When Does Data Stop Being Personal Data?

Authors: Maria Aholainen Read time: 4 min

Few questions in data protection law carry as much practical weight as this one: when does data stop being personal data? The answer determines whether the GDPR applies at all and with it, whether individuals hold rights of access; whether data can be shared with third parties or transferred outside the EU without GDPR safeguards; and what is permissible in AI development. In short, the boundary between personal data and non-personal data is the watershed of data protection law.

The stakes are only rising. With AI, this boundary is becoming more important and harder to draw. A data that is genuinely anonymous today may simply not be tomorrow.

Personal Data or Not?

Under the GDPR, “personal data” means any information relating to an identified or identifiable person. A person is “identifiable” if they can be identified, directly or indirectly, for example, by reference to a name or an identification number. In practice, this is a broad concept: data does not need to carry a name or an identification number to qualify as personal data. A combination of data points can be enough if, taken together, they allow an individual to be singled out.

Anonymised data, by contrast, is data that does not relate to an identified or identifiable person. The GDPR does not apply to such truly anonymous information.

Ultimately, the central question is whether a natural person is identifiable and to answer it, account must be taken of all the means reasonably likely to be used to identify that individual, directly or indirectly.

EDPB Guidance on Anonymisation Expected Soon

The EDPB is expected to publish guidelines on anonymisation in July 2026. The guidelines will hopefully bring some clarity to hard questions about the boundary between personal data and non-personal data.

In anticipation of the forthcoming guidelines, it is worth reflecting on what has already emerged from the EDPB’s stakeholder event on Anonymisation and Pseudonymisation, held in December 2025. In February 2026, the EDPB published its Report on the Event, which identifies the areas where participants considered further clarification to be most urgently needed:

• Perspective: From whose perspective should identifiability be assessed: from the controller’s or the recipient’s perspective?
• Technical measures: What does “reasonably likely to be used” mean in terms of technical measures? For example, what privacy-enhancing technologies (PETs) can be relied upon, and what are appropriate approaches to key management (e.g., for encryption or tokenisation)?
• Contract: can contractual obligations prohibiting re-identification suffice?
• Onward disclosures: How do actual or foreseeable onward disclosures affect identification risks?

The forthcoming guidelines will need to be read alongside the EDPB’s draft opinion on pseudonymisation (01/2025) and the SRB Judgment, both of which have already begun to reshape how these questions should be approached.

The SRB Judgment: A Turning Point

The impetus for the new guidelines lies in a landmark ruling by the Court of Justice of the EU (“CJEU”). On 4 September 2025, in Case C-413/23 (EDPS v SRB), the Court delivered its interpretation of what constitutes “personal data”. The CJEU clarified that pseudonymised data do not constitute personal data in all cases and for every organisation. Pseudonymisation may, depending on the circumstances, effectively prevent persons other than the controller from identifying the person. Personal data in the hands of one party is not necessarily personal data in the hands of another.

The Digital Omnibus: Raising the Stakes

Timing is everything. The Digital Omnibus package, published by the Commission in November 2025, proposes, amongst other things, an amendment to the definition of personal data to clarify that information relating to a person shall not be personal for a given entity where that entity cannot identify the person, taking into account the means reasonably likely to be used by that entity. This proposal follows the CJEU’s reasoning in SRB but may go further than the SRB judgment itself.

The proposed amendment to definition of personal data has not gone without challenge. The EDPB and the EDPS (see their Joint Opinion 2/2026) warned that narrowing the definition of personal data creates a legal gap: once data is no longer regarded as personal, GDPR safeguards automatically cease to apply. Their central concern is that the proposal would allow more data, in particular certain pseudonymised data, to be processed without the consent of the individuals concerned, primarily with a view to facilitating AI training.

This question will not be settled by any single legislative reform: however the law ultimately evolves, the threshold issue of when data qualifies as personal will remain a defining and enduring tension in the application of EU data protection law.

Is Your Data Still Personal Data?

If you need help assessing whether the data in your hands constitutes personal data, or what steps your organisation should take to ensure its anonymisation practices withstand scrutiny, we would be happy to help.