Written by: Haim Ravia, Dotan Hammer
The Court of Justice of the European Union (CJEU), in its judgment of an appeal brought by the European Data Protection Supervisor (EDPS), considered whether public comments and unique alphanumeric codes constituted personal data.
The issue was reviewed under the regulation governing the processing of personal data by EU institutions, which is the equivalent of the GDPR that applies to EU bodies and agencies. The question was whether the pseudonymized data that the Single Resolution Board (SRB), a regulatory agency in the EU, transmitted to the third party, Deloitte, constituted personal data.
With respect to the criterion that the data “relate” to a person, the CEJU held that when information expresses the personal opinions or views of the authors (such as the comments submitted during the right to be heard process), it is necessarily closely linked to that person.
Regarding the question of whether the data was “identifiable,” the CJEU made a crucial distinction based on perspective. Although data that has undergone pseudonymization by SRB as the controller it may not be personal data for a recipient entity like Deloitte, if it is unable to identify the data subject. Therefore, the data could be considered non-personal from Deloitte’s perspective. However, the status of the data from Deloitte’s perspective is not relevant for assessing the SRB’s core obligation of transparency to data subjects.
The Court ruled that for the purpose of the controller’s (SRB’s) duty to provide information to data subjects about potential recipients, at the time of collection, the identifiable nature of the data subject must be assessed from the point of view of the controller (the SRB). Since the SRB possessed all the necessary additional information to link the unique alphanumeric codes to the authors’ identification data, the information constituted personal data for the SRB, and the SRB’s duty to inform the data subject applies.
Click here to read the CJEU’s decision in Case C‑413/23 P European Data Protection Supervisor (EDPS) v. Single Resolution Board (SRB) (September 4, 2025)
