EDPS v SRB: What It Means for Subject Access Requests

Caine Glancy

Discover how EDPS v SRB affects Subject Access Requests, opinions as personal data, and pseudonymised data under UK GDPR.

EDPS v SRB and Pseudonymisation: What It Means for Subject Access Requests

The recent judgment in EDPS v SRB (Case C-413/23 P, EU:C:2025:645) changes how we think about personal data. The court confirmed that opinions and views are personal data when they relate to an individual. It also ruled that pseudonymisation does not always take data outside the law. If your organisation handles Subject Access Requests, you must reassess what you disclose and how you decide whether information is personal.

Why This Matters Now

Organisations rely heavily on pseudonymisation for data sharing and analytics. At the same time, more people are exercising their rights and submitting SARs. The Two Birds article “Can pseudonymisation make data anonymous” explains that removing identifiers does not guarantee anonymity. The CJEU confirmed this point. Pseudonymised data remains personal if you hold the key to re-identify. Only when re-identification is practically impossible can you treat it as anonymous. This ruling matters because it affects what you disclose, what you explain in privacy notices, and how you manage third-party sharing. Getting this wrong can lead to complaints and regulatory action.

What’s Changed

The judgment provides two clear answers. First, opinions and comments that relate to a person are personal data. You must treat them as such. Second, pseudonymised data stays within scope when you hold re-identification keys or other means to link it back. A recipient who cannot realistically re-identify may treat it as anonymous, but only after checking risk carefully. The Two Birds article stresses that true anonymity is rare. You must consider technology, cost, time, and available information. These factors can change over time, so reviews should be ongoing.

Impact on Data Protection and SARs

This case has a direct impact on Subject Access Requests. When a person asks for their data, you must include any opinions or feedback about them. You must also check pseudonymised data and disclose it if you can re-identify the subject. Your privacy notices must explain what happens to the data you collect, including sharing with third parties in pseudonymised form. Clear notices build trust and show compliance. You must also assess identifiability using real-world conditions, not theory. If re-identification is reasonably likely, treat the data as personal and respond to the SAR.

What You Should Do Now

Start by reviewing your SAR process. Make sure your teams treat opinions as personal data and include them in disclosures where no exemption applies. Map where you use pseudonymisation. Record who holds keys and how you control access. Update your privacy notices so people know when you share data and how you protect it. Train staff on assessing identifiability using practical tests. Keep a record of each decision where you exclude pseudonymised data from a SAR. When in doubt, disclose or seek advice. You can also run a GDPR audit to test your process and identify gaps. Data protection training helps teams apply the rules consistently and with confidence.

Our View

We welcome this judgment because it gives clarity. Opinions are clearly personal data, and pseudonymisation is not a free pass. The question is always whether you can identify the person, not what you call the dataset. We recommend a risk-based approach. Treat data as personal unless you have strong evidence that re-identification is not possible. Keep your privacy notices up to date and document your decisions. This approach will reduce risk, speed up SAR responses, and build trust with individuals.

FAQs

Are opinions always personal data for SARs?

Yes. If an opinion relates to a person you can identify, treat it as personal data and consider it for disclosure.

When can pseudonymised data be treated as anonymous?

Only when you cannot re-identify the data subject and re-identification is not reasonably likely in practice. You must be able to show your reasoning.

Do privacy notices need updating?

Yes. You must tell people if you share their data, including in pseudonymised form, and explain how you protect it.

What records should we keep when excluding data?

Keep a short note explaining the context, what re-identification methods exist, why you ruled out identifiability, and who approved the decision.

Contact Us

If you need help improving your SAR process or reviewing pseudonymisation risks, we can support you. Explore our GDPR Audits, Data Protection Training, Data Protection Support, or SAR Support services today.