EU Court: pseudonymised data transmitted to a recipient is not personal data if the recipient does not have the means to re-identify the data subject.

In its judgment of 26 April in Case T-557-20 (CRU - Single Resolution Committee v European Data Protection Supervisor), the EU Court (Eighth Chamber, Extended Composition) ruled that pseudonymised data transmitted to a recipient is not personal data if the recipient does not have the means to re-identify the data subject. The Court has consistently and consequently applied a principle that is the one contained in both Recital 26 of the GDPR and Recital 16 of Regulation 1725/18, namely: if personal data has been rendered sufficiently anonymous that the data subject cannot or can no longer be identified, the data protection principles do not apply. The point revolves around the possibility of re-identification and this possibility - as has been well highlighted since Opinion WP 5/2014 on anonymisation techniques - may change over time. In 2023/2024, the new Guidelines on Pseudonymisation that the European Data Protection Board is preparing are also expected.