CJEU - Case T-557/20 - SRB v. EDPS

From GDPRhub
CJEU - Case T-557/20 SRB v. EDPS
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 3(1) Regulation (EU) 2018/1725
Decided: 26.04.2023
Parties: European Data Protection Supervisor (EDPS)
Single Resolution Board (SRB)
Case Number/Name: Case T-557/20 SRB v. EDPS
European Case Law Identifier:
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

The European General Court ordered for an EDPS decision to be annulled where it was decided that information transmitted to a third party together with alphanumeric codes constituted personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

Following its decision concerning a resolution scheme, a controller (the Single Resolution Board or SRB) invited affected shareholders and creditors (the data subjects) to express their interest to be heard through an online form. In order to be heard, the shareholders and creditors had to submit supporting documentation to SRB, including proof of identity and ownership (the registration phase).

The identified shareholders and creditors submitted their comments to SRB (the consultation phase). These comments were examined by SRB and by a third party. SRB had published a privacy statement on its website, but it did not mention the third party as a recipient of the personal data collected in this consultation phase. Comments submitted by the shareholders and creditors were each assigned with an alphanumeric code. Some comments were transmitted to the third party with the alphanumeric code associated to the comment.

The EDPS received five (5) complaints from shareholders and creditors who had submitted comments (the complainants). The complainants' argued that SRB had not informed them about the fact that their comments collected in the consultation phase would be transmitted to a third party.

In its original decision, the EDPS found that SRB had infringed Article 15(1)(d) of the Regulation 2018/1725 (the Regulation) because it had not informed the complainants about the disclosure of their personal data to the third party in question. SRB argued that the information that was transmitted to the third party did not constitute personal data and requested the EDPS to revise its original decision.

In its revised decision, the EDPS upheld its view of SRB infringing its obligation to inform the data subjects about the recipients of their personal data. Furthermore, the EDPS specified that (1) the disclosed data constituted pseudonymous data (i.e. personal data) because SRB had also shared the alphanumeric codes with the third party – notwithstanding the fact that the third party had not receive additional information necessary to identify the the data subjects, and that (2) the third party is a recipient pursuant to Article 3(13) of the Regulation.

SRB seeked for an annulment of the EDPS’s decision before the European General Court.

Holding[edit | edit source]

The General Court agreed with the EDPS that the fact that the third party did not have the additional information necessary to identify the authors of the comments, does not alone exclude that the information transmitted would not constitute personal data.

However, the General Court , by citing Case C-582/14 Breyer, considered it is necessary to make the assessment from the view of the third party receiving the information in order to determine whether the information transmitted constituted personal data.

The General Court viewed that the EDPS was wrong to assess the question from the controller’s (SRB) view and not from the third party’s view who received the information in question. The EDPS should have determined whether the possibility of combining the information that had been transmitted to the third party with additional information held by the controller constituted “means likely reasonable” to be used by the third party for identifying the data subjects.

Eventually, the General Court ruled that the EDPS had not appropriately investigated whether the third party had legal means available to it which could, in practice, enable it to access the additional information necessary to re-identify the data subjects. Therefore, the General Court viewed that the EDPS could not conclude that the information transmitted to the third party constituted personal data within the meaning of Article 3(1) of the Regulation. The General Court ordered that the EDPS’s revised decision must be annulled, and so the controller was successful in its appeal.

Comment[edit | edit source]

Article 3(1) of the Regulation (EU) 2018/1725 corresponds to Article 4(1) GDPR which defines 'personal data'.

It should be highlighted, that in its holding, the General Court did not decide on whether the information transmitted indeed was personal data or not. The court merely decided that the EDPS had not initially conducted a proper investigation on the question, whether the third party in question had legal means available to it which could, in practice, enable it to access the additional information necessary to re-identify the data subjects.

Further Resources[edit | edit source]

Share blogs or news articles here!