Understanding the CJEU ruling on data controller accountability and pseudonymized data

Published October 8, 2025 by Thomas Adhumeau

7 min read
Summary

Last month, the Court of Justice of the European Union (CJEU) clarified when pseudonymized data counts as personal data in European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (Case C-413/23 P), confirming the high bar for data controller accountability. 

The appeal addressed key legal issues and reinforced the need for robust data governance. At Didomi we read it as a strong use case for server-side proxying (also called proxification) as an effective technical measure for demonstrating accountability and keeping control over data flows.

Continue reading to learn more about the judgment, its implications, and our interpretation of its consequences.

General context and content of the judgment

The case originated from the resolution procedure of Banco Popular Español. The Single Resolution Board (SRB) was tasked with determining potential compensation for affected shareholders and creditors. As part of the process, the SRB invited claimants to provide comments on its preliminary decision (the "right to be heard" procedure).

The SRB collected these written comments (or "tickets") and assigned each a unique alphanumeric code. It then transferred a subset of the comments to the consulting firm Deloitte for a valuation exercise (Valuation 3). Crucially, the data sent to Deloitte was pseudonymized: the SRB retained the key (the identification data collected during the registration phase) linking the codes to the authors' identities, and that key was never sent to Deloitte.

The European Data Protection Supervisor (EDPS) found that the SRB had violated its obligation to inform data subjects because the claimants were not notified in the privacy declaration that their data might be shared with Deloitte.

The General Court initially sided with the SRB, reasoning that the data was sufficiently de-identified from the recipient's (Deloitte's) perspective. The CJEU, however, sided with the EDPS: it set aside the General Court's judgment, holding that the information obligation must be assessed from the controller's perspective, and referred the case back to the General Court for the remaining pleas to be decided.

Implications from the ruling regarding personal data

The Court of Justice held that the notion of personal data under Article 3(1) of Regulation 2018/1725 must be interpreted broadly, covering any information relating to an identified or identifiable person. It clarified that subjective expressions, such as opinions or comments, inherently relate to the person who expressed them and therefore constitute personal data, without the need to assess their content, purpose, or effect when they clearly reflect an individual’s views. 

In the case of Banco Popular, the comments submitted by shareholders and creditors were considered personal data because they reflected their personal opinions, and the Single Resolution Board (SRB), as controller, could link these comments to identified persons through the registration data it held.

The Court then drew a distinction between pseudonymisation and anonymisation. It explained that pseudonymised data remains personal data as long as there exists additional information that allows the data to be attributed to a specific person. Pseudonymisation merely reduces the risk of identification by separating identifying information, but it does not eliminate that possibility. 

However, when technical and organisational measures are implemented such that a recipient cannot reasonably identify the data subjects because, for instance, it lacks the key or any practical means of re-identification, the data may not be personal data from the recipient’s perspective. Thus, for the controller, the data remain personal, since it retains the capacity to identify the individuals, while for a recipient like Deloitte, they might not be, provided that the pseudonymisation effectively prevents re-identification.

Finally, the Court ruled that compliance with the obligation to inform under Article 15(1)(d) of Regulation 2018/1725 must be assessed from the controller's point of view and at the time of data collection. The SRB therefore had to inform participants that their data could be transferred to Deloitte, even if Deloitte itself could not identify them. The decisive factor is whether the data are personal with regard to the controller, since the duty of transparency and the validity of consent depend on that perspective. The Court thus set aside the General Court's judgment and confirmed that the SRB had processed personal data, meaning it was required to disclose the potential recipients of that data to the individuals concerned.

What does this ruling potentially mean for your organization?

For organizations that use external vendors (such as ad-tech providers or consultants), this judgment highlights the strict nature of the controller's transparency requirement. At the same time, it confirms a framework within which genuine risk minimization can be pursued:

  • Accountability mandate: Organizations must be transparent about all potential data recipients at the time of data collection. The accountability falls squarely on the controller.
  • The strategic use of pseudonymization: If a controller implements measures so effective that the data sent to a recipient is no longer identifiable to that recipient, the data may fall outside the scope of EU data protection law for that recipient. The caveat is that this only holds if the recipient has no reasonable means of re-identification, which includes not receiving a key and not being able to join the pseudonym with other data it already holds.

The goal, therefore, is to transition data flows so that they are controlled and minimized before anything is sent to third parties. This is where server-side proxying comes in.

Server-side as a solution?

In light of the ruling, our server-side approach at Didomi seems to address directly the key concerns raised by the Court.

Control and minimization

We believe server-side architecture (proxification) is a necessary tool for organizations to regain control and implement robust governance, allowing publishers to control what data is sent to which third parties, thereby reducing the size and liability of their vendor list.

Achieving non-personal data status downstream

With a server-side proxy, the user's browser talks only to the controller's endpoint, so the controller can ensure that IP addresses and other identifiers are not sent directly to third parties. 

Instead, if the organization forwards only a pseudonymous ID that the recipient cannot link back to an individual, because the controller alone holds the key and the ID is not reused across recipients, it achieves the legal separation outlined by the CJEU. Note that a plain, unkeyed hash of an e-mail address or similar identifier does not achieve this: anyone with a list of candidate values can recompute and match it. 

By allowing organizations to pseudonymize effectively, this technique can reduce legal risk and governance burden: for the downstream recipient, the data may no longer be personal data, potentially removing the need for consent specific to that recipient's processing, while the controller's own processing, including the transfer itself, still requires a lawful basis and the transparency the ruling demands.
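As an added illustration of the transformation described above (example code written for this article, not Didomi's product code), the following Python sketch models the controller-side step of such a proxy. The vendor names, the field allow-list, the sample event and the candidate list are all constructed for the example. It demonstrates that a keyed pseudonym whose key and lookup table stay with the controller can be re-identified only by the controller, whereas a plain hash of the same identifier is recovered by a recipient with a candidate list.

```python
"""Added example (not Didomi's code): the controller-side step of a
server-side pseudonymising proxy, as described in this section.

The controller keeps the re-identification key and the lookup table; the
vendor receives only allow-listed fields plus a keyed pseudonym, and never
sees the IP address because the browser no longer talks to the vendor
directly. Field names, vendor names, the allow-list, the sample event and
the candidate list are all constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed allow-list: which fields each downstream vendor may receive.
VENDOR_ALLOWLIST = {
    "analytics-vendor": {"event", "page", "timestamp"},
    "ads-vendor": {"event", "timestamp"},
}

# Constructed event as it would arrive at the controller's proxy endpoint.
SAMPLE_EVENT = {
    "event": "page_view",
    "page": "/pricing",
    "timestamp": "2025-10-08T09:15:00Z",
    "ip": "203.0.113.42",            # TEST-NET-3 documentation range
    "user_id": "alice@example.com",
    "user_agent": "Mozilla/5.0 (constructed)",
}

# Constructed candidate list a recipient could enumerate (e.g. a leaked mailing list).
CANDIDATES = ["bob@example.com", "alice@example.com", "carol@example.net"]

# Identifiers that must never be forwarded by the proxy (constructed policy).
NEVER_FORWARD = ("ip", "user_id", "user_agent")


class ControllerProxy:
    """Holds the 'additional information' the CJEU refers to: key and table."""

    def __init__(self, key: Optional[bytes] = None):
        # The secret stays in the controller's environment and is never sent on.
        self.key = key or secrets.token_bytes(32)
        self._table: Dict[str, str] = {}   # pseudonym -> original identifier

    def pseudonym(self, identifier: str, vendor: str) -> str:
        # Keyed MAC with the vendor name as a domain separator, so two
        # recipients cannot join their datasets on a shared token.
        msg = f"{vendor}\x00{identifier}".encode()
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        self._table[token] = identifier
        return token

    def minimise(self, event: dict, vendor: str) -> dict:
        """Build the payload the proxy forwards to `vendor`."""
        allowed = VENDOR_ALLOWLIST[vendor]
        out = {k: v for k, v in event.items() if k in allowed}
        out["uid"] = self.pseudonym(event["user_id"], vendor)
        # Fail closed if an allow-list ever lets a raw identifier through.
        for banned in NEVER_FORWARD:
            if banned in out:
                raise ValueError(f"{banned!r} must not leave the controller")
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Only the controller can do this; the vendor has neither key nor table."""
        return self._table.get(token)


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak variant: a plain hash of the identifier. Anyone holding a
    candidate list can reverse it, so it is not effective pseudonymisation."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """What a recipient without the key can do: hash each guess and compare."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_pseudonym(cand), token):
            return cand
    return None


if __name__ == "__main__":
    proxy = ControllerProxy()
    outbound = proxy.minimise(SAMPLE_EVENT, "analytics-vendor")
    print("forwarded to vendor:", outbound)
    print("controller re-identifies:", proxy.reidentify(outbound["uid"]))
    print("dictionary attack on keyed token:", dictionary_attack(outbound["uid"], CANDIDATES))
    print("dictionary attack on unkeyed hash:",
          dictionary_attack(unkeyed_pseudonym("alice@example.com"), CANDIDATES))
```

Two design points follow from the ruling rather than from the code: the key and the lookup table are exactly the "additional information" that keeps the data personal for the controller, so they deserve the same protection as the raw identifiers; and the per-vendor domain separation matters because a token reused across recipients lets them join their datasets and re-identify jointly, which would undermine the claim that the data is non-personal for any one of them.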

How Didomi can help 

Our team at Didomi recognizes that the high standards of accountability and transparency affirmed in this case require modern technical solutions. Relying solely on client-side consent mechanisms is insufficient when a browser-initiated request to a third party necessarily exposes the user's IP address to that third party, and regulators are actively challenging this practice.

Our vision is centered on providing a comprehensive framework for compliance and data ethics:

  • Complete transparency and consent: We provide privacy-enhancing solutions to meet the information requirements of Article 15 of Regulation 2018/1725 (and its GDPR counterpart, Article 13, for private-sector controllers), ensuring data subjects are fully informed about all potential recipients before giving their consent.
  • Enforced governance via server-side: Our server-side solutions serve as the technical enforcement layer for compliance, allowing organizations to implement proxification and thereby enforce data minimization by transforming or removing identifiers before data leaves the controller's environment. This helps mitigate regulatory challenges such as the German decisions concerning direct transfers of IP addresses via Google tools.

By combining our Consent Management Platform with robust server-side proxification, Didomi offers clients a strategic playbook to move beyond compliance checklists and proactively manage data identity and risk, turning legal necessity into a competitive advantage.

The author
Thomas Adhumeau
Chief Privacy Officer at Didomi.
French Commercial/IT Lawyer and Certified Information Privacy Professional by IAPP.