized opinions constitute as personal data, the circumstances when pseudonymized data is considered personal data and data controllers' notification obligations for reidentification risk during processing. The CJEU supported parts of the EDPS's appeal while siding with the SRB in other areas.
On 19 Dec. 2025, the General Court accepted the withdrawal of the case after the lead parties agreed to pay their respective portions of the costs incurred by the court. The European Commission and European Data Protection Board, which had joined as interveners on opposing sides, also agreed to pay their own costs.
The absence of a final decision based on CJEU conclusions potentially leaves room for ongoing ambiguity around pseudonymized data as legal observers and other EU stakeholders consider next steps. However, IITR Datenschutz Data Protection Officer and Lawyer Sebastian Kraska said the absence of a final ruling simply means the CJEU's clarifications now serve as the de-facto requirements.
Kraska recommended practitioners familiarize themselves with the CJEU's ruling on the EDPS appeal because it will help them understand how EU digital regulators will likely approach issues involving pseudonymized personal data going forward.
"The SRB ultimately lost the case and may therefore not be interested in providing further resources here," Kraska said in an email to the IAPP. "The other side may also have no interest in continuing to fight the case, especially since the CJEU has set out a relatively clear general line on pseudonymization, regardless of the General Court's decision."
EU data protection authorities are in midst of revising European Data Protection Board guidelines on pseudonymized data with the aim of incorporating the CJEU's determinations. It is unclear if those revised guidelines will be impacted by the withdrawal of the case before the General Court's final ruling.
Background
The case originated in June 2017, when the SRB issued a preliminary decision regarding awarding compensation to an insolvent Spanish bank's creditors and shareholders without obtaining their input. The SRB established a subsequent mechanism for the stakeholders to provide comments on its ruling and transferred them in pseudonymized form to Deloitte, which was tasked with carrying out a valuation of the effects of the resolution procedure on shareholders and creditors.
In 2020, the EDPS initially ruled the SRB's sharing with Deloitte constituted personal information and stakeholders had not been notified their comments would be transferred to a third party, in violation of the GDPR.
Three years later, the SRB successfully petitioned the General Court to annul the EDPS's decision on the grounds that the pseudonymized data received by Deloitte was sufficiently deidentified so it could not be related to a natural person, as required by the GDPR, and that the EDPS had not considered the contents of the comments transferred to Deloitte to determine if they actually contained personal information.
The CJEU's perspective
In September 2025, the CJEU sided with the EDPS in finding that individuals' personal opinions constitute personal information and the General Court erred by not considering the bank stakeholders' opinions as personal information. It also sided with the EDPS that the reidentification risk of processing and transferring personal data must be evaluated on a case-by-case basis at the time of collection, and that the General Court erred in annulling the EDPS's original ruling, in part, because it had failed to determine if the contents of the pseudonymized comments contained personal information.
The CJEU, however, sided with the SRB for the question of under what conditions pseudonymized data can also be personal data, writing in the decision that "pseudonymized data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application (of the GDPR) in so far as pseudonymization may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."
"The key messages of the CJEU in the SRB ruling are here to stay — irrespective of the redrawing of the case," Baumgartner Baumann Partner Ulrich Baumgartner, CIPP/E, said. "In that respect, the CJEU essentially confirmed the General Court so the fact that there won't be a final decision doesn't change the importance and practical relevance of the CJEU decision in the SRB case."
Alex LaCasse is a staff writer for the IAPP.
