What key EU data ruling means for cross-border transfers

This piece originally featured in Law360, October 2025.

On Sept. 4, 2025, the Court of Justice of the European Union delivered a landmark judgment in European Data Protection Supervisor v. Single Resolution Board. The judgment squarely tests how EU data protection law classifies pseudonymized datasets handled by third-party recipients in complex regulatory workflows, and it sets aside the EU General Court's ruling in SRB v. EDPS of April 26, 2023.

The controller, SRB, had disclosed pseudonymized consultation comments to an external adviser, Deloitte, in a bank-resolution exercise.

Following complaints from several affected individuals that they had not been informed in advance that their comments would be disclosed to a third party, the supervisory authority, the EDPS, challenged the SRB's compliance with the data protection regulation applicable to EU institutions, or EU DPR.

The court reaffirmed that pseudonymized information is not automatically personal data "in all cases and for every person."

Its status instead depends on whether, for the recipient in question, the data subject is identifiable by means reasonably likely to be used, the objective assessment grounded in Recital 26 of the EU General Data Protection Regulation.

Although the appeal arose under the EU DPR, the court interpreted it consistently with the EU GDPR, so the decision is immediately relevant to international transfers by financial services firms acting as controllers under Chapter V of the GDPR.

The judgment also addresses the context of transparency obligations, in particular when and where information must be given to data subjects, which remains relevant to controllers' privacy notice strategies in financial services.

This article examines the recipient-specific identifiability analysis applied by the CJEU, its compatibility with the EDPB guidelines on pseudonymization and the implications for financial services firms.

New Recipient-Specific Identifiability Test

The court applies the GDPR's identifiability concept to pseudonymized data disclosures in a recipient-specific, fact-sensitive manner, with immediate legal consequences for characterization, governance and Chapter V obligations for financial services firms acting as controllers and recipients.

Objective Test

The GDPR defines personal data by reference to identifiability. In line with its established case law, the court asks whether a data subject is identifiable by means reasonably likely to be used: a practical, context-dependent inquiry that considers technology, time, cost, the availability of additional information, and the presence of legal and contractual constraints.

The court confirms that legal prohibitions and contractual duties, e.g., no-reidentification and no-linkage clauses backed by effective audit and sanctions, can reduce what is reasonably likely in practice. Boilerplate clauses, i.e., standard provisions that are not actually enforced, carry little weight.

The assessment should be dynamic, as a dataset that is not personal data for a specific recipient today may become personal in the future if capabilities, access to additional information or legal constraints change. Financial services firms should therefore reevaluate identifiability at appropriate intervals.

Crucially, EDPS v. SRB treats the analysis as recipient-specific. The question is not whether anyone could reidentify. It is whether this recipient, in this factual and legal context, is likely to be able to do so by means reasonably likely to be used. The same data can therefore be:

  • Personal data for the controller, who retains the key, that is, the separate piece of information that associates a pseudonym with the real person or other additional information enabling linkage; and 

  • Not personal data for a recipient who neither holds that additional information nor can lawfully or practically obtain it, given effective legal prohibitions, audit and sanctions.

Two features of the court's reasoning matter for practice. First, legal prohibitions count only if they genuinely bite. Contractual no-reidentification and no-linkage obligations influence the means-reasonably-likely assessment only where they are enforceable, auditable and backed by credible sanctions.

Second, the analysis is evidence-driven. Controllers should be able to show, at the time of sharing, how technical, organizational and legal controls render reidentification not reasonably likely for that recipient.

Consequences

Consequences extend beyond transfers to characterization, role allocation and transparency. For financial services firms, however, whether the cross-border transfer rules apply often decides the outcome. In practice, three main consequences follow from the recipient-specific test.

First, under the GDPR, the dataset's legal characterization is recipient-specific. Whether a recipient processes personal data turns on that recipient's ability to identify the data subject by means reasonably likely to be used.

This relative status affects downstream obligations, for instance whether the recipient itself owes data subject rights responses or must keep records of processing activities. The controller, meanwhile, remains fully subject to the GDPR where it retains the key or other linkable attributes.

Role allocation — deciding which GDPR role each party has in a data processing activity, i.e., controller, processor or joint controllership — is not determined by pseudonymization alone. It follows Articles 24-28 of the GDPR and case law on purposes and means. If a recipient can obtain the key or otherwise determines purposes jointly, joint controllership may arise with correlative accountability.

Second, the analysis affects the obligations applicable to the recipient under Chapter V of the GDPR. Where a third-country recipient cannot reidentify by means reasonably likely to be used, that onward transfer may fall outside Chapter V, because in that recipient's hands, the dataset is not personal data.

Conversely, any transfer step to a recipient that can reidentify the dataset remains a transfer of personal data and must satisfy Chapter V obligations — that is, the appropriate transfer tool, transfer risk assessment and supplementary measures, as needed.

Third, the test is fact-sensitive. If keys or linkable attributes are accessible anywhere in a group or vendor chain, a supervisory authority may infer that reidentification is reasonably likely, so the dataset remains personal data throughout the chain.

The court provides a framework, not a safe harbor, and the burden lies with controllers to maintain an updated evidence file showing why reidentification by the recipient is not reasonably likely.

Financial services firms should also consider that opinions and comments relating to identifiable persons, such as employee or customer surveys, whistleblower reports and similar personal comments, are themselves personal data in many contexts. In such cases, transparency obligations arise at collection and cannot be retrofitted at sharing.

The remaining question is how this framework aligns with current supervisory guidance, most notably the EDPB's pseudonymization guidelines.

Compatibility With EDPB Guidelines

Because the EDPB has issued draft guidelines on pseudonymization, it is worth considering where the court's approach and the draft converge and where they diverge in ways that affect compliance. The guidelines remain in draft, but supervisory expectations typically follow the EDPB's direction pending finalization.

General Convergence Points

There is substantive common ground between the judgment and the draft guidelines:

  • Both distinguish pseudonymization from anonymization. Removing direct identifiers alone is insufficient; any additional information required for reidentification must be out of reach for the recipient in question. 

  • Both accept that a pseudonymized dataset remains personal for any recipient who retains or can access the additional information needed for reidentification.

  • Both treat identifiability as contextual, requiring consideration of technology, time and cost, and the effectiveness of protective measures.

In this respect, the judgment reinforces the risk-based logic embedded in EU data protection law.

While those shared premises provide stability for organizations transferring pseudonymized data to third countries, two important practical differences have emerged.

Points of Divergence

The court's lens is recipient-specific. Whether a dataset is personal data for this recipient depends on the means reasonably likely to be used by that recipient to reidentify, and on the enforceable legal prohibitions, with audit and sanctions, that weigh against identifiability.

By contrast, parts of the EDPB's draft guidelines on pseudonymization take a more holistic view of multiparty arrangements, tending to treat pseudonymized datasets as personal data across the whole chain of recipients unless stringent technical, organizational and legal conditions are met at each link. This is stricter in practice than the court's approach and may need to be reconsidered in light of the ruling.

Under the court's analysis, some pseudonymized data transferred to a third-country recipient may fall outside Chapter V. In such cases, no personal data would be transferred to that recipient.

Under the EDPB's guidelines on pseudonymization, such transfers would typically still be treated as transfers of personal data, keeping applicable transfer mechanisms squarely in play.

Pending updated guidance, organizations should assume supervisory expectations will still accord with the EDPB guidelines.

In addition, the EDPB's draft emphasizes technical sufficiency, e.g., robustness against singling out, linkability and inference. It warns that weak tokenization or stable identifiers can make individuals reidentifiable again by linking records across datasets. These issues must be addressed in any recipient-specific assessment.

Compliance Essentials

Financial services firms should align their contracting framework, technical controls and governance with the court's analysis, while maintaining a position that remains defensible under the stricter reading of pseudonymized data in the EDPB draft guidance.

The aim is twofold: to evidence, for defined recipients, that reidentification is not reasonably likely, and to retain conservative transfer safeguards while guidance evolves.

Contractual Protections

Terms entered into with consultants, cloud vendors and any other third parties should prohibit reidentification and linkage, including matching against auxiliary datasets, that is, any other data source a recipient could use to help reidentify people in a pseudonymized file.

Terms should also restrict onward transfers without the controller's consent. They should grant audit rights and provide tiered sanctions for breaches, such as suspension, termination and indemnity.

In group or multivendor chains, it is important to map exactly who holds additional information, e.g., keys, mapping tables and stable tokens, and to ensure that no support channel will supply reidentification assistance to the recipient.

Where feasible, codify no reidentification assistance obligations for affiliates and support desks and require prompt incident reporting of suspected reidentification attempts.

Technical and Organizational Controls

To align contractual protections with technical controls, financial services firms should:

  • Segregate environments and support duties. Keep keys and any other additional information in a segregated environment under the controller's exclusive control, with dual-control access and immutable logging.

  • Minimize quasi-identifiers (data points that do not identify someone on their own but can do so in combination with other information), reduce high-risk attributes such as rare combinations of values, and apply output controls. Constrain outputs to what the use case needs and favor aggregation where feasible.

  • Close backdoors. Operations runbooks (the step-by-step guides that IT or support teams use to carry out routine tasks, fix problems or escalate issues) and ticketing workflows must not allow escalations to entities that hold the key.

  • Periodically test controls, using red-team exercises, simulated attacks or stress tests in which an internal or external team deliberately tries to reidentify records, to validate that reidentification avenues are not reasonably likely for recipients. 
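The following is an added illustration, not code from the article, the SRB or any party to the case. It shows in Python the two technical points made above: why the stable identifiers the EDPB draft warns about make files linkable across recipients, whereas per-recipient keyed tokens do not, and how a quasi-identifier check of the kind a red-team reidentification test would run finds rows that can be singled out until output controls are applied. The records, the master secret and the recipient names are all constructed for the example, and the HMAC-based per-recipient tokenization is one reasonable design, not a scheme prescribed by the court or the EDPB.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration only; not data from the case.
RECORDS = [
    {"customer_id": "C1001", "postcode": "SW1A", "birth_year": 1971, "comment": "Objects to the valuation method"},
    {"customer_id": "C1002", "postcode": "SW1A", "birth_year": 1971, "comment": "Supports the resolution decision"},
    {"customer_id": "C1003", "postcode": "EH1", "birth_year": 1954, "comment": "Requests further disclosure"},
    {"customer_id": "C1004", "postcode": "SW1A", "birth_year": 1988, "comment": "No comment"},
]

# Assumed controller-held master secret (constructed). In practice it lives in
# the segregated, dual-controlled environment described above and is never
# given to a recipient.
MASTER_KEY = b"controller-master-secret-constructed-for-this-example"

# Attributes that do not identify on their own but may in combination.
QUASI_IDS = ("postcode", "birth_year")


def weak_token(customer_id: str, recipient: str = "") -> str:
    """Stable, unkeyed token: the same customer gets the same token in every
    file, so any two recipients (or a recipient holding an older file) can
    join their records. This is the weak tokenization the EDPB draft warns of."""
    return hashlib.sha256(customer_id.encode()).hexdigest()[:16]


def recipient_token(customer_id: str, recipient: str) -> str:
    """Per-recipient keyed token. A recipient-specific key is derived from
    MASTER_KEY and the recipient name, so tokens differ between recipients
    and cannot be regenerated or linked without the controller's secret."""
    recipient_key = hmac.new(MASTER_KEY, recipient.encode(), hashlib.sha256).digest()
    return hmac.new(recipient_key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, recipient, tokenizer):
    """Replace the direct identifier with a token; quasi-identifiers are kept."""
    return [
        {
            "token": tokenizer(r["customer_id"], recipient),
            "postcode": r["postcode"],
            "birth_year": r["birth_year"],
            "comment": r["comment"],
        }
        for r in records
    ]


def linkable_tokens(file_a, file_b) -> int:
    """Number of tokens present in both files: the join an adversary could use."""
    return len({r["token"] for r in file_a} & {r["token"] for r in file_b})


def _combo(row):
    return tuple(row[q] for q in QUASI_IDS)


def singled_out(file) -> list:
    """Tokens whose quasi-identifier combination is unique in the file (k = 1).
    Such rows can be singled out even though no direct identifier is present."""
    counts = Counter(_combo(r) for r in file)
    return [r["token"] for r in file if counts[_combo(r)] == 1]


def apply_output_controls(file, k: int = 2) -> list:
    """Generalise birth_year to a decade, then suppress rows that are still
    shared by fewer than k records on the quasi-identifiers."""
    generalised = [dict(r, birth_year=(r["birth_year"] // 10) * 10) for r in file]
    counts = Counter(_combo(r) for r in generalised)
    return [r for r in generalised if counts[_combo(r)] >= k]


if __name__ == "__main__":
    a_weak = pseudonymise(RECORDS, "adviser-a", weak_token)
    b_weak = pseudonymise(RECORDS, "adviser-b", weak_token)
    a_keyed = pseudonymise(RECORDS, "adviser-a", recipient_token)
    b_keyed = pseudonymise(RECORDS, "adviser-b", recipient_token)
    print("stable tokens joinable across recipients:", linkable_tokens(a_weak, b_weak))
    print("keyed tokens joinable across recipients:", linkable_tokens(a_keyed, b_keyed))
    print("rows singled out before output controls:", len(singled_out(a_keyed)))
    print("rows singled out after output controls:", len(singled_out(apply_output_controls(a_keyed))))
```

With the constructed records, all four stable tokens are joinable between the two recipients' files while none of the keyed tokens are, and two rows are singled out by postcode and birth year until the year is generalised to a decade and sub-threshold rows are suppressed. The same per-recipient derivation lets the controller, which alone holds the master secret, re-link a recipient's file when it lawfully needs to, which is exactly the asymmetry the recipient-specific test turns on.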

International Transfers

Financial services firms are advised to follow the most cautious reading of the draft EDPB guidelines — even if the CJEU judgment could be read more flexibly — until updated and finalized.

For third-country recipients, it is recommended to implement an appropriate transfer tool and keep keys within the European Economic Area or otherwise under EU-law controls, even if a robust recipient-specific assessment indicates that the recipient does not receive personal data.

To demonstrate compliance, it is useful to keep on record an evidence file, including a short transfer analysis note explaining why, for that recipient, reidentification is not reasonably likely.

It is also advisable to record why transfer tools are retained as a prudential measure pending updated guidance; the set of contract clauses in place; a diagram of key segregation and access paths, i.e., the specific roles, systems or routes, such as permissions, support escalations and application programming interfaces, that could reach the keys; and a list of output constraints.

Where recipients act as processors — Article 28 — data processing agreements should expressly prohibit reidentification, onward disclosures and auxiliary-dataset matching, and require cooperation in identifiability testing.

Where recipients act as controllers, whether independent controllers or joint controllers under Article 26, data sharing agreements should allocate transparency, data protection impact assessment and rights-handling responsibilities, and address liability for breach of reidentification prohibitions.

Joint controllership may arise where purposes or means are jointly determined, or where the recipient can obtain additional information. Financial services firms should analyze this early.

Conclusion

After the CJEU's EDPS v. SRB decision, the EDPB will no doubt take time to take stock of the ruling before updating its draft guidelines, on which consultation only closed in March.

In the meantime, financial services firms should cautiously follow the EDPB's draft guidelines and maintain conservative Chapter V safeguards for third-country onward transfers. They should also build an evidence file showing why reidentification is not reasonably likely for defined recipients, and align contracting, controls and governance so that legal constraints genuinely bite in practice.

The judgment is notable not because it creates a new standard, but because it reanchors identifiability in a recipient-specific, evidence-based analysis that financial services firms can implement carefully without abandoning prudent safeguards.