
"Under the GDPR, "personal data" is broadly defined and includes both directly identifiable information (e.g., names, contact details) and indirectly identifiable information (e.g., IP address, unique IDs). "Pseudonymous data" constitutes personal data if individuals can be identified using "reasonably likely" means - taking into account all objective factors such as cost, time, and available technology. By contrast, "anonymous data" is information which does not relate to an identified or identifiable individual."
"The distinction is important because only personal data is subject to the requirements of the GDPR. However, what constitutes anonymous data (and whether pseudonymous data can be considered anonymous) has - up until now - been an area of extensive debate, with differing interpretations and ultimately two main schools of thought: The absolute approach which considers that, provided a known third party holds additional information, the pseudonymous data would be considered personal data, regardless of the likelihood of attribution."
On 4 September 2025 the CJEU held that pseudonymous data is not automatically personal data; the decisive factor is whether the controller can realistically re-identify the individual. The ruling recognizes that effective technical and organisational measures can prevent re-identification and thus remove data from the scope of personal data. The judgment arose under Regulation 2019/1725 and the CJEU confirmed the same interpretation applies under the GDPR. Personal data includes directly and indirectly identifiable information. Pseudonymous data is personal where identification is "reasonably likely" considering objective factors. Anonymous data does not relate to an identified or identifiable person.
Read at Data Matters Privacy Blog
Unable to calculate read time
Collection
[
|
...
]