
Pseudonymized data might not be personal data if the recipient has no means of re-identifying the data subject

Summary

As a part of a creditor hearing concerning the resolution of a bank, the public authority known as the Single Resolution Board (SRB) sought comments from individuals through an electronic form. To streamline the process, SRB outsourced a part of the work to a third-party private entity, Deloitte. Before the transfer to Deloitte, SRB ensured that Deloitte had no means of re-identifying the data subjects by dividing the workflow into different phases. In the first phase, the SRB replaced the names in the forms with a 33-digit alphanumeric code and filtered, categorized, and aggregated all comments so that commenters could not be distinguished. SRB then entered the second phase, which involved a transfer to Deloitte. The data was placed on a virtual server separated from the data gathered in the registration phase, to which only directly involved Deloitte employees were granted access.

The alphanumeric code was developed for audit purposes to verify and, if necessary, to demonstrate that each comment had been handled and duly considered in the hearing process.

Five complaints were issued to the European Data Protection Supervisor (EDPS), arguing that SRB did not fulfill its obligations to inform the data subjects on the transfer, as the SRB privacy policy did not mention any such transfer.

The EDPS decided that SRB did not fulfill its obligations regarding the transfer of personal data to the data subjects, as the data in question was pseudonymized personal data, and SRB retained the necessary information to decode the data. On the other hand, SRB claimed that the assessment of whether the data transmitted to Deloitte constituted personal data relied on a ‘risk of re-identification’. In this regard, SRB argued that Deloitte did not have any lawful means of accessing the information required for re-identification, making the risk of re-identification reasonably unlikely.

The decision of the Court of Justice of the European Union (CJEU)

The Court decision did not examine whether the answers to the questions themselves could be considered as personal data. The Court emphasized that the classification of personal opinions as personal data should not be automatic and must be contingent upon specific circumstances. These include evaluating the content, purpose, and effect of the opinion to determine whether it can be attributed to an identifiable individual. The Court limited its examination to whether the information transmitted to Deloitte was personal data.

The Court annulled the EDPS’ decision based on the following arguments:

• The EDPS should have assessed whether the comments constituted personal data from Deloitte’s perspective, stating that merely examining whether it was possible to re-identify the authors of the comments from the SRB’s perspective was insufficient.
• The CJEU stated that the EDPS should instead have determined whether the possibility of combining the information that had been transmitted to the third party with the additional information held by the SRB constituted a means likely to be used by the third party to identify the authors of the comments.

Published: 26-04-23
Journal number: T-557/20
Tags: 07 Scope of the GDPR

Complycloud EU GDPR Report