When data relate to us?
The EDPS vs. Single Resolution Board judgment goes to the heart of the EU’s fundamental right to data protection, shaping how artificial intelligence, data spaces and so-called privacy-enhancing technologies (PETs) will be governed in practice. The ruling of the Court of Justice of the European Union (CJEU) arrives at a crucial time to reiterate what counts as personal data, reinforcing the importance of the protection that the GDPR was designed to guarantee.
The SRB ruling and the case for data protection in the EU
The right to data protection, enshrined in the EU Charter of Fundamental Rights, hinges on one question: what counts as information “about a person”?
Courts have repeatedly tackled this issue as technology evolves, making it easier to collect, link, or disguise information that still affects individuals. Each ruling has pushed back against attempts to narrow the definition of personal data. The recent Single Resolution Board (SRB) case continues this trend.
The case arose under the EU banking framework. The SRB, responsible for overseeing the EU Banking Union, collected shareholder comments from a Spanish bank for a compensation process. These comments were shared with an external consultant after replacing names with random codes. The case was decided under EU data-protection law (Regulation 2018/1725), which mirrors the GDPR but applies to EU institutions.
The European Data Protection Supervisor (EDPS) concluded that the comments were still personal data and that shareholders had not been properly informed. The General Court disagreed, but the Court of Justice of the EU (CJEU) overturned that decision. The Court clarified how identifiability should be assessed and how pseudonymisation fits within EU law, sending the case back for reconsideration.
The SRB dataset was unusual: comments were aggregated and coded to prevent singling out within thematic groups. In plain terms: removing names is not enough. What matters is whether the data still relate to individuals in a way that could impact them. The ruling reaffirms, not narrows, the Court’s earlier case law on identifiability and indirect personal data.
The Court confirmed that data “relate to” a person when they describe or influence that person, even without names. Data protection is about the relationship between information and people, not just labels or formats. The test is whether the data describe, affect, or target human lives.
Pseudonymisation replaces identifiers with artificial codes, making re-identification harder while still allowing analysis. But because re-identification is possible, pseudonymised data are still personal data. Organizations must comply with all GDPR obligations: lawfulness, fairness, transparency, and security.
Why it matters
The SRB ruling reinforces a key principle: data are personal whenever they describe or affect someone, even without names. Pseudonymisation does not remove data from GDPR protection, and identifiability must be assessed objectively, based on what anyone could reasonably do with the information. This safeguards against profiling, singling-out, and hidden influence.
The ruling also contrasts with the European Commission’s Digital Omnibus proposal, which seeks to redefine personal data based on a controller’s technical ability to identify individuals. Such a change could weaken decades of jurisprudence and allow companies to classify personal data as “non-personal” simply by claiming they cannot re-identify it.
The SRB judgment is a timely reminder: protections must travel with the data, not with institutional convenience. As EU policymakers consider reforms, the Court’s message is clear: data protection must strengthen fundamental rights, not erode them.
Contribution by: Itxaso Domínguez de Olazábal (She/Her), Policy Advisor, EDRi & Douwe Korff, professor of international law at London Metropolitan University