GC - T-557/20 - SRB v. EDPS

From GDPRhub
Revision as of 15:12, 8 May 2023 by 84.113.103.211 (talk)
CJEU - Case T-557/20 SRB v. EDPS
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 3(1) Regulation (EU) 2018/1725
Decided: 26.04.2023
Parties: European Data Protection Supervisor (EDPS)
Single Resolution Board (SRB)
Case Number/Name: Case T-557/20 SRB v. EDPS
European Case Law Identifier:
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


The General Court ordered a decision by the EDPS to be annulled where the EDPS had concluded that information accompanied with alphanumeric codes transmitted to a third party constituted personal data.

English Summary

Facts

Following its decision concerning a resolution scheme, the controller Single Resolution Board (SRB) invited affected shareholders and creditors to express their interest to be heard in the process through an online form. The affected shareholders and creditors had to submit supporting documentation to SRB, including proof of identity and ownership (registration phase).

The eligible shareholders and creditors submitted their comments to SRB (consultation phase). The comments were examined by SRB and a third party. SRB had a privacy statement on its website which did not mention the third party in question as a recipient of the personal data from the consultation phase.

The comments submitted in the consultation phase were assigned with an alphanumeric code. Some of these comments were transmitted to the third party as well as the alphanumeric codes assigned to each transmitted comment.

EDPS received five (5) complaints from some of the shareholders and creditors who submitted comments during the consultation phase (complainants). The complainants argued that SRB had not informed them about the fact that their comments collected through the online form would be transmitted to a third party. In its original decision, EDPS found that SRB had infringed Article 15(1)(d) of the Regulation 2018/1725 on processing of personal data by the EU institutions, bodies, offices and agencies (the Regulation) because it did not inform the complainants about the disclosure of their personal data to a third party.

SRB argued that the information transmitted to the third party did not constitute personal data and requested EDPS to review its original decision.

In its revised decision, EDPS upheld its decision that SRB had infringed the obligation to inform about the recipients of personal data. Furthermore, the EDPS decided that (1) the disclosed data constituted pseudonymous data (i.e. personal data) because SRB had also shared the alphanumeric codes with the third party – even if the third party had not receive additional information necessary to identify the authors of the comments (data subjects), and that (2) the third party was a recipient pursuant to Article 3(13) of the Regulation.

SRB seeked for an annulment of the EDPS’s decision before the European General Court.

Holding

The General Court agreed with EDPS that the fact that the third party did not have the additional information necessary to identify the authors of the comments, does not alone exclude that the information transmitted would not constitute personal data.

However, the General Court , by citing Case C-582/14 Beyer, considered that it is necessary to make the assessment from the view of the third party in question, in order to determine wheter the information transmitted relates to “identifiable persons” in order to determine wheter the information constituted personal data.

The General Court viewed that EDPS was wrong to assess the question from the controller’s view and not from the third party’s view who received the information. EDPS should have determined wheter the possibility of combining the information that had been transmitted to the third party with additional information held by the controller constituted “means likely reasonable” to be used by the third party for identifying the data subjects.

Eventually, the General Court ruled that EDPS had not investigated wheter the third party had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the data subjects. Therefore, EDPS could have not conclude that the information transmitted to the third party constituted personal data within the meaning of Article 3(1) of the Regulation.

The General Court decided that EDPS’s revised decision must be annulled, and so the controller was successful in its appeal.

Comment

Article 3(1) of the Regulation (EU) 2018/1725 corresponds to Article 4(1) GDPR which defines 'personal data'.

It should be highlighted, that in its holding, the General Court did not decide on wheter the information transmitted indeed was personal data or not. The court merely decided that EDPS had not initially conducted a proper investigation on the question, wheter the third party in question had legal means available to it which could, in practice, enable it to access the additional information necessary to re-identify the data subjects.

Further Resources

Share blogs or news articles here!