This case note analyses the judgment delivered on 4 September 2025 by the Court of Justice of the European Union (CJEU) on the notion of personal data in the context of a transfer of pseudonymized data. The CJEU has explicitly confirmed the ‘relative’ approach to the notion of personal data. As the European Data Protection Supervisor (EDPS) v. Single Resolution Board (SRB) judgment shows, applying the ‘relative’ approach can push pseudonymization in the context of data-sharing scenarios beyond its role as a security measure within the meaning of Article 32 of the General Data Protection Regulation (GDPR), with the possible consequence that the GDPR may not apply. Against this background, this case note seeks to untangle the role of pseudonymization in the context of data sharing practices on the basis of EDPS v. SRB. In this regard, a differentiation between the perspective of the transferor and that of the recipient is made.
Global Privacy Law Review