How the CJEU ruling affects your handling of pseudonymised data

A new ruling by the Court of Justice of the European Union clarifies what constitutes personal data and clarifies the conditions under which companies can use pseudonymised data. Here's what you need to know - and what new opportunities it could open up for your business.

New GDPR guidelines on pseudonymisation - what applies now

Many companies find it challenging to determine what is personal data and what is not - especially when it comes to pseudonymised data. The European Court of Justice ruling EDPS v. SRB from 4 September 2025 now provides clearer guidelines that could change the way you work with data.

The new ruling clarifies an important principle: what is personal data to you may not be to the person you send it to. This opens up more ways to use pseudonymised personal data as more datasets now fall outside the scope of the GDPR.

Three key principles to keep in mind

Different perspectives on the same data: What is personal data for you as the sender is not necessarily personal data for the recipient. The judgement depends on what information each party has access to.
Freer use under certain conditions: Recipients of pseudonymised data can in some cases use the data without restriction by the GDPR - provided they do not have access to information that allows re-identification.
Access to additional data is decisive: If a recipient of pseudonymised data has access to additional data that can be used for re-identification, the GDPR applies to both sender and recipient.

The business case: What does it mean in practice?

This ruling will be particularly important in AI training and digital marketing, where pseudonymised data is often used. For companies in AI, life sciences, media and tech, this potentially means more and freer ways to use data, as well as possible administrative relief.

At Lindahl, we regularly assist clients who are training various AI models and who need to consider a large number of regulations before using data - from the Copyright Act and the GDPR to the Data Act and the AI Act. The CJEU's ruling now sets a clearer framework for the use of pseudonymised data, which creates new business opportunities.

What should you do?

Even if no immediate action is required, it is worth reviewing your current data flows and assessing whether the new ruling creates new opportunities for your business. Remember that the assessment must always be made based on what information the recipient actually has access to.

Do you have questions about how the new ruling affects your business? Contact one of our experts to discuss your specific circumstances.