PONT Data&Privacy

Personal data or anonymous data?

A recent ruling by the Court of Justice of the European Union (EDPS v GAR) marks an important step in the discussion about pseudonymity, anonymity and personal data. The Court confirms what many in the field have long argued: pseudonymized data can, under certain circumstances, be personal data to the provider, but not personal data to the recipient. The qualification of data depends on the concrete circumstances and the position of the recipient. This approach is also referred to as the contextual approach and plays an important role in the question: does the GDPR (in Dutch: AVG) apply?

September 10, 2025

What was the trigger?

In the resolution of the bankruptcy of Spain's Banco Popular, the Single Resolution Board (in Dutch: Gemeenschappelijke Afwikkelingsraad, "GAR") reviewed comments from affected shareholders and creditors. The GAR requested Deloitte, as an independent audit firm, to also review some of the comments. In doing so, Deloitte's investigators did not have access to the shareholders' and creditors' records; only to a unique alphanumeric code assigned to each comment. This unique numeric code had been developed for audit purposes.

However, shareholders and creditors subsequently filed complaints with the European Data Protection Supervisor ("EDPS"). This was because the GAR had not informed them about the disclosure of their personal data to Deloitte. The discussion that followed revolved not only around the GAR's duty to inform, but (precisely) also around the fundamental question: were personal data provided to Deloitte at all, or was the data pseudonymized by the numerical code such that the data were anonymous to Deloitte?[1]

Pseudonym or anonymous?

Pseudonymization means that measures have been taken to ensure that personal data cannot be easily traced back to an individual. In this case, the GAR had shared shareholder and creditor comments with Deloitte, but in doing so, their data had been pseudonymized. A numeric code had been assigned to the comments, preventing Deloitte from tracing the data to individual shareholders and creditors.

For the GAR, additional data were still available so that the comments for the GAR - despite the numerical code - retained their personal nature. Deloitte, however, did not have access to that additional data.

The Court emphasizes (again) in this judgment that what matters is whether the recipient (Deloitte) reasonably had the ability to identify the persons. If identification is prohibited by law or proves almost impossible in practice - for example, because it takes too much time, money or personnel - it need not be assumed that the recipient could identify.

Therefore, the Court notes that pseudonymization can mean that data are not personal data to the recipient, even if they remain personal data to the provider. Similarly, the existence of additional data - at another party's premises - by which the data subjects can still be identified does not imply that pseudonymized data are then just personal data in all cases and for all parties.

What are the conditions for anonymizing?

Thus, the context and concrete circumstances of the case must always be considered. The Court mentions two conditions to be able to speak of anonymous data:

  • the recipient does not have the ability to undo the pseudonymization measures; and

  • those pseudonymization measures are so effective that the recipient cannot reconnect the data to individuals by other means either. In other words, the recipient has no legal or practical means to link the data (again) to an individual.

This is also in line with the contextual line from the Breyer judgment, and thus the Court rejects the more absolute line of the EDPS and the European Data Protection Board ("EDPB"), which argue that pseudonymized data always remain personal data as long as additional information exists somewhere. The rather recent EDPB guidelines on pseudonymization will thus have to be amended in line with this judgment.

Incidentally, this contextual line was also followed by a lower Dutch court in April 2025, in which the court ruled on directly and indirectly traceable personal data. In this case, the court ruled that it was not reasonably possible for the recipient - the Dutch Healthcare Authority - to trace the data back to individuals. The data had been pseudonymized by hashing and thus encrypted. The recipient could not 'decrypt' this data. This was because it did not have the key to undo the hashing, and thus the pseudonymization. Therefore, it was not technically possible for the recipient to reverse the encryption. Also, the recipient had no legal authority to request (non-pseudonymized) data in order to make the link. The court thus again concluded that the data was not personal data for the recipient.

What about the duty to inform?

The Court emphasized that the duty to inform cannot be imposed on an entity that is not at all capable of identification. Deloitte was therefore not the appropriate party for this purpose. For the purposes of the duty to inform, identifiability must be assessed at the time the data is collected.

This means that even before the pseudonymized comments were provided to Deloitte, the GAR was required to comply with the duty to inform. It does not matter whether the data were personal data to Deloitte. At the time the data was collected from shareholders and creditors, the GAR should have already provided information about possible recipients, for example in the privacy statement. This could also have immediately explained what measures had been taken. This way, data subjects know how their data is protected and where they can exercise their rights.

What does this mean for your practice?

For the question of the applicability of the GDPR, it is first of all important to know whether there is "personal data". With this judgment, the Court confirms the contextual approach. Where regulators often chose the approach "everything always remains personal data," the Court creates more room for customization and more legal certainty for organizations working with proper pseudonymization.

In any case, it is important that your organization analyze for each recipient whether identification is reasonably possible, and document these considerations properly. If necessary, adjust your privacy statement(s) accordingly. After all, the provider remains subject to the GDPR obligations towards the data subjects.
