On 4 September 2025, the EU Court of Justice (the “CJEU”) issued a landmark ruling in SRB v. EDPS confirming that pseudonymous data is not automatically personal data in all cases (the “SRB Case”). Instead, the key question is whether the controller can realistically re-identify the individual. This judgment is expected to have a significant impact on instances where effective technical and/or organisational measures prevent re-identification by the controller. Importantly, although the ruling arose under EU Regulation 2019/1725 – i.e., the EU data protection law applicable to EU Institutions (such as the Commission) – the CJEU confirmed that the same interpretation applies under the General Data Protection Regulation (the “GDPR”).

(more…)