Pseudonymised data in clinical trials

2025-09-15T10:12:00
European Union

What the EDPS v SRB ruling means for sharing health sciences data


On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered its long-awaited judgment in the case of the European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (Case C-413/23 P, ECLI:EU:C:2025:59). The Court clarified the circumstances in which a dataset stripped of direct identifiers but remaining key-coded should be treated as 'personal data' under EU data protection law. Healthcare organisations have long relied on pseudonymised trial and pharmacovigilance (PV) data to collaborate with contract research organisations (CROs), regulators, and academic partners. However, there has been uncertainty about whether these coded datasets still fall within the scope of the General Data Protection Regulation (GDPR), and whether recipients must comply with all its obligations. This article summarises the Court’s findings and explores what they mean for life sciences teams.

Why does the ruling matter for health data?

Clinical trials, observational studies and pharmacovigilance systems collect sensitive personal data. Sponsors often assign a code to each participant or reporter and keep the linking key separate, enabling analysis to be carried out without revealing names or contact details. Pseudonymisation is therefore distinct from anonymisation: an anonymised dataset cannot be attributed to a person by any means, whereas pseudonymised data could be traced back to an individual if the key is available. Recital 16 of Regulation 2018/1725 (the EU institutions’ data protection regulation) explains that, while pseudonymisation reduces risk, it does not remove data from the protection regime if the data can still be attributed to a natural person using additional information.

Before the EDPS v SRB case, two CJEU cases shaped the debate. In Breyer (C-582/14, ECLI:EU:C:2016:779), the Court considered whether a dynamic IP address constituted personal data for a website operator. The Court held that the address was personal data because the operator had legal channels to obtain the subscriber’s identity from the internet service provider. The test for identifiability requires an assessment of “all the means likely reasonably to be used” by the controller or another person. The Court noted that if identification is prohibited by law or would require disproportionate effort, the data may not be personal. In Gesamtverband Autoteile-Handel v Scania (C-319/22, ECLI:EU:C:2023:837), the Court held that a vehicle identification number (VIN) is not personal data for manufacturers, but it becomes personal data if an independent operator has reasonable means to associate the VIN with the owner. These judgments emphasised the relative nature of identifiability: the same data may or may not be personal, depending on who holds it and what means they have.

Healthcare sponsors welcomed the Scania ruling because it suggested that a key-coded dataset could fall outside the scope of the GDPR if the recipient cannot re-identify participants. However, confusion was sown by the General Court’s decision in SRB v EDPS. That case concerned the SRB’s procedure for compensating Banco Popular shareholders. The SRB collected comments from affected shareholders and transmitted coded comments to an auditing firm, without listing that firm as a recipient in its privacy notice. The EDPS found that the SRB had violated its information obligations. However, the General Court annulled this decision, suggesting that the EDPS should have assessed whether the data were personal from the auditing firm’s perspective. This implied that, regardless of the controller’s obligations, pseudonymised data might be non-personal for a recipient, fuelling debates in clinical-research circles. EDPS v SRB clarifies this issue and provides clearer guidance.

The Court's decision

On appeal, the CJEU partly upheld the EDPS’s arguments and set aside the General Court’s judgment. The Court reaffirmed that pseudonymised data are not automatically personal data for every recipient. Article 3(6) of Regulation 2018/1725 defines pseudonymisation as processing that prevents attribution to a person without additional information being used, provided that this information is kept separately and subject to technical and organisational measures. The Court emphasised that pseudonymisation is not part of the definition of personal data, but rather a technique to reduce risk. Whether a recipient is processing personal data depends on whether they can identify the data subject using reasonable means, taking into account the costs, time, and available technology.

In this case, the SRB retained the key linking codes to individual shareholders, but the auditing firm did not receive that key. The Court explained that, if technical and organisational measures prevented the auditors from obtaining the key or cross-referencing the data with other datasets, the comments would no longer be personal data for that firm. Conversely, if the auditors could reasonably link the comments to individuals through other data, the dataset would remain personal data.

Relative identifiability in practice

The judgment summarises earlier cases and confirms that identifiability is context-specific. In Breyer, for example, a dynamic IP address constituted personal data because the website operator had the means to identify the user. In Scania, by contrast, a vehicle identification number was not personal data for the manufacturer, but it became personal data when an independent operator could link it to a specific owner. Taken together, these cases establish that the same pseudonymised dataset may constitute personal data for one entity but not for another, as identifiability depends on the actor's means.

The Court explained that an assessment must consider all objective factors, including costs, time, and available technology, and whether the recipient or any other person could realistically obtain the additional information needed to re-identify individuals. If identification is legally impossible or would require a disproportionate effort, the data may fall outside the scope of the GDPR. Therefore, EDPS v SRB reassures research organisations that pseudonymisation can reduce compliance burdens. However, it also underscores that each data transfer requires a fresh appraisal of the recipient’s re-identification capabilities, and that transparency obligations remain even where recipients cannot identify individuals.

Clinical trials and CRO collaborations

Life-sciences sponsors often outsource trial management and data analysis to CROs. Trial datasets usually comprise coded information, with the sponsor keeping the key. EDPS v SRB implies that a CRO may be outside the scope of the GDPR when it cannot realistically re-identify participants. It must not have access to the coding key or other data that would enable re-identification, and the dataset should lack quasi-identifiers, particularly in rare disease or small cohort studies. Contracts should confirm that the CRO cannot obtain the key and prohibit attempts at re-identification.

Unlike the CRO, the sponsor remains the controller of personal data at the point of collection. It must inform participants that coded data will be shared, conduct data-protection impact assessments, and ensure that sharing respects ethical and regulatory requirements.

Pharmacovigilance and real-world evidence

Adverse event reports are another area where pseudonymisation is widely used. Sponsors assign case identifiers and often work with external vendors to process and submit reports to regulators. Under EDPS v SRB, a vendor who receives only coded PV data is not processing personal data if they cannot access the key or combine the narrative with other variables to identify individuals. This requires the key to be stored internally with strict access controls, narratives to be written with limited detail that could enable re-identification, and vendors to be prohibited from seeking additional information. However, real-world evidence projects frequently link trial data with health record or registry data. Such linkage increases the chance of re-identification, especially in small populations. Controllers should therefore treat linked datasets as personal data and apply GDPR safeguards. In Scania, the Court emphasised that data becomes personal when the recipient has the means to identify the individual.
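The key-coding practice that the CRO and pharmacovigilance sections describe, as an added illustration that is not part of the original article: the sponsor derives subject codes with a keyed hash and keeps the linking table separately, while the recipient's view is checked for quasi-identifier combinations that would single out a participant in a small cohort. The records, the sponsor key and the field names are constructed for this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample trial records for illustration only; no real participants.
PARTICIPANTS = [
    {"name": "A. Example", "email": "a@example.org", "site": "DE-01", "birth_year": 1971, "condition": "rare-X", "outcome": "responder"},
    {"name": "B. Example", "email": "b@example.org", "site": "DE-01", "birth_year": 1974, "condition": "common-Y", "outcome": "non-responder"},
    {"name": "C. Example", "email": "c@example.org", "site": "DE-01", "birth_year": 1979, "condition": "common-Y", "outcome": "responder"},
    {"name": "D. Example", "email": "d@example.org", "site": "FR-02", "birth_year": 1972, "condition": "common-Y", "outcome": "responder"},
    {"name": "E. Example", "email": "e@example.org", "site": "FR-02", "birth_year": 1975, "condition": "common-Y", "outcome": "responder"},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("site", "birth_year", "condition")  # hypothetical quasi-identifier set


def pseudonymise(records, sponsor_key):
    """Sponsor side: replace direct identifiers with an HMAC-derived subject code, which
    cannot be reversed or matched against a list of names without the sponsor key.
    Returns the coded dataset (what a CRO or PV vendor receives) and the linking table,
    which the sponsor keeps separately under its own access controls."""
    coded, linking_table = [], {}
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        code = hmac.new(sponsor_key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        linking_table[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        coded.append({"subject_code": code,
                      **{f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}})
    return coded, linking_table


def relink(coded, linking_table):
    """Sponsor side only: with the linking table the direct identifiers come back,
    so for the sponsor the same dataset is plainly personal data."""
    return [{**linking_table[rec["subject_code"]], **rec} for rec in coded]


def singling_out_risk(coded, quasi=QUASI_IDENTIFIERS, k=2):
    """Recipient-side appraisal: a quasi-identifier combination shared by fewer than k
    subjects could let a recipient re-identify someone by cross-referencing other data
    (the small-cohort and rare-disease concern). Returns those combinations."""
    counts = Counter(tuple(rec[q] for q in quasi) for rec in coded)
    return sorted(combo for combo, n in counts.items() if n < k)


def generalise(coded):
    """Minimise before sharing: coarsen birth year to a decade band. A rare condition
    can still single out a subject after this step, which the risk check will show."""
    return [{**rec, "birth_year": f"{rec['birth_year'] // 10 * 10}s"} for rec in coded]
```

Run against the sample records, every row of the raw coded dataset is unique on its quasi-identifiers; after generalising the birth year only the rare-condition subject remains singled out, which is the case the text says should still be treated as personal data.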

In conclusion, the CJEU's ruling in EDPS v SRB that pseudonymised data are not automatically personal to every recipient provides welcome clarity for life sciences collaborations. This means that CROs, PV vendors and regulators processing key-coded data may be exempt from certain GDPR obligations if they lack the means to re-identify individuals. However, the ruling does not deregulate health data. Sponsors and controllers remain subject to the GDPR at the point of collection. They must be transparent about data recipients, securely manage keys, minimise shared data and re-evaluate identifiability as technology evolves. In practice, pseudonymisation should be treated as a risk-reduction measure, not a guarantee of anonymity. With careful governance, life sciences teams can reap the benefits of secondary research and real-world evidence while respecting participants' privacy and complying with EU law.