Pseudonymisation under the GDPR: What the latest EU ruling means for organisations

On 4 September, the Court of Justice of the European UnionA Court interpreting EU law, ensuring it is applied in the same way in all EU countries, and settling legal disputes between national governments and EU institutions. The Courts ensure the correct interpretation and application of primary and secondary EU law within the EU. It consists of two courts: the Court of Justice and the General Court. (CJEU) delivered an important judgement in European Data Protection Board (EDPS) vs Single Resolution Board (SRB), providing fresh clarification on the status of pseudonymised data under the EU General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR). 

Regulators have historically viewed all pseudonymised data as personal dataInformation which relates to an identified or identifiable natural person., but the CJEU has now adopted a more pragmatic stance: it depends on whether the recipient can reasonably re-identify individuals. This ruling challenges a long-held regulatory position and could have a significant impact across sectors that rely heavily on coded or pseudonymised datasets. For the Life Sciences sector in particular, it raises important questions about the treatment of coded clinical trial data, which has until now been assumed to fall firmly within GDPR. 

In this blog, we explore what the judgment means for Life Sciences organisations. We outline the CJEU’s reasoning, discuss its potential impact on pseudonymised data, and share practical steps for ensuring continued compliance. 

• Pseudonymisation under the GDPR 
• CJEU ruling in EDPS vs SRB 
• Implications for organisations 
• Next steps for organisations 

Pseudonymisation under the GDPR

Under Article 4(5) of the GDPR, pseudonymisation means altering personal data so it cannot be linked to an individual without additional information. This security measure reduces privacy risk but, until now, has not been deemed to remove data from the GDPR’s scope (unlike anonymisation).  

Regulators have maintained that pseudonymised data must always be treated as personal data, regardless of who holds the ‘key’ to re-identification. In practice, this meant that even where a recipient organisation could not identify individuals, the data remained in scope if the originating organisation could. 

Under the GDPR, the organisation deciding how and why the data is used is known as the controller. Any third-party service provider processing data on the organisation’s behalf is known as a processor (for example, a cloud provider or research partner). 

CJEU ruling in EDPS vs SRB

The CJEU has taken a more pragmatic approach to pseudonymisation, finding that data pseudonymised by one party may not constitute personal data for another if the recipient cannot reasonably attribute the data to an individual — either from the information provided or from other information they hold. 

In EDPS v SRB, the Court applied this reasoning to data shared by a national authority with the Single Resolution Board (SRB). As the SRB had no access to the key linking coded data to individuals, re-identification was not reasonably possible. Therefore, the dataset did not qualify as personal data and fell outside the GDPR’s scope.  

However, this is not a blanket exemption. GDPR obligations still apply where re-identification remains possible in practice. Rich datasets, such as those containing demographic or health-related details, may still allow re-identification when combined with other information. 

Remaining uncertainties

Although the ruling offers helpful clarity, it still leaves grey areas. The EDPS vs SRB case concerned a controller-to-controller transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. — where the data is shared between two organisations that each decide independently how and why the data is used. What remains uncertain is whether the same reasoning would apply when data is handled by a processor. 

This distinction matters because most organisations rely on a network of external partners to manage, analyse, or store pseudonymised data. If regulators later extend the ruling to controller–processor relationships, it could reshape how organisations structure contracts, allocate responsibilities, and assess compliance risk. 

Until this clarity is provided, it is sensible to review how pseudonymised data flows across your supplier and partner network and evaluate where re-identification might still be possible in practice. 

Implications for organisations 

The judgment introduces both opportunities and challenges for organisations handling pseudonymised data, particularly across research and clinical settings. 

Opportunities 

• Narrower GDPR scope: In some data-sharing scenarios, pseudonymised data may fall outside the GDPR where recipients cannot reasonably re-identify individuals 
• Support for secondary use: The ruling aligns with the EU’s direction of travel under the forthcoming European Health Data Space (EHDS), potentially easing the reuse of coded health data for research and innovation 
• Greater flexibility: Organisations may gain more scope to share or analyse data where robust technical, organisational, and contractual measures effectively prevent re-identification 

Challenges

• Proving non-identifiability: Organisations must be able to demonstrate that re-identification is impossible in practice, supported by strong safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... and clear accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. 
• Residual risk: Pseudonymisation remains less effective where re-identification keys or linked datasets are accessible, such as within corporate groups or research partnerships 
• Detailed datasets: Highly specific information, such as genetic profiles or combined demographic attributes, may still enable identification and therefore remain within GDPR scope 
• Exceptional cases: Sponsors may still need to act on information that indirectly identifies participants, such as in serious adverse events, bringing data back under GDPR 
• Regulatory caution: Authorities are expected to scrutinise claims that pseudonymised data is ‘anonymous’, so organisations should proceed cautiously until further guidance is issued 

Next steps for organisations

Until regulators provide clearer guidance, it’s best to stay proactive. Continue applying GDPR good practice and consider the following steps to maintain confidence in your data-sharing processes. 

1. Reassess data classification
   Review existing pseudonymised datasets to determine whether, in light of this ruling, they truly constitute personal data for your organisation. 
2. Document your analysis
   Record the technical and organisational measures that prevent re-identification, along with any contractual restrictions, to demonstrate accountability.
3. Review Data Sharing Agreements (DSAs)
   Clarify which party holds the re-identification key and ensure contracts reflect this distinction.
4. Update risk assessments
   Revisit Data Protection Impact Assessments (DPIAs) and Transfer Impact Assessments (TIAs) where pseudonymisation plays a key role in mitigating risk and adjust accordingly.
5. Strengthen safeguards
   Verify that appropriate technical and organisational measures are in place to prevent re-identification, particularly when data is shared across entities or borders.
6. Monitor regulatory developments
   The EDPB and national regulators are expected to issue further clarification. Track updates and be prepared to adapt policies and contracts in response.

Frequently asked questions 

When is pseudonymised data considered personal data under the GDPR?

Pseudonymised data is classed as personal data when the individual can still be identified, directly or indirectly, using information reasonably available to the data holder. If the recipient cannot reasonably re-identify individuals, the data may fall outside the GDPR’s scope. 

How does the CJEU ruling in EDPS vs SRB affect UK organisations?

The decision applies under the EU General Data Protection Regulation. The UK’s Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) continues to take a stricter approach, so UK organisations should assume pseudonymised data remains within scope unless and until UK guidance changes. 

Does the CJEU ruling in EDPS vs SRB apply to data processorsThird parties processing personal data on behalf of a data controller. as well as controllers?

The case concerned a controller-to-controller transfer, and the Court did not expressly address processors. Further clarification from the European Data Protection Board (EDPB) and national regulators is expected. 

What is the difference between pseudonymisation and anonymisation under the GDPR?

Pseudonymisation replaces identifying details with codes or other references so that individuals cannot be identified without additional information. Anonymisation removes all links to an individual entirely, making re-identification impossible and placing data fully outside the GDPR’s scope. This case argues that, without the additional information, pseudonymised data is anonymisedAnonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR. for the purposes of the recipient’s processing. 

How does the CJEU ruling affect coded clinical trial data?

Coded clinical trial data has traditionally been treated as pseudonymised and therefore within GDPR scope. The CJEU’s reasoning suggests that, in some cases, such data could fall outside the GDPR where the recipient cannot reasonably re-identify participants. However, sponsors and CROs should continue to apply the GDPR until further guidance is issued. 

What are the implications of the EDPS v SRB judgment for Life Sciences?

The ruling may influence how coded or pseudonymised research data is classified, particularly in multi-party trials or collaborations. It could ease secondary use of health data across the EU, aligning with the aims of the European Health Data Space (EHDS). However, regulators are likely to approach such interpretations cautiously. 

The DPO Centre’s team of specialist DPOs have extensive experience supporting clinical trial sponsors, CROs, and research organisations. Contact us to learn how we can help you navigate complex data protection requirements with confidence. 

In case you missed it…

• Anonymisation Part 1: challenges & considerations for Life Sciences 
• Understanding GDPR territorial scope: Essential compliance guide 
• How to choose the right lawful basis for clinical trial data processing