This event features discussions on important judgments recently delivered by the Court of Justice of the European Union (CJEU).
On 4 September 2025, the First Chamber of the Court of Justice of the European Union issued a judgment in appeal concerning the obligation to inform data subjects about data transfers, while clarifying the definitions of personal and pseudonymised data. The case concerns the collection of comments and opinions by the Single Resolution Board (SRB) from affected shareholders and creditors of a Bank subject to a resolution (Banco Popular). To analyse these comments, the SRB engaged the consulting firm Deloitte and transferred some of these comments to it after having pseudonymised them. The core of the dispute was whether pseudonymised data transferred by an EU authority (the Single Resolution Board) to an external service provider (Deloitte) should be considered personal data within the meaning of Regulation 2018/1725, and more largely within the meaning of European data protection law.
In this judgment, first, the Court considered that the comments and opinions issued by the affected shareholders and creditors constituted information relating to natural persons. Then, it refuted that such pseudonymised data constituted, in all cases, personal data, solely because of the existence of information enabling the data subject to be identified. It highlighted that pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable. Finally, it demonstrated that in the present case, the SRB should have complied with its obligation of information, which must be assessed at the time of the data collection and from the point of view of the controller, irrespective of whether, for the recipient, the data received constituted personal data or not. The CJEU, in this ruling, set aside the judgment of the General Court and thus referred back to it for a new decision.
The judgment is interesting in many respects. It is particularly noteworthy that the CJEU confirms the relative conception of personal data and that subsequently the data protection obligations can differ between sender and recipient. The reasoning underlying this conclusion has far-reaching implications and clarifies the legal definitions of both personal and pseudonymised data.