Recipients of personal data must be named by the controller at the time of data collection – even if the personal reference is removed prior to downstream transfer. This was decided by the European Court of Justice (ECJ), which overturned a ruling by the General Court of the European Union (judgment of 4 September 2025, Case C-413/23 P).
The facts
The starting point for the ECJ ruling was the previous Banco Popular case in 2007, which related to the resolution process of a Spanish bank. As part of a compensation process, the Single Resolution Board (SRB) obtained statements from shareholders and creditors and forwarded them (pseudonymised) to an auditing firm as an external service provider.
Following complaints from data subjects, the European Data Protection Supervisor (EDPS) criticised, among other things, that the SRB had not named the auditing firm as a (potential) recipient in its privacy policy and had thus violated its duty to provide information.
In the ensuing legal dispute, the General Court overturned the revised EDPS decision, against which the EDPS lodged an appeal. Now, in turn, the ECJ has overturned the General Court’s ruling.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
The ECJ ruling
According to the ECJ, whether transmitted data is personal is not assessed exclusively from the recipient’s point of view. The perspective of the controller at the time of collection is decisive for the obligation to provide information regarding (potential) recipients of the data. The identifiability of personal data must therefore be assessed from the perspective of the controller. If it is identifiable, all data protection obligations apply. The assumption, often encountered in practice, that data protection obligations no longer apply if there is no longer any personal reference at the end of processing is a dangerous misconception.
However, the ECJ states that pseudonymised data may no longer be personal data from the subjective perspective of a recipient, such as the auditing firm in the present case. The decisive factor is whether the identification of the data subjects can be effectively ruled out for the third party by appropriate measures – or not.
The ECJ further states that statements reflect the personal opinions of their authors and thus refer to identifiable individuals. Therefore, the EDPS was entitled to assume that the information transmitted to the third party constituted personal data.
Finally, the ECJ clarifies that even if Regulation 2018/1725 (for EU institutions) applies in the present case, this must also be applied to controllers subject to the GDPR in the course of harmonised interpretation.
Data protection assessment
Anyone who collects data as a controller must designate recipients in such a way that data subjects can make an informed decision as to whether they wish to provide data or object to its processing. It is not sufficient to provide information only at the time of or after the transfer. The fact that the data may no longer be personally identifiable to the recipient does not alter this obligation.
Effective pseudonymisation prior to transfer may mean that a recipient can no longer identify data subjects. However, the information remains personal for the controller, even if they themselves have no means of re-identification. For the obligations under the GDPR, the only thing that matters is the time of collection.
The practical implications of the decision are not yet fully clear.
It is logical that recipients of personal data who no longer have personal data may not have to fulfil their own data protection obligations.
However, the extent to which the interaction between the controller and the recipient is affected is already the subject of heated debate, particularly in relation to data processing relationships. Some service providers are already delighted to be freed from all constraints. On the other hand, controllers are wondering whether their responsibility still extends to service providers, who must be bound and monitored accordingly; possibly even quite independently of the GDPR via general duties of care. If a service provider loses data due to a lack of appropriate technical and organisational measures, this has consequences – and the question of whether the controller is solely liable or continues to be jointly liable with the service provider is crucial.
Controllers and data protection advisors can expect heated discussions ahead.
Conclusion
The ECJ is tightening the transparency requirement. Anyone who collects personal data must immediately name its (potential) recipients – even if disclosure is only planned after pseudonymisation. The absoluteness of the personal reference is softened in that, from the third party’s point of view, there does not have to be a personal reference, even though re-identification by the original controller is possible.
