What the SRB-case teaches us about Pseudonymisation, Consent, and GDPR Compliance
For years, privacy professionals have debated: should we consider personal data a relative or absolute concept? In other words, as long as there is a theoretical possibility for a pseudonymous dataset to be re-identified, will the data always remain personal data or is there a threshold where we can consider the data anonymous?
When privacy professionals talk about “personal data,” they tend to imagine names, addresses, maybe an email you can clearly link to someone. But the CJEU keeps reminding us that the boundaries are slipperier than they look. In its recent judgment EDPS v. SRB (C-413/23 P), the Court dug into the grey zone of pseudonymous data and what it means for GDPR compliance. The twist: whether data counts as “personal” can depend not only on what sits in your own systems, but also on what another party might reasonably do with it. This means that the relative approach to personal data is finally explicitly confirmed.
In this blog post, we break down the recent SRB case, explain what it means for privacy professionals, and share actionable tips to improve your GDPR compliance, especially when pseudonymous data is involved.
1. The SRB Case: A quick recap
The Single Resolution Board (SRB), a European Union body that manages failing banks, handled the resolution of Banco Popular, a Spanish bank. As part of that process, they collected identification data and comments from shareholders and creditors, then passed just the comments on to Deloitte for an independent valuation.
Before doing so, SRB pseudonymised the dataset and argued that the data sent to Deloitte was no longer “personal data” under GDPR.
The creditors and shareholders were not informed that their data, pseudonymised or not, would be sent to Deloitte. Several of them filed a complaint with the European Data Protection Supervisor (EDPS) which got the ball rolling.
Eventually, the case made its way to the CJEU, which weighed in with two key rulings:
1.1. Personal data is relative
The Court ruled that pseudonymised data is not automatically personal data for every party in the chain.
- For SRB, the data was personal because they possessed the key to re-identify the individuals.
- For Deloitte, which received a version stripped of identifiers and had no way to reverse the pseudonymisation, it was not personal data.
This explicitly confirms the relative interpretation of personal data. Under GDPR, what counts as personal data may depend on who holds the dataset and what they can reasonably do with it.
If you’re transferring data, the recipient has no way to re-identify individuals, and you’ve taken appropriate technical and organisational measures, the data may no longer be considered personal in the recipient’s hands.
But, and it’s a big but, you must be able to prove it.
1.2. Consent requires full transparency (Yes, even for pseudonymised data)
The second big ruling? The SRB should have informed these individuals upfront that their data might be transferred to Deloitte, even if the data were pseudonymised.
Why? Because the data collection was based on consent. And under GDPR, consent must be informed to be valid, which includes information on the (potential) recipients of the data.
2. Take-aways for Privacy Professionals
What can you learn from this case? It depends on whether you are a controller or a recipient of a pseudonymised dataset:
2.1. For controllers
The SRB case opens the possibility of sharing pseudonymous datasets under fewer legal constraints, provided the pseudonymisation is done thoroughly. The judgment gives a number of elements to consider and document when a controller wants to demonstrate that a pseudonymous dataset will not be personal data for the recipient:
- Be clear on which identifiers were removed
- Give an overview of which techniques were used (tokenisation, hashing, noise addition, separation of data stores, etc.)
- Spell out what the limit of the reasonable means of the recipient are
- Mention any legal framework that makes re-identification illegal
Documenting this approach allows a controller to assess the re-identification risk per recipient: what counts as “reasonable means” for one recipient may not for another. The threshold for anonymous data, however, remains very high.
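An added example (not from the judgment, the SRB or CRANIUM) of the controller-side pattern these elements describe: direct identifiers are replaced by keyed tokens, the token-to-identity lookup stays in a separate store with the controller, the recipient gets only tokens and comments, and the controller keeps a record of what was removed and how. The dataset, the key and the PseudonymisationRecord structure are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape the SRB scenario describes: identity data plus a free-text comment.
SUBMISSIONS = [
    {"name": "Alice Example", "account": "ES00-0001", "comment": "The valuation undervalues the branch network."},
    {"name": "Bob Example", "account": "ES00-0002", "comment": "I object to the haircut applied to bondholders."},
]
DIRECT_IDENTIFIERS = ("name", "account")  # fields the controller strips before sharing

@dataclass
class PseudonymisationRecord:
    """Hypothetical documentation structure: what was removed, how, and who holds the key."""
    removed_fields: tuple
    technique: str
    key_holder: str
    recipient_dataset: list = field(default_factory=list)  # what the recipient actually receives
    lookup: dict = field(default_factory=dict)             # token -> identity; never leaves the controller

def token_for(identity: str, key: bytes) -> str:
    # Keyed hashing: without the key the token cannot be recomputed, even from the real identity.
    return hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(rows, key: bytes) -> PseudonymisationRecord:
    rec = PseudonymisationRecord(DIRECT_IDENTIFIERS, "HMAC-SHA256 tokenisation, data stores separated", "controller")
    for row in rows:
        identity = "|".join(row[f] for f in DIRECT_IDENTIFIERS)
        token = token_for(identity, key)
        rec.lookup[token] = {f: row[f] for f in DIRECT_IDENTIFIERS}
        rec.recipient_dataset.append({"token": token, "comment": row["comment"]})
    return rec

def recipient_view_is_stripped(dataset) -> bool:
    # Check backing the "which identifiers were removed" statement: no direct identifier field survives.
    return all(f not in row for row in dataset for f in DIRECT_IDENTIFIERS)

def reidentify(token: str, lookup: Optional[dict]) -> Optional[dict]:
    # Only the party holding the lookup (the controller) can reverse a token; the recipient has none.
    return None if lookup is None else lookup.get(token)

if __name__ == "__main__":
    record = pseudonymise(SUBMISSIONS, key=b"controller-secret-key")  # constructed key, not a real one
    print(record.recipient_dataset)  # tokens and comments only
    print(reidentify(record.recipient_dataset[0]["token"], record.lookup))  # controller side: identity
    print(reidentify(record.recipient_dataset[0]["token"], None))           # recipient side: None
```

Whether the recipient's view is non-personal still depends on the reasonable-means assessment the text describes; the record above is what the controller would document to support that assessment.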
The GDPR remains applicable to controllers and thus strict due diligence and contractual clauses must be implemented to share this data.
Additionally, all (potential) recipients of the data must be disclosed in order to meet the ‘informed’ requirement to rely on consent to process the data. Making the data pseudonymous or anonymous does not affect this requirement.
2.2. For recipients
The situation changes drastically for recipients of pseudonymous/anonymous data. Imagine that the recipient of pseudonymous data shares it with another party, and that party has the reasonable means necessary to re-identify the data subjects. At that moment, the data becomes personal data again, with all relevant consequences (role of the parties, DPA required, legal basis, etc.). This follows from the Scania case (C-319/22). As such, any company that works (or intends to work) with this ‘type’ of data should take the following measures:
- Do not assume your own status is stable: even if data is non-personal in your hands, its status can change the moment you transmit it further.
- Assess downstream partners: before sharing, consider whether the next recipient has the means to re-identify; if yes, prepare for full GDPR compliance.
- Anticipate contractual duties: a Data Processing Agreement (or broader data sharing contract) will be required, alongside ensuring a legal basis, purpose limitation, and transparency obligations.
Conclusion: Compliance is contextual
The SRB case reminds us that data protection law is not static, and neither should your compliance programme be.
While pseudonymisation is a valuable technical measure to protect against re-identification and could thus allow for further sharing of data without GDPR requirements, the threshold to reach a sufficient level remains very high. Even then, the GDPR comes back into play when you share (pseudonymous) data with a party that has the means necessary to re-identify the data subjects. Adequate governance frameworks will be required to handle this.
On top of that, the judgment confirms that informed consent requires disclosing all (potential) recipients of the data, even if it is pseudonymous or anonymous!
Need Support?
At CRANIUM, we help organisations translate judgments like this into real-world compliance. From reviewing your legal bases to refining your data sharing protocols, our consultants are here to guide you.