I received a few questions re the recent Danish & Polish positions on what is “personal data”. Here’s my take:
1. Summary of SRB, building on the CJEU’s Breyer/Scania/OLAF judgments
As highlighted in my deep dive on the SRB judgment of the EU Court of Justice (CJEU), information that is pseudonymised (= “Pseu’dData”) by an initial controller (A) and shared with a recipient (B) will *not* be personal data (= “PD”) from B’s perspective if two key conditions are met:
a) B is in effect unable to & prevented from (lawfully) getting back to the relevant natural persons; AND
b) B does not share that Pseu’dData with anyone (A or a new party C) who (based on what B knows or ought to reasonably expect)* is able to (re)identify the natural persons.
* My addition, but holding otherwise would make this all meaningless.
I highlighted in my analysis that SRB makes sense if B is *not* a processor.
Why?
Because B/processor acts under A/controller’s authority (if A still has the identifying data – ID’ingData). If a processor recipient were able to avoid the GDPR entirely, Art. 28 GDPR would become irrelevant in practice. [Read section V.1 of my article for more explanations.]
2. Danish authority: SRB reasoning doesn’t apply to processors
The Danish Data Protection Authority appears to share my view:
In a processor situation, [PD] that is pseudonymised by the controller will […] continue to be [PD] as long as the [Pseu’dData] is processed on behalf of the controller and according to the controller’s instructions, as [= “if”?] the controller has the key that leads back to the data subject” (translation)
The Danish DPA also tackles hybrid processing, i.e. situations where B as processor *also* processes that Pseu’dData for own purposes, as controller. The Danish DPA stresses that the sharing of the Pseu’dData with B must also be lawful *for A* as (initial) controller – i.e. A as pseudonymising controller must consider lawfulness before sharing Pseu’dData.
Fine, as long as LIAs are assessed reasonably.
3. Polish Supreme Administrative Court (NSA)
The judgment in case III OSK 2357/22 is worth the read, in particular its 6th last paragraph. It highlights that “identification” of the natural person (“establishing his or her identity”) must be the result of the combination of information and ID’ingData (“additional information” in the judgment) for that information to be PD.
The judgment is a good application of Breyer and Recital 26 GDPR.
Was it right to conclude that info re a dentist’s private practice is not personal data? Tough issue with SMEs in particular. The details concern the business, not the natural person. Lines have to be drawn somewhere, or every business info relates to its CEO/staff/… – which isn’t the aim of the GDPR.
In-depth article on SRB’s meaning and consequences: https://lnkd.in/e2eNmGUP
Danish DPA’s publication: https://lnkd.in/e6KKeFfc
Polish NSA judgment of 15 October 2025: https://lnkd.in/eHVBZ9yd
Data protection privacy
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗