The Court held that when considering transmitted pseudonymized data, it is necessary to consider the recipient’s ability to re-identify the data subjects. Where the data are shared with a third party in a form that no longer allows re-identification, or where re-identification is not reasonably likely, such data should not be considered to amount to personal data from the recipient’s perspective.
The SRB, the central resolution authority within the Banking Union, had placed Banco Popular Español under resolution. In a preliminary decision, the SRB stated that, in order to take its final decision on whether the shareholders and creditors affected by the resolution should be granted compensation in accordance with Article 76(1)(e) of Regulation No 806/2014, it was inviting them to express their interest in exercising their right to be heard pursuant to Article 41(2)(a) of the Charter of Fundamental Rights of the EU.
The data collection for this right to be heard took place in two phases. The first was a registration phase, in which the affected shareholders and creditors were invited to express their interest in exercising their right to be heard, using an online registration form.
As part of the registration phase the affected shareholders and creditors wishing to exercise their right to be heard had to provide the SRB with supporting documentation, proving that, on the resolution date, they owned one or more of the capital instruments of Banco Popular that were written down or converted and transferred to Banco Santander.
In the second phase, the affected parties whose status had been verified by the SRB were able to submit their comments on the preliminary decision, to which a valuation, Valuation 3, was annexed. The SRB appointed Deloitte as an independent valuer to assess the relevant comments relating to Valuation 3, to provide it with a document containing its assessment, and to examine whether Valuation 3 remained valid in the light of the comments received. In doing so, it transmitted certain data to Deloitte, together with a correlated alphanumeric code.
Five complaints were raised by certain shareholders and creditors, to the effect that the SRB had failed to inform them that the data collected through the responses on the forms (containing their views) would be transmitted to third parties, in breach of the SRB privacy statement, as this amounted to a transmission of personal data that was not correctly disclosed.
Following these complaints, the EDPS had decided that the SRB had shared data that were pseudonymized, but nonetheless personal, with Deloitte without informing the affected individuals of such data sharing.
Before the Court, the SRB argued that providing the relevant information to the data subjects was not required because the data transmitted were anonymized and therefore could not be considered to amount to personal data for the recipient, notwithstanding the transmitted correlated alphanumeric code.
In delivering its judgement, the Court made extensive reference to the notable 2016 Breyer judgement (C-582/14), where the Court of Justice had interpreted the concept of personal data (at the time, before the GDPR) in the context of whether a dynamic internet protocol address constituted personal data vis-à-vis the online media services provider which had registered it.
In Breyer, the Court of Justice had held that it was necessary to ascertain whether that IP address could be treated as information relating to an ‘identifiable natural person’, taking into account, first, that it did not, in itself, give that service provider the possibility to identify the user who had consulted that website and, second, the fact that the necessary additional information which, if combined with the IP address, would enable the user to be identified, was held by the internet service provider.
The Court of Justice had noted that the references to the “means likely reasonably to be used” by both the controller and by “any other person” suggest that, for information to be treated as personal data, it is not required that all the information enabling the identification of the data subject be in the hands of one person. The fact that the additional information necessary to identify the user of a website was not held by the online media services provider, but by that user’s ISP, did not appear to exclude the possibility that dynamic IP addresses registered by the online media services provider constituted personal data for that provider.
Nevertheless, the Court of Justice had held that it must be determined whether the possibility to combine a dynamic IP address with the additional information held by the ISP constituted a means likely reasonably to be used to identify a data subject.
In the present case, it was not disputed that the alphanumeric code appearing on the information transmitted to Deloitte did not, in itself, allow the authors of the comments to be identified. It was also not disputed that Deloitte did not have access to the identification data during the registration phase that would have allowed the participants to be linked to their comments by virtue of the alphanumeric code. The dispute revolved around whether the data including comments and alphanumeric code transmitted to Deloitte constituted personal data.
In delivering its judgement, the Court ruled in favour of the SRB and made two key rulings: