How the CJEU ruling affects your handling of pseudonymised data
A new ruling by the Court of Justice of the European Union clarifies what constitutes personal data and clarifies the conditions under which companies can use pseudonymised data. Here's what you need to know - and what new opportunities it could open up for your business.
New GDPR guidelines on pseudonymisation - what applies now
Many companies find it challenging to determine what is personal data and what is not - especially when it comes to pseudonymised data. The European Court of Justice ruling EDPS v. SRB from 4 September 2025 now provides clearer guidelines that could change the way you work with data.
The new ruling clarifies an important principle: what is personal data to you may not be to the person you send it to. This opens up more ways to use pseudonymised personal data as more datasets now fall outside the scope of the GDPR.
Three key principles to keep in mind
Different perspectives on the same data: What is personal data for you as the sender is not necessarily personal data for the recipient. The judgement depends on what information each party has access to.
Freer use under certain conditions: Recipients of pseudonymised data can in some cases use the data without restriction by the GDPR - provided they do not have access to information that allows re-identification.
Access to additional data is decisive: If a recipient of pseudonymised data has access to additional data that can be used for re-identification, the GDPR applies to both sender and recipient.
The business case: What does it mean in practice?
This ruling will be particularly important in AI training and digital marketing, where pseudonymised data is often used. For companies in AI, life sciences, media and tech, this potentially means more and freer ways to use data, as well as possible administrative relief.
At Lindahl, we regularly assist clients who are training various AI models and who need to consider a large number of regulations before using data - from the Copyright Act and the GDPR to the Data Act and the AI Act. The CJEU's ruling now sets a clearer framework for the use of pseudonymised data, which creates new business opportunities.
What should you do?
Even if no immediate action is required, it is worth reviewing your current data flows and assessing whether the new ruling creates new opportunities for your business. Remember that the assessment must always be made based on what information the recipient actually has access to.
Do you have questions about how the new ruling affects your business? Contact one of our experts to discuss your specific circumstances.
Do you want to know more? Contact:
Lisa Liljekvist
Senior Associate | AdvokatMikael Olsson
Senior Associate | AdvokatCarousel items
-
Cases and transactions
7/13/2026
Lindahl Advises Bokusgruppen AB (publ) on the Acquisition of Pen Store Sthlm AB
Lindahl has advised Bokusgruppen on its acquisition of Pen Store, the leading Nordic retailer of pens and artists' materials serving customers across the EU.
-
News articles
7/7/2026
Lindahl included among Sweden's ten most reputable patent firms for the second consecutive year
For the second consecutive year, Lindahl has been named among Sweden's ten most reputable patent law firms by The Patent Lawyer Magazine – a testament to the firm's strong expertise and long-term commitment in intellectual property law.
-
Portraits
7/3/2026
Jesper on business-oriented legal advice in energy: "It is not enough for the advice to be correct"
Lindahl's energy team is recognised in Legal 500 for combining deep regulatory expertise with broad commercial legal experience – find out how they support clients in a rapidly evolving sector.
-
Knowledge
6/29/2026
The scope of the Swedish FDI Act is expanded – is your business affected?
MCF's new regulation (MCFFS 2026:13) expands the scope of the Swedish FDI Act from 15 July 2026. Is your business affected? Read about the key changes.
-
Read more news and insights?