Court of Justice clarifies the scope of the concept of personal data in the context of a transfer of pseudonymised data to third parties

Court of Justice clarifies the scope of the concept of personal data in the context of a transfer of pseudonymised data to third parties

 

04 September 2025

The European Court of Justice set aside the judgment of the General Court which had annulled the decision of the European Data Protection Supervisor.

Following the resolution of Banco Popular Español, on 7 June 2017, the Single Resolution Board (SRB) adopted a preliminary decision on whether or not it was necessary to grant compensation to the former shareholders and creditors of that bank as a result of that resolution. Since that decision was adopted without hearing those persons, the SRB subsequently organised a procedure to enable them to submit comments on that preliminary decision. In the context of that procedure, the SRB transferred some of those comments, in the form of pseudonymised data, to Deloitte, an auditing and advisory company tasked by the SRB with carrying out a valuation of the effects of the resolution procedure on shareholders and creditors.

A number of affected shareholders and creditors submitted complaints to the European Data Protection Supervisor (EDPS) on the grounds that the SRB had not informed them that data relating to them would be transmitted to third parties, namely Deloitte. The EDPS found that, in the present case, Deloitte was a recipient of the complainants’ personal data. In addition, he found that the SRB had infringed the obligation to provide information laid down in Regulation 2018/1725. The SRB then brought an action for annulment of the EDPS’s decision before the General Court of the European Union. The General Court upheld that action in part and annulled the decision in question.

Hearing an appeal brought by the EDPS, the Court of Justice has set aside the judgment of the General Court and referred the case back to it. The Court of Justice has found, in the first place, that the General Court erred in law in holding that the EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte ‘related’, within the meaning of Regulation 2018/1725, to the persons who submitted those comments, should have examined the content, purpose or effects of those comments, whereas it was common ground that they expressed the personal opinion or point of view of their authors. According to the Court of Justice, the General Court’s interpretation misconstrues the particular nature of personal opinions or views which, as an expression of a person’s thinking, are necessarily closely linked to that person.

Accordingly, the Court of Justice has found that the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller. The SRB’s obligation to provide information was applicable prior to the transfer of the data at issue and irrespective of whether or not those data were personal data, from Deloitte’s point of view, after any potential pseudonymisation.

Read more in detail here.