The GDPR is not all-powerful – a new approach to pseudonymised data

On 4 September 2025, the Court of Justice of the European Union (CJEU) ruled that the notion of “personal data” under the GDPR must be interpreted relatively: you must always consider the perspective of the party who actually holds the information. Accordingly, if a given organisation – for example, an analytics or IT provider – does not possess (or cannot reasonably obtain) the means to re-identify natural persons from pseudonymised data, then the GDPR’s provisions do not apply to that organisation.

This stands in contrast to the absolute approach saying that any data that could in theory be used to identify someone counts as personal data regardless of whether the controller or processor actually has the means to identify individuals. Under that view, the GDPR would automatically apply to all pseudonymised datasets.

The CJEU’s relative interpretation brings significant practical relief, especially for actors who handle pseudonymised data but have no realistic way of linking it back to individuals. From now on, the GDPR’s applicability must always be assessed in light of the specific controller’s or processor’s situation. This does not mean, however, that pseudonymisation is a free pass: the ruling does not exempt controllers from all obligations. In fact, the Court emphasised that controllers still owe duties of transparency. Even when data is pseudonymised and later shared with third parties, the data subjects must be informed of what happens to their information, including the fact that pseudonymisation is taking place and the possibility of onward transfers.

In sum, this judgment marks a milestone. It tempers the tendency to treat the GDPR as an “all-encompassing” regime, yet it preserves the controller’s responsibilities and the requirement of openness.