EU General Court Considers Scope Of Concept Of Personal Data

• Published date: 02 August 2023
• Subject Matter: Privacy, Data Protection
• Law Firm: Matheson
• Author: Ms Davinia Brennan

The European General Court ("EGC") recently delivered a decision in case T-557/20, finding that the perspective of the data recipient is decisive when examining whether data that are transmitted to that recipient are to be regarded as pseudonymised data or anonymised data. The distinction is important as pseudonymised data constitutes "personal data" within the meaning of the GDPR, whilst anonymised data falls outside the scope of the GDPR. It remains to be seen whether the decision will be appealed to the Court of Justice of the European Union ("CJEU").

Background

Under the GDPR, "personal data" is defined in Article 4(1) as "any information relation to an identified or identifiable natural person". Recital 26 GDPR further states: "To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly." Article 3(1) and Recital 16 of Regulation 2018/1725, respectively, contain equivalent provisions, which are applicable to EU institutions and bodies when they process personal data.

Whilst pseudonymised data is deemed to be personal data to the extent that it can be linked back to a particular person, anonymised data falls outside the scope of the GDPR as it no longer allows a data subject to be re-identified. An important issue arose in this case as to when personal data may be considered to have been truly anonymised.

The Facts

The EU's Single Resolution Board ("SRB"), which ensures the restructuring of failing banks to minimise economic harm, conducted a hearing of creditors and shareholders of a Spanish bank in the context of the bank's resolution. SRB passed on the comments received to a consultancy firm, which it engaged to provide a valuation about whether shareholders and creditors would have received better treatment if the Spanish bank had entered into normal insolvency. When sharing the comments with the consultancy firm, SRB replaced the names of the respondents with alphanumeric codes.

Some of the respondents lodged complaints with the European Data Protection Supervisor ("EDPS"). The EDPS supervises processing of personal data by EU bodies, such as the SRB under EU Regulation 2018/1725, which contains similar provisions as the GDPR. The respondents argued that SRB had breached EU Regulation 2018/1725, by not informing them that their personal data (in the form of...