Case T‑557/20
Single Resolution Board (SRB)
v
European Data Protection Supervisor (EDPS)
Judgment of the General Court (Eighth Chamber, Extended Composition), 26 April 2023
(Protection of personal data – Procedure for granting compensation to shareholders and creditors following the resolution of a bank – Decision of the EDPS in which it found that the SRB failed to fulfil its obligations concerning the processing of personal data – Article 15(1)(d) of Regulation (EU) 2018/1725 – Concept of personal data – Article 3(1) of Regulation 2018/1725 – Right of access to the file)
1. Action for annulment – Actionable measures – Concept – Measures producing binding legal effects – Measures altering the applicant’s legal situation – Revised decision of the European Data Protection Supervisor (EDPS) in which it found that the Single Resolution Board (SRB) failed to fulfil its obligations concerning the processing of personal data – Included
(Art. 263 TFEU; European Parliament and Council Regulation 2018/1725, Art. 15(1)(d))
(see paragraphs 44-46, 50-54)
2. EU institutions – Protection of natural persons with regard to the processing of personal data – Regulation 2018/1725 – Concept of personal data – Any information relating to an identified or identifiable natural person – Right to be heard process launched by the Single Resolution Board (SRB) following the adoption of resolution actions concerning a bank – Comments submitted to the SRB made by the shareholders and creditors affected by those actions – Comments transmitted by the SRB to an independent third party for assessment – Decision of the European Data Protection Supervisor (EDPS) in which it found that the SRB failed to fulfil its obligations concerning the processing of the personal data of those shareholders and creditors – No examination by the EDPS of the content, the purpose or the effect of the comments – No determination by the EDPS as to whether it was possible for the independent third party to have legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments transmitted – Cancellation of the decision of the EDPS
(European Parliament and Council Regulations No 806/2014, Art. 20(16) and No 2018/1725, Art. 3(1))
(see paragraphs 64-75, 94-98, 100-106)
Summary
In June 2017, the Single Resolution Board (SRB) adopted a resolution scheme in respect of Banco Popular Español SA, a bank, on the basis of Regulation No 806/2014. (1) In order to determine whether the shareholders and creditors affected by the resolution action would have received better treatment if that bank had entered into normal insolvency proceedings, that regulation requires the involvement of an independent third party who draws up a valuation of difference in treatment. (2) The SRB asked the firm Deloitte to carry out the valuation.
Once that valuation was drawn up, the SRB adopted a preliminary decision on whether compensation needed to be granted to the shareholders and creditors and launched a right to be heard process in order to allow it to adopt a final decision. (3) During that process, which was divided into two phases, the affected shareholders and creditors were first invited to express their interest in exercising their right to be heard, using an online registration form, and to provide supporting documentation proving their rights (‘the registration phase’). Second, the affected shareholders and creditors whose status had been verified by the SRB were able to submit their written comments on the SRB’s preliminary decision and the valuation (‘the consultation phase’). On the first day of the registration phase, the SRB published, on the web page for registering for the right to be heard process, a privacy statement concerning the processing of personal data in the context of that process.
The data collected during the registration phase were accessible to a limited number of SRB staff tasked with processing those data in order to determine the participants’ eligibility. Those data were not visible to the SRB staff tasked with processing the comments received in the consultation phase, during which those staff members only received comments identified by reference to an alphanumeric code allocated to each individual comment submitted using the form.
After aggregation, automatic filtering and categorisation of the comments, the SRB transmitted to Deloitte, for assessment, the comments on the valuation carried out. The comments transferred to Deloitte were solely those that were received during the consultation phase and that bore an alphanumeric code. On account of that code, only the SRB could link the comments to the data received in the registration phase. Deloitte had, and still has, no access to the database of data collected during the registration phase.
In that context, given that the privacy statement concerning the processing of personal data published by the SRB did not contain any mention of the transmission to third parties of the data collected via the form, the affected shareholders and creditors (‘the complainants’) submitted five complaints under Regulation 2018/1725 (4) to the European Data Protection Supervisor (EDPS). They alleged an infringement by the SRB of its information obligations relating to the processing of personal data under that regulation. (5)
The EDPS adopted an initial decision which, following a request for review by the SRB, was repealed and replaced by a revised decision in which the EDPS found that the SRB had infringed a provision of that regulation in that it had failed to inform the complainants, in its privacy statement, that their personal data might be disclosed to Deloitte. The SRB then brought an action before the Court seeking, inter alia, annulment of that revised decision of the EDPS.
Ruling in extended composition, the Court upholds the SRB’s action and annuls the EDPS’s revised decision, clarifying the concept of personal data in the light of the judgments of the Court of Justice in Nowak (6) and Breyer. (7)
Findings of the Court
In its judgment, the Court clarifies the concept of personal data, within the meaning of Article 3(1) of Regulation 2018/1725, defined as ‘any information relating to an identified or identifiable natural person’. In order for information to constitute personal data, two cumulative conditions must be satisfied: first, the information must ‘relate’ to a natural person and, second, that natural person must be ‘identified or identifiable’.
In the first place, the Court examines whether the EDPS was entitled to conclude that the information transmitted to Deloitte ‘related’ to a natural person within the meaning of that provision.
As a preliminary point, the Court notes that, in the revised decision, the EDPS classified as ‘personal data’ all the comments made by the affected shareholders and creditors in the context of the consultation phase, and did not limit his assessment solely to the information transmitted to Deloitte. In so far as the infringement by the SRB of its obligations concerning the processing of personal data under Regulation 2018/1725, as found in the revised decision, concerned only the fact that the SRB did not mention, in the privacy statement, that Deloitte was a potential recipient of certain data, the Court finds that it is appropriate to limit its examination to whether the information transmitted to Deloitte was personal data within the meaning of Article 3(1) of Regulation 2018/1725.
In that context, the Court recalls the aim of the legislature to assign a wide scope to the concept of personal data, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.
In that regard, the Court also finds that, in its judgment in Nowak, cited above, the Court of Justice has previously had occasion to rule that that condition is satisfied where the information, by reason of its content, purpose or effect, is linked to a particular person. However, in the revised decision, the EDPS did not examine the content, the purpose or the effect of the information transmitted to Deloitte. It merely stated that the comments produced by the complainants during the consultation phase reflected their opinions or views and concluded, on that basis alone, that they constituted information relating to the complainants, which was sufficient to classify them as personal data. Admittedly, it cannot be ruled out that personal views or opinions may constitute personal data. However, it is apparent from the judgment in Nowak (8) that such a conclusion cannot be based on a presumption such as the one applied by the EDPS, but must be based on the examination of whether, by its content, purpose or effect, a view is linked to a particular person. It follows that, since the EDPS did not carry out such an examination, he could not conclude that the information transmitted to Deloitte constituted information ‘relating’ to a natural person within the meaning of Article 3(1) of Regulation 2018/1725.
In the second place, the Court examines the EDPS’s assessment of whether the information transmitted to Deloitte related to an ‘identified or identifiable’ natural person within the meaning of that provision.
In that regard, the Court finds that it is not disputed, first, that the alphanumeric code appearing on the information transmitted to Deloitte did not in itself allow the authors of the comments to be identified and, second, that Deloitte did not have access to the identification data received during the registration phase that would have allowed the participants to be linked to their comments by virtue of that code. The EDPS stated that the additional information necessary to identify the authors of the comments consisted of the alphanumeric code and the identification database. It is true that, having regard to the judgment in Breyer cited above, (9) the fact that the additional information necessary to identify the authors of the comments received during the consultation phase was held not by Deloitte, but by the SRB, does not appear such as to exclude a priori that the information transmitted to Deloitte constituted, for Deloitte, personal data. However, it is also apparent from that judgment that, in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted to it relates to ‘identifiable persons’.
Therefore, pursuant to the judgment in Breyer cited above, (10) it was for the EDPS to examine whether the comments transmitted to Deloitte constituted personal data for Deloitte. Thus, according to the Court, the EDPS is incorrect to maintain that it was not necessary to ascertain whether the authors of the information transmitted to Deloitte were re-identifiable by Deloitte or whether such re-identification was reasonably possible. The Court states that, in the revised decision, the EDPS concluded that the fact that the SRB held additional information enabling the authors of the comments to be re-identified was sufficient to conclude that the information transmitted to Deloitte was personal data, while acknowledging that the identification data received during the registration phase had not been communicated to Deloitte. Accordingly, it is apparent from the revised decision that the EDPS merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s. It is apparent from the judgment in Breyer cited above (11) that it was for the EDPS to determine whether the possibility of combining the information that had been transmitted to Deloitte with the additional information held by the SRB constituted a means likely reasonably to be used by Deloitte to identify the authors of the comments.
Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725. Consequently, the Court annuls the revised decision of the EDPS.