In a landmark ruling issued on September 4, 2025, the Court of Justice of the European Union (CJEU) provided critical clarification on the scope of “personal data” under the General Data Protection Regulation (GDPR), particularly in the context of pseudonymized data and personal opinions. The decision in EDPS v SRB (C-413/23 P) has significant implications for businesses that collect, process, or transfer data involving EU data subjects.
Key Legal Questions Addressed
The CJEU addressed three pivotal questions that reshape how organizations must approach data governance:
1. Are personal opinions considered personal data under the GDPR?
Yes. The Court held that personal opinions—such as those expressed in surveys, feedback forms, or internal evaluations—are inherently linked to their authors and therefore constitute personal data if the individual can be identified. This applies even when such opinions are pseudonymized, provided reidentification is reasonably feasible.
2. Do data controllers have notification obligations when transferring pseudonymized data?
Yes. The CJEU emphasized that data controllers must assess the risk of reidentification on a case-by-case basis and cannot assume that pseudonymized data is exempt from GDPR obligations. The obligation to inform data subjects arises at the point of data collection, regardless of whether the data is later pseudonymized or transferred to third parties.
3. Is pseudonymized data considered personal data?
It depends. The Court clarified that pseudonymized data is not automatically personal data for every actor who processes it. The key factor is whether the recipient can reasonably reidentify the data subject using available means. This determination must be context-specific, considering the nature of the data, the technical safeguards in place, and the capabilities of the recipient.
Practical Implications for Businesses
This ruling has immediate consequences for organizations operating in or interacting with the EU market. Key considerations include:
- Reclassification of Data Types: Non-anonymous surveys, customer feedback, employee assessments, and similar expressions of opinion should be treated as personal data if they can be linked to an individual—even indirectly.
- Risk-Based Approach to Pseudonymization: Organizations must evaluate the likelihood of reidentification and document the technical and organizational measures used to mitigate that risk.
- Enhanced Due Diligence for Data Transfers: Both transferring and receiving entities must assess their respective obligations when pseudonymized data is shared. This includes updating data processing agreements and conducting transfer impact assessments.
- Policy and Documentation Updates: Privacy policies, internal procedures, and data protection impact assessments (DPIAs) may need to be revised to reflect the broader interpretation of personal data and the nuanced treatment of pseudonymized information.
Next Steps for Data Controllers
In light of the CJEU’s ruling, businesses should take the following steps to ensure compliance:
- Conduct a Data Audit: Identify all datasets that include personal opinions or pseudonymized information and assess their risk of reidentification.
- Review Contracts and Data Sharing Agreements: Ensure that agreements with third parties reflect the updated understanding of pseudonymized data and include appropriate safeguards.
- Update Training and Awareness Programs: Educate internal teams—especially those involved in data processing and compliance—on the implications of the ruling and the importance of context-specific analysis.
- Consult Legal Counsel: Engage with privacy counsel to evaluate your organization’s exposure and develop a tailored compliance strategy.
Conclusion
The CJEU’s ruling reinforces the GDPR’s broad protective scope and emphasizes the importance of context in assessing data identifiability. Businesses must now take a more nuanced and proactive approach to handling pseudonymized data and personal opinions to remain compliant and mitigate regulatory risk.
For assistance with GDPR compliance, data transfer assessments, or policy updates, our Cybersecurity & Data Privacy group is available to advise.