EU: The SRB decision: A new era for personal data and data processing agreements?

Contacts

Riku Rauhanen

Senior Associate
Finland

I am a Senior Associate in our Commercial and Privacy & Data Protection groups in Helsinki, where I work with our local and international clients advising them on data protection, other data regulation, and commercial contracts.

On 4 September 2025, the Court of Justice of the European Union (“CJEU”) delivered a significant judgment in the case EDPS v. SRB (C-413/23 P). This is the first judgment in which the CJEU has explicitly confirmed that sufficiently strongly pseudonymised data may constitute personal data for the original controller but not for the recipient who cannot reverse the pseudonymisation and cannot identify data subjects by other means. This raises the question as to whether controllers are required to conclude Data Processing Agreements with processors that are unable to identify data subjects.

Background to the case

The case concerned the EU's Single Resolution Board (“SRB”), an EU agency that had organised a consultation with creditors and shareholders of a Spanish bank. The SRB shared the creditors' and shareholders' comments with a consulting firm (recipient), replacing respondents' names with alphanumeric codes. The European Data Protection Supervisor (“EDPS”) argued that the statements were pseudonymised personal data and not anonymised because the SRB had the alphanumeric code that could link the responses given during the registration phase to those given during the consultation, even though the identifying information from the registration phase was not transferred to the recipient.

Two different interpretations of the concept of personal data have long prevailed in the data protection community. According to the "absolute personal data" concept, if even one party can link data to a natural person, everyone must treat that data as personal data regardless of whether they themselves have the ability to identify data subjects. The alternative "relative personal data" concept assumes that the nature of personal data depends on the party whose data protection obligations are being assessed – data may be personal data for one party but not for another.

The CJEU's ruling

The CJEU stated that pseudonymisation may influence whether data are considered personal data provided that the technical and organisational measures prevent the data in question from being attributed to the data subject so that they are not identifiable.

The CJEU found that the comments remained personal data for the SRB despite pseudonymisation, as the SRB had additional information enabling it to link the data to data subjects. However, regarding the recipient, the CJEU stated that technical and organisational measures may lead to the conclusion that these comments are not personal data from the recipient’s perspective. This requires that the recipient cannot reverse these measures during its processing of the comments under its control. Furthermore, these measures must actually prevent the recipient from attributing these comments to the data subject so that the data subjects are not identifiable by the recipient. In other words, the CJEU confirmed the existence of the concept of relative personal data — meaning, in practice, that the same data may constitute personal data in the hands of one party, but not in the hands of another.

Impact on data processing agreements

The judgment leaves significant practical questions open, particularly whether the SRB decision's reasoning applies to situations where a controller transfers pseudonymised data to a processor, and how this affects the parties' obligation to enter into a data processing agreement under Article 28 of the EU General Data Protection Regulation.

The SRB judgment leaves open whether Article 28 GDPR applies to pseudonymised personal data in controller-processor relationships. Applying the relative concept of personal data, processors might argue that such agreements are no longer needed. On the other hand, controllers might insist on concluding contracts to minimise their risks in the (unlikely) event of re-identification, e.g., following a data breach. Organisations must also consider the possibility that the processor is treated by data protection authorities as an extension of the controller, in which case the identifiability of data subjects is assessed from the controller’s perspective. In this legal uncertainty, entering into a data processing agreement remains a recommended approach.

Future CJEU rulings may clarify that no data processing agreement is needed if the processor cannot reasonably identify data subjects.

Conclusion

The concept of personal data has never been entirely absolute, nor is it fully relative even after the SRB judgment. What is clear is that the threshold has been lowered for interpreting data as anonymous, even though it would be personal data for another party.

Until the CJEU provides a specific ruling on whether Article 28 of the GDPR applies to the processing of pseudonymised personal data by processors who cannot identify data subjects, controllers should enter into data processing agreements to mitigate legal risks and ensure adequate protection.
