The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

When pseudonyms are not personal data -2

We resume our analysis of the European General Court decision of April 26, 2023 on the dispute that occurred between a European agency ( the Single Resolution Board – SRB) and the EDPS concerning the appeal of a decision of the European Supervisor against the same SRB for alleged violation of the obligations to inform data subjects, through the privacy notice.
In this round we will examine some relevant aspects of the decision regarding the definition of “personal data” and the scope of application of pseudonymization, especially with regard to a third party. The Court also takes into account the interventions of national administrative courts as well as, in some respects, a preliminary ruling of the CJEU, which was involved in this complicated process.
The Court’s decision may be appealed before the CJEU within two months of the notification to the parties.


With regard to the decision of the European Court in the dispute between the SRB and the EDPS, the following conclusions can be drawn:

  • the Court did not address the question of whether pseudonymized data is always personal data but, rather, indicated the determinative criteria for this finding
  • First, it must be ascertained whether the information subject to pseudonymization is “personal data” within the meaning of EUDPR and GDPR
    • In this regard, it is necessary to ascertain the presence of the two cumulative conditions that are (a) that the the information “concerns” natural persons and (b) that the natural person is “directly or indirectly identified
  • Once this first examination has been successfully passed, the next step is to ascertain whether the pseudonymized data are re-identifiable to the reference party: that is, if we are dealing with pseudonymized data made available to a third party (e.g., a data controller) whether such data are re-identifiable from the perspective of the third party
    • To establish re-identifiability – as specified by the recitals of EUDPR and GDPR – it is necessary to ascertain whether the relevant subject (a) has the “reasonable opportunity” to re-identify and (b) has or can reasonably dispose of the means – legal and operational – necessary to do so
  • In case of disputes, the above-mentioned findings are the responsibility of the supervisory authority, must relate to the specific situation of the case and must be based on objective evidence.