European Union: General Court of European Union issued judgement in case concerning EDPS decision on SRB's data sharing practices

On 26 April 2023, the General Court of the European Union (Court) issued a judgment in Case T-557/20. It concerns an investigation that the European Data Protection Service (EDPS) had conducted into the Single Resolution Board (SRB), one of the EU's banking agencies. The SRB shared data it had collected using a survey with the consulting firm Deloitte, using code names. The EDPS found that SRB violated Article 15 of Regulation 2018/1725 because it had failed to inform its complainants that their data would be shared with Deloitte. The EDPS then revised its decision a few months later and decided not to implement a reprimand it had issued because of that violation. Moreover, the EDPS specified in its revised ruling that the data shared with Deloitte was not personal data but pseudonymised. The data was not shared using personal names but using alphanumeric codes. Deloitte did not have the necessary data to re-identify the participants. The SRB opened the lawsuit demanding that the original decision of EDPS be considered illegal and the revised decision be annulled. In its decision, the General Court allowed for the annulment of the revised decision but rejected SRB's request to declare the original decision illegal since this would not fall within the court's jurisdiction. Specifically, the General Court found that the EDPS had not carried out the proper examinations to determine either that the data in question was 'related' to a natural person or related to an 'identified or identifiable' natural person.