First look at SRB, on what is “personal data” and the relative nature of the concept. This part is all about how to determine if information relates to an “identifiable” natural person.
The EU Court of Justice stresses the importance, in the case of pseudonymisation, of technical and organisational measures (TOMs) “to ensure that the personal data are not attributed to an identified or identifiable natural person” (para. 74 & following). These TOMs aim at keeping the identifying information separately from the pseudonymised data.
If these TOMs are in place and do work (= prevent attribution to the data subject), “pseudonymisation may have an impact on whether or not those data are personal” (para. 75).
76: if the one doing the pseudonymisation has “additional information” that enables attribution to a data subject, the data itself remains personal in nature *for that controller*.
77: as regards a recipient to which the controller has transmitted pseudonymised data, however, those TOMs “may […] have the effect that, for that company, those comments are not personal in nature. However, that presupposes, first, that [the recipient] is not in a position to lift those measures during any processing of the comments which is carried out under its control. Second, those measures must in fact be such as to prevent [the recipient] from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable”.
The CJEU also quotes the OLAF case (C-479/22 P), stating that this judgment “bears out the interpretation that the existence of additional information enabling the data subject to be identified does not, in itself, mean that pseudonymised data must be regarded as constituting, in all cases and for every person, personal data” (para. 82)
It also quotes from Scania (C-319/22): “data which are in themselves impersonal may become ‘personal’ in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified. […] where those data are put at their disposal – those data are personal data both for those persons and, indirectly, for the controller.” (84)
Conclusion: “pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data” (86)
In short: the CJEU confirms that “personal data” is a relative concept, but that (i) the recipient of pseudonymised data must never be able to access identifying data and (ii) the recipient must avoid sharing the data with someone able to reidentify it.
EDIT:
– LinkedIn Live debate replay: https://lnkd.in/dyQgMEAB
– In-depth analysis of the judgment: https://lnkd.in/eXk8tj7y
SRB judgment: https://lnkd.in/eXhnP4nG
Data protection GDPR privacy
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗