01/06/2023 - Following a recent ruling by the European General Court, the definition of personal data has been further clarified, specifically regarding the question of when data should or should not be considered personal data. In this case, the Court determined that data are not personal data when they are transmitted to a recipient who does not have the means to re-identify the individuals and when there are no legal means to access this information. As a result, the transmitted data can be considered anonymous and are no longer classified as personal data. Additionally, the Court emphasizes in its ruling that not all opinions of an individual should be regarded as personal data; whether this is the case should be assessed on a case-by-case basis.
In the case at hand, involving affected shareholders and creditors ("data subjects") against the Single Resolution Board (‘SRB’) ("data sender"), the Court rejects the decision of the European Data Protection Supervisor (‘EDPS’). The facts of the case are as follows: the data sender, SRB, collected data to identify the data subjects and stored this information in a database. Subsequently, SRB sent an electronic form to all data subjects to allow them to express their views. The form consisted of seven questions with limited space for answers. The responses to this form were shared with a consulting firm, Deloitte, which would analyze the answers. Before doing so, the names of the respondents were replaced with randomly generated codes consisting of 33 digits. These codes were developed for control purposes and to later verify if all comments had been considered. The forms were shared with Deloitte by uploading them to a secure virtual data server accessible to only a limited number of Deloitte employees.
The data subjects discovered that SRB had shared the forms with Deloitte and considered this to be a violation of Article 13 of the General Data Protection Regulation (‘GDPR’) as SRB had not informed them about this sharing. However, SRB argued that the shared forms contained anonymous data and, therefore, it was not necessary to inform the data subjects in their privacy statement about the sharing of this data with Deloitte. Deloitte never had access to the database where the data subjects' information was stored, and therefore, the data subjects could not be re-identified.
The EDPS ruled that the case involved pseudonymized data and that, in this regard, it did not matter that Deloitte did not have access to the database. According to the EDPS, SRB should have informed the data subjects. The Court dismissed this argument and aligned with the conclusions of the Breyer case, stating that the perspective of the recipient should be considered when determining whether data transmitted to a recipient should be considered to be personal data. The Court ruled that the EDPS should put itself in Deloitte's position to determine whether the information provided to them relates to "identifiable individuals." Since Deloitte did not have access to the database and the EDPS did not investigate whether Deloitte had legal means to access additional information, the Court concluded that Deloitte could not re-identify the data subjects. The fact that SRB, as the sender, had access to this information is deemed irrelevant by the Court and does not automatically qualify the transmitted data as personal data.
Regarding an individual's opinion, the Court stated that it should be assessed on a case-by-case basis whether a viewpoint qualifies as personal data based on "whether the research or viewpoint is related to a specific person." Since the EDPS did not conduct such an assessment, it cannot be concluded that the information provided to Deloitte related to a natural person.
Are you curious whether your organization processes data that qualifies as personal data? Or do you want to know whether your privacy statement meets all GDPR requirements? We have extensive experience assisting organizations of all shapes and sizes with satisfying their GDPR obligations.