Relationship between the GDPR and ePrivacy
In its judgment of 13 November 2025 in Case C-654/23, the Court of Justice of the European Union addressed a dispute between a Romanian company operating a legal news website and the Romanian national data protection supervisory authority. The case concerned whether the operator was entitled to send a daily email newsletter to users with a free account without their explicit consent, relying on the “soft opt-in” exemption under the ePrivacy Directive, and without the need to rely on a separate legal basis under the GDPR.
The company argued that user registration constituted a form of sale of a service, which entitled it to send offers of similar services without requiring specific consent.
The Court of Justice agreed with the company and confirmed that, in the digital environment, the concept of a sale does not necessarily involve the exchange of money. Where a user registers in order to gain access to content that would otherwise be unavailable, a contractual relationship is formed with the company. The user’s email address is therefore obtained in connection with the sale of a product or service, as the sending of such an informational newsletter constitutes the use of electronic mail for the purposes of direct marketing of the controller’s own similar products or services.
Accordingly, the operator may rely on its entitlement to send unsolicited communications relating to its own similar products or services (the so-called soft opt-in) without obtaining separate consent, provided that customers are given a simple and free means to object. Where the specific conditions set out in Article 13(2) of Directive 2002/58/EC (the ePrivacy Directive), which acts as a lex specialis, are met, the general lawfulness requirements under Article 6(1) GDPR do not apply to such processing.
Definition of Pseudonymisation
In its judgment of 4 September 2025 in Case C-413/23 P, the Court of Justice of the European Union ruled in a dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (the “Board”) concerning the resolution of the Spanish bank Banco Popular. The core issue was whether pseudonymised comments submitted by shareholders and creditors of the bank remained personal data after being transferred to an external consultant, where that recipient had no reasonably available means of re-identifying the individuals concerned, and whether information obligations towards data subjects therefore applied in relation to that transfer.
In the case at hand, before transmitting the data to its external consultant, the Board replaced the names of the individuals concerned with numerical codes, i.e. carried out pseudonymisation, as a result of which the consultant was unable to identify the individuals.
The Court of Justice concluded that the pseudonymised comments transmitted to the external consultant did not constitute personal data for that recipient, provided that it had no reasonably available means of identifying the data subjects. However, the Court emphasised that the data remained personal data for the Board itself, as it held the re – identification key. The Board was therefore not required to comply with information obligations in relation to the mere transfer of the pseudonymised data to the consultant; nevertheless, its data protection obligations as the original controller were not affected, and it was required to inform data subjects about the transfer of personal data in accordance with Articles 13 and 14 GDPR.
Digital Legal Update 01/2026 here.