How the CJEU ruling affects your handling of pseudonymised data
A new ruling by the Court of Justice of the European Union clarifies what constitutes personal data and clarifies the conditions under which companies can use pseudonymised data. Here's what you need to know - and what new opportunities it could open up for your business.
New GDPR guidelines on pseudonymisation - what applies now
Many companies find it challenging to determine what is personal data and what is not - especially when it comes to pseudonymised data. The European Court of Justice ruling EDPS v. SRB from 4 September 2025 now provides clearer guidelines that could change the way you work with data.
The new ruling clarifies an important principle: what is personal data to you may not be to the person you send it to. This opens up more ways to use pseudonymised personal data as more datasets now fall outside the scope of the GDPR.
Three key principles to keep in mind
Different perspectives on the same data: What is personal data for you as the sender is not necessarily personal data for the recipient. The judgement depends on what information each party has access to.
Freer use under certain conditions: Recipients of pseudonymised data can in some cases use the data without restriction by the GDPR - provided they do not have access to information that allows re-identification.
Access to additional data is decisive: If a recipient of pseudonymised data has access to additional data that can be used for re-identification, the GDPR applies to both sender and recipient.
The business case: What does it mean in practice?
This ruling will be particularly important in AI training and digital marketing, where pseudonymised data is often used. For companies in AI, life sciences, media and tech, this potentially means more and freer ways to use data, as well as possible administrative relief.
At Lindahl, we regularly assist clients who are training various AI models and who need to consider a large number of regulations before using data - from the Copyright Act and the GDPR to the Data Act and the AI Act. The CJEU's ruling now sets a clearer framework for the use of pseudonymised data, which creates new business opportunities.
What should you do?
Even if no immediate action is required, it is worth reviewing your current data flows and assessing whether the new ruling creates new opportunities for your business. Remember that the assessment must always be made based on what information the recipient actually has access to.
Do you have questions about how the new ruling affects your business? Contact one of our experts to discuss your specific circumstances.
Do you want to know more? Contact:
Lisa Liljekvist
Senior Associate | AdvokatMikael Olsson
Senior Associate | AdvokatCarousel items
-
Cases and transactions
2/24/2026
Lindahl advises Medivir in directed share issue of SEK 45 million
Lindahl has acted as legal adviser to Medivir AB (publ) in connection with the company's directed share issue of SEK 45 million to Carl Bennet AB. The issue was carried out at a premium of 19 per cent to the closing price and has been well receive...
-
Knowledge
2/20/2026
Ambiguities and contradictions in construction contracts
Lindahl's construction law webinar addressed the interpretation of unclear contractual provisions, ranking in the event of conflicting contract documents and adjustment of delay penalties. The article summarises practical advice and recent case la...
-
News articles
2/12/2026
Lindahl ranked in Chambers and Partners Global Guide 2026
Lindahl is proud to once again be ranked in Chambers and Partners Global Guide. This year's ranking confirms the firm's strong position within several business-critical practice areas.
-
Portraits
1/20/2026
How I use AI in my daily work as a lawyer
AI is no longer the future – it is everyday reality. Johanna Karlsson, lawyer and senior associate at Lindahl, talks about how AI tools such as Legora have become a natural part of her workflow.
-
Read more news and insights?
