Dr. Daniel Schatz’s Post

CJEU decision provided clarity on the GDPR's definition of personal data when it is pseudonymized, and on the controller's responsibility when transferring it to a third party. CJEU sided: - individuals' personal opinions constitute personal information;  - the reidentification risk of processing and transferring personal data must be evaluated on a case-by-case basis at the time of collection. "(...) pseudonymized data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application (of the GDPR) in so far as pseudonymization may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."

👩⚖️⚖️CJEU Says: Pseudonymised Data Isn’t Always Personal Data👩⚖️⚖️ Context is everything. The latest ruling by the Court of Justice of the European Union (CJEU)  brings nuance to the GDPR, backs the European Data Protection Supervisor on stakeholder opinions, and clarifies when controllers must assess reidentification risk. A must-know moment for privacy pros and data sharers alike! 👉 Read this IAPP article for more information. https://lnkd.in/djkf4B5b

⚖️ CJEU’s EDPS v. SRB ruling – 3 key takeaways on pseudonymised data under GDPR (and probably no surprise to many of us privacy enthusiasts): 1️⃣ Opinions = personal data – Individual opinions in a dataset must be treated as personal data. 2️⃣ Case-by-case assessment – When sharing pseudonymised data, controllers must assess reidentification risks for the recipient and document their reasoning. 3️⃣ Transparency obligations remain – Controllers must inform data subjects about potential sharing, even if the data may no longer be personal data for the recipient. 👉 Bottom line: Pseudonymisation is not a safe harbour. Controllers disclosing such data still need to comply with GDPR. If you wish to read more see below. Geng To Law Goodwin https://lnkd.in/e3BUKKWj

Is GDPR finally getting a dose of some common sense? 🤔 A recent ruling from the EU Court of Justice delivers a significant clarification: 👉 pseudonymized data is not always personal data anymore. The court has established a practical, context-based approach. When pseudonymized data is transferred, its classification now depends on the recipient. If the third party receiving the data has no reasonable means to re-identify the individuals, it is not considered personal data from their perspective. However, this doesn't create a free pass for the original data controller. For the organization that holds the 'key' to the data, it remains personal data, and they are still fully responsible for it under GDPR. More on this 👉 https://lnkd.in/dcAacTXi #GPDR #Pseudonymisation #Personaldata

⚖️ When is pseudonymised data still personal? In her latest blog post, our colleague Giulia Provini analyses the recent CJEU judgment in EDPS v Single Resolution Board (C-413/23 P), which directly addresses this question. On 4 September 2025, the Court clarified that the classification of pseudonymised data depends on who holds it and what they can realistically do with it: ->For controllers: pseudonymised data remains personal if they retain the re-identification key. GDPR obligations apply in full. ->For recipients: if they lack the key and cannot reasonably re-identify individuals by other means, the same dataset may not count as personal data. ->Actor-specific assessment: identifiability is not absolute but contextual. The same data can be personal in one party’s hands and non-personal in another’s. The CJEU rejected a “one-size-fits-all” approach and reinforced a proportionate, case-by-case analysis. For organisations, this means pseudonymisation is never a shortcut to GDPR exemption. Each processing context must be evaluated carefully, with DPO or privacy counsel involvement. Read Giulia’s full analysis here: https://lnkd.in/eJ3hdzAU

⚖️ When is pseudonymised data still personal? In her latest blog post, our colleague Giulia Provini analyses the recent CJEU judgment in EDPS v Single Resolution Board (C-413/23 P), which directly addresses this question. On 4 September 2025, the Court clarified that the classification of pseudonymised data depends on who holds it and what they can realistically do with it: ->For controllers: pseudonymised data remains personal if they retain the re-identification key. GDPR obligations apply in full. ->For recipients: if they lack the key and cannot reasonably re-identify individuals by other means, the same dataset may not count as personal data. ->Actor-specific assessment: identifiability is not absolute but contextual. The same data can be personal in one party’s hands and non-personal in another’s. The CJEU rejected a “one-size-fits-all” approach and reinforced a proportionate, case-by-case analysis. For organisations, this means pseudonymisation is never a shortcut to GDPR exemption. Each processing context must be evaluated carefully, with DPO or privacy counsel involvement. Read Giulia’s full analysis here: https://lnkd.in/eJ3hdzAU

🔍 𝗖𝗝𝗘𝗨 𝗰𝗹𝗮𝗿𝗶𝗳𝗶𝗲𝘀 𝘄𝗵𝗲𝗻 𝗽𝘀𝗲𝘂𝗱𝗼𝗻𝘆𝗺𝗶𝘀𝗲𝗱 𝗱𝗮𝘁𝗮 𝗶𝘀 𝘀𝘁𝗶𝗹𝗹 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗱𝗮𝘁𝗮 📢 On 4 September 2025, the 𝗖𝗼𝘂𝗿𝘁 𝗼𝗳 𝗝𝘂𝘀𝘁𝗶𝗰𝗲 𝗼𝗳 𝘁𝗵𝗲 𝗘𝗨 (𝗖𝗝𝗘𝗨) issued a significant ruling in Case C-413/23 P, offering important clarity on what counts as 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗱𝗮𝘁𝗮 — especially in the context of 𝗽𝘀𝗲𝘂𝗱𝗼𝗻𝘆𝗺𝗶𝘀𝗲𝗱 𝗱𝗮𝘁𝗮 𝘀𝗵𝗮𝗿𝗲𝗱 𝘄𝗶𝘁𝗵 𝘁𝗵𝗶𝗿𝗱 𝗽𝗮𝗿𝘁𝗶𝗲𝘀. ⚖️ Key takeaways: 𝟭. 𝗣𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗼𝗽𝗶𝗻𝗶𝗼𝗻𝘀 = 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗱𝗮𝘁𝗮 If a comment reflects a person’s 𝗼𝗽𝗶𝗻𝗶𝗼𝗻 𝗼𝗿 𝗽𝗼𝗶𝗻𝘁 𝗼𝗳 𝘃𝗶𝗲𝘄, it is inherently linked to their identity—even if pseudonymized. It still counts as 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗱𝗮𝘁𝗮 from the controller’s perspective. 𝟮️. 𝗣𝘀𝗲𝘂𝗱𝗼𝗻𝘆𝗺𝗶𝘀𝗲𝗱 ≠ 𝗮𝗻𝗼𝗻𝘆𝗺𝗼𝘂𝘀 (always) Pseudonymised data 𝗺𝗶𝗴𝗵𝘁 fall outside the definition of personal data for a recipient, but only 𝗜𝗳 𝗶𝗱𝗲𝗻𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗶𝘀 𝗻𝗼 𝗹𝗼𝗻𝗴𝗲𝗿 𝗿𝗲𝗮𝘀𝗼𝗻𝗮𝗯𝗹𝘆 𝗽𝗼𝘀𝘀𝗶𝗯𝗹𝗲. This depends on 𝘄𝗵𝗼 𝗵𝗼𝗹𝗱𝘀 𝘁𝗵𝗲 𝗸𝗲𝘆 to re-identification. 𝟯️. 𝗖𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗲𝗿’𝘀 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆 𝗰𝗼𝗺𝗲𝘀 𝗳𝗶𝗿𝘀𝘁 The duty to inform individuals (under Regulation 2018/1725) applies at the time of 𝗱𝗮𝘁𝗮 𝗰𝗼𝗹𝗹𝗲𝗰𝘁𝗶𝗼𝗻 — 𝗻𝗼𝘁 𝗮𝗳𝘁𝗲𝗿 it’s shared with a third party. It’s about what the 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗲𝗿 𝗸𝗻𝗼𝘄𝘀, 𝗻𝗼𝘁 𝘄𝗵𝗮𝘁 𝘁𝗵𝗲 𝗿𝗲𝗰𝗶𝗽𝗶𝗲𝗻𝘁 𝘀𝗲𝗲𝘀. 🧠 This ruling reinforces that: 𝗖𝗼𝗻𝘁𝗲𝘅𝘁 𝗺𝗮𝘁𝘁𝗲𝗿𝘀. Whether data is "personal" depends on who’s processing it, what they know, and what they can do with it. 📄 More about in: https://lnkd.in/gud3auaF 🔎 At 𝗟𝗲𝘅𝗤𝗦, we help organizations interpret rulings like this and translate them into 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝘀𝘁𝗲𝗽𝘀. Whether you're handling pseudonymized datasets, working with vendors, or transferring data cross-border, clarity on personal data scope is key for GDPR and AI Act compliance. #LexQS #GDPR #CJEU #Pseudonymisation #PersonalData #PrivacyCompliance #AIAct #LegalTech #DataProtection #EDPS #DataGovernance #DigitalEU

Good to see this matter being resolved in the EU: "pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data" Paves the way for ZKPs and other forms of privacy techniques to be adopted!

"India's Digital Personal Data Protection (DPDP) Act, passed in 2023, establishes a framework for protecting the digital personal data of citizens, implementing requirements for data processors and controllers based on principles like consent and data minimization. The Act aims to create a robust legal framework for data protection, with the draft Digital Personal Data Protection Rules designed to operationalize its provisions and further safeguard citizen rights. Key aspects include a consent-based approach, similar to the EU's GDPR, but with some differences in lawful bases for processing. Key Objectives and Principles Citizen Rights: The primary goal is to protect the fundamental right of individuals to privacy concerning their digital personal data.  Consent-Based Processing: The Act requires data to be processed with the free, specific, informed, unconditional, and unambiguous consent of the data subject, obtained through a clear affirmative action.  Data Minimization: Processing is limited to what is necessary for a specified purpose, and data is only retained for as long as required.  Key Provisions  Data Fiduciaries: Entities that process personal data must adhere to the Act's requirements. Data Subjects: Individuals whose data is processed have rights and obligations under the Act. Limited Lawful Bases: While similar to the GDPR in requiring consent, the DPDP Act, in contrast, does not permit processing based on legitimate interests or contractual necessity, emphasizing consent as the primary lawful basis."

📘 UK Data Use and Access Act 2025 Explained 📘 The UK has introduced its most significant data reform since the GDPR, modernizing how businesses handle personal data. From new rules on subject access requests to changes in automated decision-making and international data transfers, this law balances innovation with strong privacy rights. Here’s what you’ll learn: 1️⃣ How recognised legitimate interests expand lawful data use ✅ 2️⃣ Simplified rules for data subject access requests 🔍 3️⃣ Stronger transparency around automated decision-making 🤖 4️⃣ New standards for international transfers and research data 🌍 5️⃣ Expanded ICO enforcement powers and penalties ⚠️ 💡 Pro Tip: Review your privacy notices, international transfer safeguards, and ADM processes now to stay compliant. 👉 Read the full article here: https://lnkd.in/dE7EQaRC #UKData #Privacy #Compliance #DataProtection #GDPR #Innovation