Recent decisions in EU data protection law, specifically Bindl[1] and SRB[2], highlight critical considerations in defining personal data and in assessing data exchanges between organisations. This blog explains how the Bindl and SRB cases clarify when an organisation can pragmatically share data with another business on the basis that, with appropriate data protection measures in place, the data the recipient handles is non-personal data in its hands.
Exploring the SRB Appeal
The SRB cases[3] confirm the subjective “in-whose-hands” test established in the Breyer[4] case for determining whether alphanumeric codes are considered personal data. This means that whether data is classified as personal data or not depends on who holds it and the “legal means” at their disposal to reidentify the information. See our previous blog on this here.
The appeal in the SRB case[5] focused on whether pseudonymized data shared by the Single Resolution Board (SRB) with its consultants, Deloitte, qualifies as personal data. The key points of the appeal are:
- Pseudonymised Data: The appeal argued that pseudonymised data may not be personal data in the hands of a party that does not have the legal means to reidentify it. Information is de-identified, in this sense, when the safeguards in place in the recipient’s hands prevent it from being linked to the identity of an individual.[6]
- Contextual Analysis: The court emphasised that whether data is personal depends on the context, including whether the recipient has organisational measures in place that prevent it from reidentifying specific data subjects.
- Legal Means and Resources: The court considered whether the recipient had the legal means and resources to reidentify the data subject.
- Burden of Proof: The burden of proof was on the applicant to demonstrate that the recipient had the legal means to reidentify the data subject.[7]
Where the risk of reidentification is “non-existent or insignificant”, the Advocate General stated that pseudonymised data in the recipient’s hands falls outside the definition of personal data. As long as the recipient holds no additional information and has no “reasonable” technical, physical or legal means to reidentify the data subjects, the pseudonymised data is not personal data in its hands.
This stands in contrast to the European Data Protection Board’s recent draft guidelines on pseudonymisation,[8] which do not take into account the safeguards a recipient may have in place and hence suggest that pseudonymised data is always personal data.
For a disclosing controller, pseudonymised data remains personal data where it retains a mapping table (or key) that reverses the pseudonymisation, so its transparency obligations, including the duty under Article 13(1)(e) GDPR to inform data subjects of the recipients or categories of recipients, continue to apply. According to the Advocate General, information about the potential “categories of recipients” of such pseudonymised personal data must be provided at the time of collection, which bears on any onward processing of data that remains personal data. Once the data is de-identified in the recipient’s hands, by definition it is no longer personal data there, and the recipient may use it for broader purposes.
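The mapping-table point is easiest to see in code. The following is an added example written for this post, not code from the judgments, the SRB, Deloitte or any other party. It assumes a disclosing controller that pseudonymises a constructed set of consultation comments with a keyed hash (HMAC-SHA256 under a secret key it keeps), shares only the pseudonymised records, and retains the mapping table; the recipient holds neither key nor table. It also shows why the choice of technique matters for the “reasonable means” test: an unkeyed hash of a small identifier space such as IPv4 can be reversed by simple enumeration (a /16 is searched here as an assumed candidate space), whereas the keyed form cannot be reversed without the key. The recipient can still group records by pseudonym, which is the “singling out” risk that still has to be assessed.

```python
"""Added illustration of pseudonymisation in the sense used in the SRB and
Bindl discussion: the disclosing controller keeps the key and the mapping
table; the recipient receives only pseudonyms. All records are constructed."""
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: comments from identifiable individuals, as held by the
# disclosing controller before sharing them with an outside consultant.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "ip": "192.0.2.17", "comment": "Disagrees with the valuation"},
    {"email": "bob@example.org", "ip": "192.0.2.200", "comment": "Accepts the valuation"},
    {"email": "alice@example.com", "ip": "192.0.2.17", "comment": "Adds supporting documents"},
]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key held only by the sender."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes
                 ) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Sender side. Returns (records to share, mapping table to retain).

    Direct identifiers (email, IP) are dropped from the shared records. The
    mapping table is what lets the sender, and only the sender, reverse the
    pseudonym; holding it is why the data stays personal in the sender's hands.
    """
    shared, mapping = [], {}
    for r in records:
        p = keyed_pseudonym(r["email"], key)
        mapping[p] = r["email"]
        shared.append({"pseudonym": p, "comment": r["comment"]})
    return shared, mapping


def reidentify(pseudonym: str, mapping: Dict[str, str]) -> Optional[str]:
    """Reversal needs the mapping table; with an empty table (the recipient's
    position) nothing is recovered."""
    return mapping.get(pseudonym)


def single_out(shared: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """What the recipient CAN still do: group comments by pseudonym, i.e. single
    out one individual's records without learning who the individual is."""
    groups: Dict[str, List[str]] = {}
    for r in shared:
        groups.setdefault(r["pseudonym"], []).append(r["comment"])
    return groups


def unkeyed_pseudonym(identifier: str) -> str:
    """A weak scheme shown for contrast: plain SHA-256 with no secret."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def brute_force_ipv4(digest: str, candidates: ipaddress.IPv4Network) -> Optional[str]:
    """Recipient-side attack on the weak scheme: hash every candidate address.
    IPv4 has only 2**32 values, so this is cheap; a /16 (65,536 addresses) is
    searched here. Against a keyed pseudonym the search finds nothing, because
    the key is unknown to the recipient."""
    for ip in candidates:
        if unkeyed_pseudonym(str(ip)) == digest:
            return str(ip)
    return None


def demo(key: bytes = b"sender-secret-key-kept-out-of-the-dataset") -> Dict[str, object]:
    """Run both sides and return the outcomes (the key is an assumed value)."""
    shared, mapping = pseudonymise(SAMPLE_RECORDS, key)
    alice = shared[0]["pseudonym"]
    net = ipaddress.ip_network("192.0.0.0/16")  # assumed candidate space
    return {
        "identifiers_removed": all("email" not in r and "ip" not in r for r in shared),
        "sender_reverses": reidentify(alice, mapping),
        "recipient_reverses": reidentify(alice, {}),
        "recipient_singles_out": len(single_out(shared)[alice]),
        "weak_ip_recovered": brute_force_ipv4(unkeyed_pseudonym("192.0.2.17"), net),
        "keyed_ip_recovered": brute_force_ipv4(keyed_pseudonym("192.0.2.17", key), net),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the secret is separated from the dataset: a keyed hash gives the sender a deterministic pseudonym it can reverse through its table, while a recipient without the key has no shortcut beyond the statistical or contextual inferences that the contractual and organisational measures discussed above are meant to prevent.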
Understanding the Bindl Case – so does an IP address constitute personal data?
In the Bindl case,[9] the European Commission (“EC”) was ordered to compensate the claimant for his “loss of control” over his personal data, which included his IP address. The ruling set a significant precedent for data privacy, but it also caused some confusion as to whether an IP address alone constitutes personal data.
It is important to note that the court did not hold that the mere transfer of an IP address inherently amounts to a transfer of personal data in the hands of any recipient.[10] Instead, whether an IP address is personal data depends on the recipient’s ability to reidentify the data subject, taking into account the legal means, costs, time and resources that reidentification would require (i.e. a context-specific analysis).
The court reaffirmed that purely hypothetical and indeterminate damage does not give rise to compensation. However, a loss of control over personal data is sufficient for a claim, leading to a partial ruling in favour of the claimant.
This case is significant as it is the first time an EU court has awarded compensation for non-material damage caused by a violation of international data transfer rules. The court found that the EC failed to provide appropriate safeguards for the data transfer, resulting in a “loss of control” over personal data for the claimant.
Further Analysis of the Bindl Case
The EC’s “Conference on the Future of Europe” website caused the claimant’s IP address and browser information to be sent to Amazon Web Services (AWS), via the Amazon CloudFront content delivery network, when he visited the site, and to Meta Platforms (Facebook) when he used the “Sign in with Facebook” option.[11] It seems the EC did not satisfy its obligations under Article 46 of Regulation (EU) 2018/1725 (the equivalent, for EU institutions, of Article 46 GDPR) to ensure adequacy or appropriate safeguards (in contracts) when integrating Facebook for authentication.[12]
- In relation to the “Conference on the Future of Europe” website and Facebook: Both had the legal means to link the authentication event to the IP address, making it personal data in their hands.
- Amazon’s CDN: For Amazon, the situation regarding IP addresses was different for two reasons:
- Direct Reason: The applicant did not prove that Amazon transferred any of his “personal data” to a server in the US other than as a result of his own technical settings, even though it was undisputed that the same IP address had been transmitted.[13]
- Subtle Reason: Amazon acted only as a processor and did not go beyond its “normal operation”.[14]
This subtle reason is why the IP address was an issue for the Facebook transfer, where Facebook acted as a controller, but not for the Amazon transfer, where Amazon acted as a processor. Following the reasoning in the SRB case, it was not proven that the exchange of an IP address was a transfer of the claimant’s personal data to any recipient with the legal means to reidentify the data subject, absent an authentication or reidentification process.[15] The mere risk of access to personal data by a third-party recipient does not amount to a transfer of personal data. This highlights the importance of proving that the recipient has the legal means to reidentify the data subject and that such reidentification would not require a disproportionate effort in terms of time, cost and manpower. Further, the burden of proof rests on the claimant to demonstrate that the conduct complained of was the determining cause of the damage suffered: the claimant must show that the unlawful data transfer directly resulted in the non-material damage claimed.
This reasoning underscores the need for a contextual analysis when determining whether an IP address constitutes personal data, and the importance of the applicant proving the causal link between the data transfer and any alleged damage. This mirrors the ICO’s “in-whose-hands” test for evidence-based risk analysis: “the same information can be personal data to one organisation, but anonymous information in the hands of another organisation. Its status depends greatly on its circumstances, both from your perspective and in the context of its disclosure…. It is not always possible to reduce identifiability risk to a level of zero, and data protection law does not require you to do so.”[16]
Key Takeaways:
- Recipient’s Ability to Reidentify: Only recipients who have the legal means to link the IP address to an individual’s identity (e.g. authentication services) are considered to have received personal data. Where a contract prohibits reidentification, or the recipient is merely a service provider, the transfer of an IP address may not constitute a transfer of personal data. Each case turns on its specific facts, including the risk of identification by “singling out” individuals, rather than merely internet-connected devices.
- Appropriate Safeguards: The court did not find that the mere transfer of an IP address is always personal data. Accordingly, Amazon received only technographic, not personal data. In contrast, it found that the EC did not have appropriate safeguards with its authentication service partner, who had the legal means as co-controller to reidentify the IP address.[17]
- Authentication Services: The fact that the claimant was already a Facebook user and chose to use this option for authentication does not alter whether the EC had appropriate safeguards with its authentication partners. It is foreseeable that with low cost, time, and manpower, the IP address could be linked to identity.
- Internal Documentation: If the EC had referenced internal documentation that it had appropriate safeguards and publicly promised on its website that its use of authentication services relied on such safeguards to prohibit onward use of identity-linked data beyond the initial authentication service, the court might have dismissed all claims.
Conclusion
It is crucial to understand that the Bindl decision clarifies that IP addresses are not always personal data. Instead, the decision highlights the need for appropriate safeguards, especially when B2B solution providers and authentication services are involved. The focus should be on the risk of harm and, where the data is to be treated as non-personal in the recipient’s hands, on the safeguards, such as de-identification and other organisational measures, that keep it that way.
Please see the following related Preiskel & Co blog posts:
- Important EU Court decision for publishers and AdTech suppliers
- Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK
- European Court reaffirms what ‘personal data’ means in new judgment
- Clarifying when Digital Identifiers should be considered Personal Data
Please contact Tim Cowen if you have any questions regarding the above.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.
[1] Bindl v European Commission (Case T-354/22) [2025] ECLI:EU:T:2025:4 (GC)
[2] European Data Protection Supervisor v Single Resolution Board (Case C-413/23 P) [2025] ECLI:EU:C:2025:59 (CJEU)
[3] Single Resolution Board v European Data Protection Supervisor (Case T-557/20) [2023] ECLI:EU:T:2023:219 (GC) and European Data Protection Supervisor v Single Resolution Board (Case C-413/23 P) [2025] ECLI:EU:C:2025:59 (CJEU)
[4] Patrick Breyer v Bundesrepublik Deutschland (Case C-582/14) [2016] ECLI:EU:C:2016:779 (CJEU)
[5] European Data Protection Supervisor v Single Resolution Board (Case C-413/23 P) [2025] ECLI:EU:C:2025:59 (CJEU)
[6] T-557/20 SRB v. EDPS (April 26 2023). EU General Court declared the exchange of de-identified emails to a recipient was not Personal Data in the hands of the recipient, even though in the hands of the sender the data was Personal Data and could be reidentified. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62020TJ0557
[7] Bindl v European Commission (Case T-354/22) [2025] ECLI:EU:T:2025:4 (GC), Paragraph 146.
[8] https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en, see paragraph 22
[9] Bindl v European Commission (Case T-354/22) [2025] ECLI:EU:T:2025:4 (GC)
[10] Ibid, paragraph 135.
[11] Ibid, paragraph 125.
[12] Ibid, paragraph 197.
[13] Ibid, paragraph 161.
[14] Ibid, paragraphs 33-35 and 157.
[15] Ibid, paragraphs 126 and 130.
[16] ICO, Draft Anonymisation, Pseudonymisation and Privacy Enhancing Technologies Guidance, Chapter 2: How do we ensure anonymisation is effective? (October 2021), pages 11-12 (emphasis added)
[17] See also ‘Op-Ed: Data protection damages without proof, courtesy of shortcuts in legal reasoning (Case T-354/22, Bindl)’ by Peter Craddock found here noting “Paragraph 191 of the judgment suggests that the Commission did not demonstrate anything in this respect: ‘the Commission has neither demonstrated nor claimed that there was an appropriate safeguard’.”