In its recent judgement, the Court of Justice of the European Union (CJEU) examined three crucial aspects of the EU data protection legal framework: (i) whether an individual’s opinions can constitute personal data, (ii) whether pseudonymised data transmitted to a third party may still qualify as personal data, and (iii) the scope of a controller’s obligation to inform data subjects about recipients at the time of data collection. In this article, we summarize the most important points of the judgement.

ILF’s Hungarian member, Smartlegal Schmidt&Partners, summarizes this issue in the article.

Background and Procedural History

  1. The Banco Popular Resolution

In June 2017, the Single Resolution Board (SRB) resolved Banco Popular Español under the Single Resolution Mechanism Regulation. To assess whether affected shareholders and creditors would have been better off under ordinary insolvency proceedings, the SRB commissioned an independent valuation from Deloitte.

In this context, the SRB launched a “right to be heard” process. During the registration phase the participants provided identification documents and proof of shareholdings. During the consultation phase, they submitted comments on the draft decision.

The SRB transferred the comments to Deloitte after pseudonymisation. Specifically, the SRB separated the identifying registration data from the consultation comments, assigning each comment a 33-digit alphanumeric code. Only the aggregated, coded comments – without the underlying registration data – were shared with Deloitte.

  2. Proceedings before the EDPS and the General Court

Several affected individuals then filed complaints with the European Data Protection Supervisor (EDPS), alleging that the SRB breached the information obligation under the EUDPR[i] by failing to disclose in its privacy notice that comments – even in pseudonymised form – would be transmitted to Deloitte.

The EDPS reprimanded the SRB, holding that the comments constituted pseudonymised personal data and that Deloitte was a “recipient” that should have been named in the SRB’s information notice.

The SRB challenged the EDPS’s decision before the General Court, which annulled the revised decision, finding the EDPS had erred in classifying the information as “personal data”.

It reasoned that the EDPS should have examined whether the information was linked to a person by its content, purpose, or effect, that the question of whether data is “identifiable” must be assessed from the perspective of the recipient, and that Deloitte would not have been able to identify the affected individuals.

The EDPS appealed to the CJEU, with the European Data Protection Board allowed to intervene in support of the EDPS.

The judgement of the CJEU

The CJEU set aside the judgment of the General Court and corrected its legal interpretation on three crucial points.

  1. Opinions and comments as personal data

The Court recalled that any information relating to an identifiable person, including opinions or comments, is necessarily closely linked to that person and can be personal data.

The CJEU referred to its earlier case of Nowak, in which it concluded that information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person.

Based on the above, the General Court erred when it stated that the EDPS should have examined whether the information contained in the comments transmitted to Deloitte was linked to a person by its content, purpose, or effect, since it was common ground that they expressed the personal opinion or view of their authors.

  2. The nature of pseudonymised data

The CJEU stated that the nature of the data must be assessed in context, considering whether the recipient has access to the means of re-identification.

This aligns with the recitals of the EUDPR, which state that personal data which have undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.

Therefore, the same pseudonymised data can be considered non-personal for the recipient who does not have the key, while remaining personal for the sender.

  3. The obligation to inform

The CJEU clarified that the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller.

It stated that the obligation to provide information[ii] is part of the legal relationship between the data subject and the controller and, therefore, it concerns the information in relation to that data subject as it was transmitted to that controller, thus before any potential transfer to a third party.

Therefore, the SRB’s obligation to provide information was applicable in the present case prior to the transfer of the data at issue and irrespective of whether or not those data were personal data, from Deloitte’s point of view, after any potential pseudonymisation.

Key Implications and Takeaways

  1. Strict information obligations

Controllers collecting data must disclose all potential recipients—or categories of recipients—from the outset, even if the recipients will only process anonymised or pseudonymised data.

  2. Perspective and timing matter

Identifiability must be assessed at the time of collection, from the controller’s point of view—not from the standpoint of a later recipient.

  3. Clarification on personal opinions

Personal opinions and comments inherently “relate to” their authors and therefore qualify as personal data.

  4. Two-faced pseudonymised data

Pseudonymisation does not remove data from the scope of protection. The same pseudonymised data can be considered personal for the controller and non-personal for the recipient.

In this article, we analysed the judgement C‑413/23 of the CJEU.

Written by dr. Agnes Bartus

SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at smartlegal.hu

[i] Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC

[ii] Article 15(1)(d) of the EUDPR