Transparency remains mandatory, even when transferring pseudonymised personal data

This case concerned the resolution of a Spanish bank. In that context, the Single Resolution Board (SRB), the central resolution authority in the banking sector, collected responses from shareholders and creditors via an online form. Before sending these responses to Deloitte for analysis, the SRB pseudonymised them by replacing names with codes. Only the SRB had the key to trace these codes back to the specific individuals who had submitted the responses. Deloitte did not have this key.

Several of the data subjects turned to the European Data Protection Supervisor (EDPS), because they had not been informed by the SRB about the transfer of their personal data to Deloitte.

The Court highlights three important points:

1. A personal opinion is personal data
   The Court confirms that opinions or views, as expressions of someone’s thoughts, are inextricably linked to the person expressing them. As soon as the collecting party can identify the author, the opinion or view is personal data.
2. The concept of ‘personal data’ is contextual
   Whether data qualify as personal data depends on the means available to a specific party. For Deloitte, the data may have been anonymous, but for the SRB they remained personal data, since it had the key.
3. The duty to inform rests with the data controller
   The obligation to inform data subjects arises at the moment of data collection. Because the SRB could trace the data, it should have informed the data subjects at that time about the transfer to Deloitte, regardless of whether Deloitte could identify the individuals.

For organisations that collect and share personal data with third parties, this judgment is a wake-up call to thoroughly review their privacy policy:

• Transparency is not optional
  Even if you pseudonymise personal data before providing it to third parties, you must inform data subjects about this transfer. This must be explicitly stated in your privacy notice.
• Pseudonymisation is not a free pass
  The fact that the recipient of the personal data does not have access to the key does not release you from your obligations. For you, the data remain personal data as long as you have the ability to re-identify them.
• Context determines qualification, but not responsibility
  The legal qualification of personal data may be context-dependent, but your obligations as a data controller are not. When processing personal data, the obligations under the GDPR apply.

The judgment leaves room for data sharing but draws a clear line: the duty to inform cannot be undermined by applying pseudonymisation measures. For businesses, this means that a robust and clear privacy policy remains essential, even when personal data are pseudonymised.

Our IT, Privacy & Cybersecurity section assists companies daily with these kinds of issues. With our extensive experience, we ensure that your organisation complies with the GDPR and that your privacy policy is solid and future-proof.
Do you have questions or would you like to discuss what this judgment means for your company? Feel free to contact contact Hieke van Druten. 

Would you like a monthly overview of updates and blogs in your inbox? Then sign up for our newsletter!