Can Pseudonymised Data Be Shared Under GDPR?
In the latest episode of On Top of Data Privacy we discussed the Court of Justice of the European Union’s (CJEU) judgement in SRB v. EDPS.
In this article we will give you a deep dive into perhaps the most important privacy judgement of 2025 – can pseudonymised data be shared under the GDPR while retaining the data’s properties as personal data? This uncertainty has hindered data sharing and significantly raised the transactional cost of data transfers. Will we finally have clarity?
Does the Ruling Apply to GDPR?
First, the judgement did not apply to the GDPR per se. Instead, the judgement applied to the GDPR’s sister regulation 2018/1725 which governs EU bodies. Since the concepts of both regulations are identical, the conclusion reached by the CJEU is equally relevant for discussions on pseudonymised data, GDPR, and compliance more broadly.
What is ‘Pseudonymised Data’?
Pseudonymisation is a legal concept defined in the GDPR. Simply put, data is separated from a direct identifier such as a name or national identification number.
The identifier is replaced with a pseudonym – such as in the illustration below where names are replaced with a random string of numbers and letters. The key connecting the ‘name’ with the ‘applicable pseudonym’ is then stored in a secure data environment, ensuring that the users or systems processing the pseudonymised data set cannot connect the data with the identifier.
In summary, the pseudonymisation process will look something like this:
What is ‘Disclosure of Data to a Third Party’?
Disclosure is when the data is made available to a recipient that is another data controller. Consequently, the recipient will process the data received for his or her own purposes.
In our hypothetical scenario, above, the following data set is made available to the recipient:
The case tried by the CJEU was if this pseudonymised data set was personal data or non-personal data in the hands of the recipient.
CJEU: Pseudonymised Data Can Be Non-Personal
Simply put, the pseudonymised data set can be non-personal data in the hands of the recipient.
The concept of ‘personal data’ is contextual. Consequently, the disclosing party and the receiving party are required to make their own assessments if the data is personal data or not in the different stages of processing. This assessment can be documented in the form of a Data Transfer Agreement or similar to avoid confusion between the parties.
Therefore, if the recipient only receives the pseudonymised data set and not the key to “unlocking” the pseudonym – the data received can be non-personal data in the hand of the recipient. The disclosing party must treat the data as personal, since they hold the key to re-identification. An assessment will have to be made on a case-by-case basis in accordance with the CJEU’s criteria.
The CJEU’s Criteria for Assessing
The recipient must perform its assessment in accordance with the so-called Breyer criteria established in the CJEU’s case law. If the recipient has legal and reasonable means to re-identify the individual, the pseudonymised data remains personal in the hands of the recipient. The parties can, for example, apply contractual means to ensure that the pseudonymised data set cannot by reasonable means be re-identified by the recipient.
Can Pseudonymised Data Be Shared under GDPR?
The CJEU’s clarification brings greater legal certainty for data sharing. While case-by-case assessments remain, it will be easier to share pseudonymised data sets in compliance with the GDPR.
In addition, as icing on the cake, the cost associated with Data Transfer Agreements will be lowered since the roles of the disclosing party and the receiving party have been clarified.
Insights that Keep You Ahead, Compliant and Future-Ready
In the Q3 edition of 2025 we highlight the most significant regulatory updates, key court decisions, and upcoming developments shaping data protection and AI governance.
