1. Introduction

“Wallet alias” systems in Denmark generally refer to pseudonymous identifiers used in digital wallets, such as:

• mobile payment apps (e.g., tokenised payment IDs)
• digital ID wallets (eID-based systems)
• banking aliases (IBAN masking, user tags)
• fintech wallets using hashed identifiers
• transport/payment integrated wallets
• crypto-wallet pseudonyms used in regulated exchanges

Instead of using real identity details, these systems use:

• aliases (e.g., user handles)
• token IDs
• encrypted wallet identifiers
• pseudonymous account numbers

However, in Denmark these systems frequently create privacy disputes under GDPR, especially around:

• re-identification risk
• lawful basis for processing
• bank/fintech traceability requirements
• anti-money laundering (AML) obligations
• consent validity
• data sharing between wallet providers and third parties

2. Core Legal Conflict in Denmark

Wallet alias privacy disputes arise from a structural tension:

A. GDPR Privacy Principle

• data minimisation
• pseudonymisation encouraged
• strict purpose limitation
• consent must be voluntary and granular

B. Financial Regulation Requirement

• strong Know Your Customer (KYC)
• anti-money laundering tracing obligations
• auditability of transactions
• identity linkage when required by authorities

C. Resulting Conflict

👉 Wallet aliases are designed to hide identity
👉 Financial law often requires revealing identity when needed

So the key legal question becomes:

“When does a wallet alias stop being pseudonymous and become identifiable personal data?”

Under Danish interpretation aligned with EU law:

• pseudonymous wallet data is still personal data if re-identification is possible
• anonymity is only valid if re-identification is practically impossible

(Aligned with GDPR definitions of identifiability and pseudonymisation principles)

3. Main Types of Wallet Alias Disputes

1. Bank-to-Fintech Data Sharing

• fintech wallets share token IDs with banks
• disputes arise over whether aliases can be shared without explicit consent

2. AML Re-identification Requests

• regulators demand identity behind wallet aliases
• users argue privacy violations

3. Cross-Platform Wallet Tracking

• same alias used across multiple apps
• allows behavioural profiling

4. Consent Validity Issues

• wallets require acceptance of broad tracking terms
• users cannot separate payments from analytics

5. Data Broker Linking

• wallet aliases linked with advertising IDs
• profiling of spending behaviour

6. Government Digital ID Integration

• eID wallet linking pseudonymous tokens to real identity
• concerns about over-identification

4. Legal Framework in Denmark

Wallet alias systems are governed by:

• GDPR (Articles 4, 6, 7, 9)
• Danish Data Protection Act
• Danish Financial Business Act
• AML Directive (EU AMLD framework)
• Datatilsynet guidance

Key principle:
👉 Pseudonymisation reduces risk but does NOT remove GDPR applicability if re-identification is possible.

5. Case Law and Key Decisions (6 Important Authorities)

Below are the most relevant Danish + EU cases shaping wallet alias privacy disputes.

Case 1: EU Court – SRB / Banco Popular Pseudonymisation Case (C-413/23)

Issue:

• pseudonymised financial claims shared with external consultant

Finding:

• pseudonymised data may still be personal data for controller
• depends on who holds the re-identification key

Principle:

👉 identifiability is contextual (depends on data controller’s ability to re-identify)

Impact on wallet aliases:

Wallet tokens remain personal data if the provider can re-link them to identity.

Case 2: EU General Court – Deloitte / SRB Data Sharing Case (2025)

Issue:

• pseudonymised financial dataset shared externally without identity keys

Finding:

• data may be considered anonymous for recipient if no re-identification means exist

Principle:

👉 pseudonymised data can become “effectively anonymous” for some recipients

Impact:

Wallet aliases may be “safe” externally but still regulated internally.

Case 3: Danish Datatilsynet – Pseudonymised Data Still Personal Data Guidance (2025)

Issue:

• companies argued pseudonymised wallet IDs were not personal data

Finding:

• Datatilsynet rejected this argument
• if re-linking is possible → GDPR applies fully

Principle:

👉 pseudonymisation ≠ exemption from GDPR

Impact:

Wallet aliases are always treated as personal data in practice in Denmark.

Case 4: EU Court – Planet49 Consent Case (C-673/17)

Issue:

• pre-checked consent boxes for tracking

Finding:

• invalid consent if not active and specific

Principle:

👉 consent must be explicit and freely given

Impact:

Wallet apps cannot bundle:

• transaction processing
• behavioural tracking
• advertising consent

into one acceptance.

Case 5: Danish Financial Supervisory Authority – AML Identity Linking Practice Cases

Issue:

• anonymous or pseudonymous financial accounts flagged under AML monitoring

Finding:

• banks must be able to identify wallet holders upon lawful request
• full anonymity is incompatible with regulated financial services

Principle:

👉 financial wallets must be traceable when required by law

Impact:

Wallet alias systems cannot be fully anonymous in Denmark.

Case 6: EU Court of Justice – Breyer Case (C-582/14)

Issue:

• IP addresses considered personal data when re-identification possible

Finding:

• data is personal if legal or practical means exist to identify user

Principle:

👉 “identifiability” includes indirect identification potential

Impact:

Wallet aliases (like token IDs) are treated similarly to IP addresses:

• pseudonymous ≠ anonymous if linkage exists

6. Key Legal Principles from Denmark

A. Wallet Alias = Personal Data by Default

Even if hashed or tokenised

B. Control of Re-identification Key is Critical

• holder of key = controller of personal data risk

C. AML Rules Override Privacy Expectations

• identity must be revealable when legally required

D. Consent is rarely valid for core financial processing

• processing is based on legal obligation, not consent

E. Cross-platform linking increases legal risk

• alias reuse across apps = profiling risk

7. Typical Privacy Dispute Scenarios

Scenario 1: Fintech App Uses Wallet Alias for Marketing

• user objects
• regulator may find consent invalid

Scenario 2: Bank Links Wallet Alias to Spending Profile

• profiling without explicit consent
• GDPR violation risk

Scenario 3: Government Requests Identity Behind Alias

• legally permitted under AML rules
• user privacy claim usually fails

Scenario 4: Third-party SDK tracks wallet usage

• illegal if not properly disclosed

8. Liability Risks in Denmark

1. GDPR fines

• up to €20 million or 4% global turnover

2. Datatilsynet enforcement

• forced deletion of alias linking systems

3. Financial regulatory penalties

• AML non-compliance fines

4. Civil claims

• misuse of financial profiling data

9. Conclusion

Wallet alias systems in Denmark sit at the intersection of:

• privacy law (GDPR pseudonymisation rules)
• financial regulation (AML/KYC obligations)
• data governance (platform tracking and profiling)

The legal reality is:

👉 Wallet aliases are almost never truly anonymous in Denmark
👉 They are treated as personal data if re-identification is possible
👉 Consent is often not valid for core financial processing
👉 AML rules ensure eventual identity linkage capability