In the recently released Digital Omnibus, the Commission proposes amending the definition of personal data in article 4(1) of the GDPR. The revision includes further text to clarify that information about a natural person is personal data under the GDPR only if an entity can realistically identify the individual. The revision seeks to emphasise that identifiability is context-dependent and not universal for all recipients.
This proposal is a result of the recent judgment by the Court of Justice (CJEU) in EDPS v SRB (C-413/23). This case clarified prior judicial decisions on this matter, confirming that the definition of personal data in the EU is based on a “relativist” approach that is both context-sensitive and recipient-specific. While this case focused on the application of Regulation (EU) 2018/1725, this regulation directly mirrors the GDPR and creates similar obligations for application.
The case arose after the Single Resolution Board (SRB), an EU body, collected comments from stakeholders during the resolution of Banco Popular Español. These comments, which included personal opinions, were pseudonymised (identifiers replaced with codes) and transferred to a consultant for analysis. In this transfer, SRB alone held the necessary key to re-link the codes to individuals. Following complaints from individuals involved in the resolution, the European Data Protection Supervisor (EDPS) found that the SRB had breached transparency obligations by failing to disclose that the data had been sent to a consultant. The General Court initially annulled the EDPS decision, holding that the data had been anonymised when transferred to the consultant.
The EDPS appealed to the CJEU, which provided a nuanced interpretation of what constitutes personal data. The CJEU’s judgment is notable for its explicit endorsement of a relativist or context-dependent” approach to personal data. Rather than treating identifiability as an absolute, the Court held that whether information is personal data depends on the specific context and the recipient’s ability to identify individuals using “means reasonably likely to be used”. The Court’s approach is dynamic, reflecting the practical realities of modern data processing.
The Court of Justice based its decision in its earlier decision in the case of Breyer (C-582/14) from 2016. In Breyer, the Court held that information can qualify as personal data even when identification requires access to additional data held by a third party, provided that identification is “reasonably likely” given the means available. The EDPS v SRB judgment confirmed that identifiability is not a binary or abstract matter, but a relational question. Instead of creating an absolute marker for all personal data, the Court makes clear that realistic questions must be asked, such as: to whom is it identifiable, by what means, and in what context? If adequate measures are taken by a data controller that mean a particular recipient cannot re-identify individuals, then for that recipient, the data are not personal.
The judgment in EDPS v SRB brings several important clarifications to the understanding of personal data under the GDPR. It confirms that personal opinions or views, as expressions of an individual’s thinking, are inherently linked to their authors and therefore constitute personal data, even when presented in pseudonymised form. Pseudonymisation, while a valuable technical and organisational safeguard to reduce the risk of re-identification, does not automatically remove data from the scope of the GDPR. Instead, the legal status of such data depends on whether the recipient can realistically re-identify the individuals concerned. The obligation to inform data subjects about the recipients of their data remains with the controller. It must be fulfilled at the time of collection, regardless of whether the data is later transferred in pseudonymised form. There is no blanket exemption for downstream recipients. Pseudonymised data may not be personal for a recipient who lacks the means to re-identify individuals, this does not absolve the original controller from their responsibilities under EU law.
The practical implications of this relativist approach are both flexible and complex. Controllers must assess identifiability from their own perspective to meet transparency obligations and cannot rely on downstream pseudonymisation to avoid disclosure duties. Recipients, on the other hand, must carefully evaluate whether they truly lack the means to re-identify individuals, taking into account the possibility of cross-referencing with other datasets, technological capabilities, and legal access to additional information.
For data subjects, the judgment strengthens transparency rights, ensuring that controllers cannot circumvent disclosure obligations through technical measures applied after collection. However, this context-sensitive approach introduces operational complexity, as a dataset may be considered personal for some actors and not for others. This complicates processing chains, data clean rooms, and arrangements for training AI models. As a result, organisations must document their risk assessments thoroughly and maintain evidence of their analysis regarding the means reasonably likely to be used for re-identification.
The EDPS v SRB judgment is a clear reminder that data protection, in itself, is not the only objective to be pursued, and that the practical realities of data processing must be recognised. By reaffirming a context-dependent approach, the CJEU has clarified that personal data is not an absolute characteristic but one that depends on the circumstances of processing and the realistic means of identification available to the relevant actor. Under the absolutist approach, if anyone could, in principle, re-identify individuals from a dataset, it should be classified as personal data for everyone, regardless of the recipient’s actual capabilities. This approach maximises protection but increases regulatory burden and may restrict beneficial uses of data.
The relativist approach, by contrast, supports flexibility and proportionality, enabling broader data reuse—especially in analytics and research—while still preserving core protections. However, legal protection for data remains strong, as there is an evidential burden on controllers to show that re-identification is not reasonably likely.
Including the CJEU’s approach in clarifying the definition of personal data in the GDPR is to be welcomed. Not only is the Court’s decision the highest legal standard in the EU, but it will also require many national authorities to reconsider their approaches to personal data. For organisations processing data, the relativist approach provides greater flexibility but also greater responsibility to carry out robust, documented risk assessments. For data subjects, the judgment enhances transparency and ensures that data protection rights cannot be circumvented solely by technical measures. As data ecosystems grow ever more complex, the CJEU’s approach offers a nuanced, risk-based path forward for a more realistic EU data protection law.
29 November 2025
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
