In its judgment, the Court of Justice of the European Union clarifies that the obligation to inform about data transfers must be assessed from the controller's perspective at the time of data collection. While pseudonymised data does not automatically remain personal data for every recipient, this cannot circumvent the original transparency obligation towards the data subjects. Personal opinions are fundamentally to be considered personal data.
1. Introduction and Background of the Case
The core of the legal dispute is whether pseudonymised data, transferred by an EU authority to an external service provider, are to be considered "personal data" within the meaning of Regulation (EU) 2018/1725 (which is equivalent to the GDPR for EU institutions).
The case arose following the resolution of the Spanish bank Banco Popular Español by the Single Resolution Board (SRB). Subsequently, the SRB initiated a procedure to grant former shareholders and creditors the right to be heard before deciding on potential compensation. In this process, the SRB collected comments from the affected parties. For the evaluation of some of these comments, the SRB engaged the consulting firm Deloitte.
The SRB transferred 1,104 comments to Deloitte after having pseudonymised them: each comment was tagged with a unique alphanumeric code, but all directly identifying information was removed. Only the SRB held the "additional information" (the key) to re-link the codes to specific individuals.
Several affected individuals then filed complaints with the European Data Protection Supervisor (EDPS), as they had not been informed in the SRB's privacy statement that their data would be shared with Deloitte—a potential breach of the information obligation under Article 15(1)(d) of Regulation 2018/1725.
2. The decisions leading up to the verdict
a) Decision of the EDPS: The EDPS concluded that the data transferred to Deloitte were pseudonymised data and therefore personal data. He argued that the data were not anonymous because the SRB still had the ability to re-identify the individuals. Consequently, Deloitte was a "recipient" of personal data. Since the SRB had not named Deloitte in its privacy statement, the EDPS found a breach of the information obligation.
b) Judgment of the General Court (GC): The SRB challenged the EDPS's decision before the GC and was successful. The GC annulled the EDPS's decision, citing two key legal errors: 1. Lack of assessment of the "relates to" criterion: The GC ruled that the EDPS should have examined whether the information was linked to a person by its content, purpose, or effect. 2. Wrong perspective on identifiability: The GC held that the question of whether data is "identifiable" must be assessed from the perspective of the recipient (Deloitte).
3. The Judgment of the Court of Justice of the European Union (CJEU)
The CJEU set aside the GC's judgment and corrected its legal interpretation on crucial points.
a) On the "relates to" criterion: The CJEU clearly disagreed with the GC. It stated that personal opinions or views, as an expression of a person's thoughts, are necessarily closely linked to that person.
b) On the nature of pseudonymised data: The CJEU confirmed that "personal" is not an absolute characteristic of data. The same pseudonymised data can be considered non-personal for the recipient who does not have the key, while remaining personal for the sender.
c) On the relevant perspective for the information obligation: This is the central point of the judgment. For the obligation to inform data subjects about recipients of their data, identifiability must be assessed at the time of data collection and from the perspective of the controller (here: the SRB). The duty of transparency arises before the data is processed or pseudonymised.
4. Implications and Significance of the Decision
The CJEU's judgment has far-reaching consequences for the handling of pseudonymised data under the GDPR.
- Strengthening the duty of transparency: Controllers cannot evade their information obligations by arguing that the data are no longer personal for the recipient after transfer. The status of the data at the time of collection is decisive.
- Clarification on personal opinions: The CJEU provides legal clarity by stating that personal opinions inherently "relate to" a person.
- Confirmation of the relative concept of data: At the same time, the judgment confirms that "personal" is not an absolute quality. The data protection obligations (aside from the initial information obligation) can thus differ for the sender and the recipient.
Outcome: The CJEU set aside the judgment of the General Court. As the General Court had not examined all pleas in law, the case was referred back to it for a new decision.
