The European Court of Justice delivered a judgement on 4 September 2025 interpreting the concept of personal data in a way that could have significant implications for how companies and authorities share data going forward.
Therefore, in this article, we delve into the judgement and examine the consequences it is expected to have for those of you working with data protection.
At the beginning of September, a judgement was handed down in a case which has now proved to have far-reaching consequences for the interpretation of the concept of personal data.
The case concerned the question of the GDPR's application to pseudonymised personal data, i.e. personal data which, prior to transfer to a third party, has been masked in such a way that the party holding the key to the dataset can restore the information to clear text.
Pseudonymisation must therefore not be confused with anonymisation, which in a GDPR context must be irreversible.
In the case, the SRB (Single Resolution Board, or in Danish Den Fælles Afviklingsinstans, which is the EU's central authority for the resolution of banks in the banking union) had sent a completed questionnaire survey to Deloitte for analysis of the responses.
The responses had been provided by individuals, but before transmission to Deloitte, the SRB had pseudonymised the answers. Deloitte did not, in fact, need to know the personal connection in order to deliver its service. The SRB had not informed the respondents that Deloitte would later receive their responses for analysis.
The question in the case was therefore whether it was an error that the duty to provide information as set out in Article 13 of the GDPR had not been followed by the SRB.
The judgement's central message: The recipient's perspective is decisive
The question of the meaning of the concept of personal data has far greater scope than the duty to provide information.
All information that is not personal data falls, by definition, outside the scope of the GDPR. This means that there is no requirement to maintain records, enter into data processing agreements or take account of the right to erasure, access and data portability.
Previously, the rules were applied such that as long as anyone (including the data controller itself) could take a dataset and identify individuals, the data was considered personal data and therefore fell within the scope of the GDPR.
But the EU judgement now states that 'anyone' must be replaced by the receiving party of the dataset in question – and the assessment should therefore, in this case, be made from Deloitte's perspective and not from the perspective of any conceivable recipient:
If Deloitte did not, in reality, have a reasonable chance of re-identifying the respondents, then the dataset would not be personal data, and the obligations under the GDPR would not apply.
A potential regulatory relief with political attention
The judgement is a breakthrough and a potentially huge regulatory relief, if the conditions are respected and applied correctly.
The relief has attracted massive political attention because the AI agenda and the pressure on the EU's innovative capabilities have made the GDPR a scapegoat for even the slightest hint of a future where the EU can compete with the USA, China and India.
Furthermore, the entirely pragmatic and logical consequence of the judgement is that companies and authorities that process personal data begin to take genuine responsibility for privacy and protection principles by focusing on themselves first, rather than 'imposing' data processing agreements and security requirements down through an endless chain of data processors and sub-processors with the law behind them.
Genuine compliance rather than pseudo-compliance. Responsibility rather than control.
For providers of B2B services, it will be pertinent to consider whether one can deliver one's services on the basis of pseudonymised information.
For data controllers, it will be pertinent to consider whether one can design IT solutions that can insert the required security layer between the data controller and the suppliers.
The important questions raised by the judgement
The judgement has already had ripple effects. The Danish Data Protection Agency has stated that as a data controller, one cannot remove the processing of personal data by data processors from the data processor construction.
But the fundamental question in that context is whether there should be a data processing agreement at all if the recipient (the supplier) cannot identify the data subjects?
The Data Protection Agency also states that a supplier's further processing of data belonging to the data controller for the supplier's own purposes will require a basis for disclosure, i.e. a legal basis for processing that covers disclosure.
But again – if the data are not personal data for the recipient, why should there be a legal basis for processing?
In my assessment, the original legal basis can always accommodate deletion, anonymisation and pseudonymisation – it can never be incompatible with the law. Once one has reached, for example, anonymisation, the obligations cease.
Furthermore, the GDPR abolished the dual legal basis that previously existed, in the form of a legal basis for processing and a legal basis for disclosure. So I do not believe that disclosure as such should be problematised in any way other than what the original legal basis can accommodate.
It's our privacy that's at stake – not data in itself.
If data are fully anonymised, then the data controller is free to share and even publish the data.
This is possible because anonymous information, by definition, does not relate to individuals and therefore does not need to be subject to the protection of individuals' privacy and right to the protection of information, including the requirement for a legal basis for processing.
Why should the same not apply to pseudonymised information when the SRB judgement states that it is the recipient's ability to re-identify that determines whether something is personally identifiable?
For me, the second crucial question is instead what is required in relation to the data controller's assessment of the possibility of re-identification by the third party? The third party is, all other things being equal, best placed to assess its own possibility of re-identification. It cannot be sufficient for the original data controller alone to assess others' ability to re-identify. That would be guesswork.
Instead, in my view, one should replace data processing agreement terms with guarantees from the third party concerning their lack of ability to re-identify individuals.
In the spirit of the regulations, there should also be documentation or an independent assessment, possibly from an independent party (in certain contexts), which has verified the third party's statement.
Such a solution would shift the responsibility from the data controller to the third party, but would give the original data controller peace of mind on the compliance front. In my view, the third party would have far greater headaches from contractual reprisals and insurance questions than from the risk of enforcement by the EU (which is really lagging due to the complicated cooperation system and the limited resources available to data protection authorities).
A related question will be whether, in ongoing service agreements (which the data processor construction often represents through, for example, SaaS, IaaS and PaaS), one should repeat the re-identification assessment, and if so, how often. And whom can and should one then trust?
But that question already exists today. Just look at the Chromebook case, where Google struggled to comment on the connection between software and hardware.
A significant contribution to the balance between security and innovation
Regardless of the many questions the judgement will raise, it is a significant and quite clear contribution to the interpretation of the GDPR, which addresses the fundamental tensions between privacy and security on the one hand, and innovation and digitalisation on the other.
If the EU is to get back on the innovation track, the rules must improve conditions.
The GDPR must not stand in the way of a good idea or global competition on the tech side.
With the judgement, the GDPR has far less scope, provided we can organise our workflows correctly. That is actually really sensible.
One should also remember that the GDPR is not disappearing – and instead of trying to control all kinds of global third parties and countries, EU companies and authorities can concentrate their efforts on themselves. This will still require a huge effort – it will simply feel more right.