The Court of Justice of the EU has overturned a judgment by the General Court of the European Union on the anonymisation of personal data and its transfer to a third party, and has clarified the definition of personal data in this specific case, in a judgment (case C-413/23 P) handed down on Thursday 4 September.
In a judgment in April 2023, the General Court of the EU had overturned a decision by the European Data Protection Supervisor which held that the transfer of certain data (namely comments from former creditors and shareholders of Banco Popular Español) to the auditing firm Deloitte fell within the scope of Regulation (EU) 2018/1725 on the protection of personal data and was potentially unlawful.
The Court now considers that the General Court committed an “error” by failing to take into account the intrinsic personal nature of the comments transferred.
It points out that, in order to determine whether the obligation to provide information under Regulation (EU) 2018/1725 has been complied with, it is necessary to look at things from the point of view of the data controller: even if pseudonymisation makes the data unidentifiable from Deloitte’s point of view, the bank should have informed the data subjects, even after anonymisation.
However, the Court confirms that pseudonymisation of data can indeed reduce its personal nature, as long as it is legitimately anonymised.
This Court judgment clarifies the means of assessing the personal nature of data, namely by taking into account the link between the information and its author and the state of the data at the time of collection.
See the judgment: https://aeur.eu/f/ia4 (Original version in French by Isalia Stieffatre)