How the CJEU ruling affects your handling of pseudonymised data
A new ruling by the Court of Justice of the European Union clarifies what constitutes personal data and clarifies the conditions under which companies can use pseudonymised data. Here's what you need to know - and what new opportunities it could open up for your business.
New GDPR guidelines on pseudonymisation - what applies now
Many companies find it challenging to determine what is personal data and what is not - especially when it comes to pseudonymised data. The European Court of Justice ruling EDPS v. SRB from 4 September 2025 now provides clearer guidelines that could change the way you work with data.
The new ruling clarifies an important principle: what is personal data to you may not be to the person you send it to. This opens up more ways to use pseudonymised personal data as more datasets now fall outside the scope of the GDPR.
Three key principles to keep in mind
Different perspectives on the same data: What is personal data for you as the sender is not necessarily personal data for the recipient. The judgement depends on what information each party has access to.
Freer use under certain conditions: Recipients of pseudonymised data can in some cases use the data without restriction by the GDPR - provided they do not have access to information that allows re-identification.
Access to additional data is decisive: If a recipient of pseudonymised data has access to additional data that can be used for re-identification, the GDPR applies to both sender and recipient.
The business case: What does it mean in practice?
This ruling will be particularly important in AI training and digital marketing, where pseudonymised data is often used. For companies in AI, life sciences, media and tech, this potentially means more and freer ways to use data, as well as possible administrative relief.
At Lindahl, we regularly assist clients who are training various AI models and who need to consider a large number of regulations before using data - from the Copyright Act and the GDPR to the Data Act and the AI Act. The CJEU's ruling now sets a clearer framework for the use of pseudonymised data, which creates new business opportunities.
What should you do?
Even if no immediate action is required, it is worth reviewing your current data flows and assessing whether the new ruling creates new opportunities for your business. Remember that the assessment must always be made based on what information the recipient actually has access to.
Do you have questions about how the new ruling affects your business? Contact one of our experts to discuss your specific circumstances.
Do you want to know more? Contact:
Lisa Liljekvist
Senior Associate | AdvokatMikael Olsson
Senior Associate | AdvokatCarousel items
-
News articles
4/1/2026
Insights from Oxford: climate transition is business-critical
When leading experts gathered in Oxford for this year's Climate Policy Monitor symposium, one thing was clear: climate is no longer purely a regulatory issue – it is business-critical.
-
Knowledge
3/30/2026
How to deal with bankruptcy during legal proceedings
What happens to ongoing legal proceedings if the opposing party goes bankrupt? We explain the estate's right to take over the claim and the risks involved.
-
Cases and transactions
3/23/2026
Lindahl advises Seafire on the acquisition of Splendor Plant AB
Lindahl has acted as legal adviser to Seafire in connection with the acquisition of all shares in Splendor Plant AB, the Nordic region's leading wholesale plant nursery, and in negotiations regarding an expanded financing agreement with its existi...
-
Portraits
1/20/2026
How I use AI in my daily work as a lawyer
AI is no longer the future – it is everyday reality. Johanna Karlsson, lawyer and senior associate at Lindahl, talks about how AI tools such as Legora have become a natural part of her workflow.
-
Read more news and insights?
