In its judgment of 26 April 2023 (case T-557/20), the Court of Justice of the European Union (‘CJEU’) ruled that pseudonymised data transmitted to a recipient who does not have the means to identify the data subject is not personal data. This means that such information does not fall within the scope of the legislation on the protection of personal data.

Before entering into the merits of the judgment under comment, it seems appropriate to define what is meant by ‘pseudonymisation’. According to Article 4 of Regulation (EU) 2016/679 (better known by the acronym ‘GDPR’), pseudonymisation means ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.

The facts of the case

The facts of the case examined by the CJEU are set out below.

The case originates from several complaints received by the European Data Protection Supervisor (the ‘EDPS’) reporting specific conduct of the Single Resolution Board (‘SRB’).   

Specifically, the SRB, after collecting through an electronic form some opinions of shareholders and creditors (the ‘data subjects’), had transferred the answers obtained to a consulting firm. Before forwarding them to the consulting firm, the SRB had pseudonymised this data by replacing the names of the data subjects with alphanumeric codes. The data subjects nevertheless complained to the EDPS that the information notices on the processing of personal data provided by the SRB did not specify that their personal data would be shared with third parties.

The EDPS stated that, even though the data thus disclosed did not allow the company to identify the authors of the survey, the pseudonymised data should nevertheless be considered personal data, also in view of the fact that the outsourcer received the alphanumeric code that allowed it to link the replies received.

For these reasons, the EDPS held the consulting firm (the recipient of personal data) and the SRB liable for the breach referred to in Article 15 of the GDPR – governing the right of access of the data subject – for not having provided, among other things, information about the recipients or categories of recipients to whom the personal data would be disclosed.

The decision of the Court of Justice of the European Union

The judges of the CJEU overturned the EDPS’s decision. The CJEU stated that the decision taken by the EDPS on the nature of the pseudonymised data was incorrect, as the EDPS had not verified whether or not the company to which the data had been disclosed was able to re-identify the data subjects. That verification should have taken place on the basis of the instruments that the company held, or did not hold, enabling it to identify natural persons.

To identify whether or not pseudonymised information disclosed to a recipient constitutes personal data, it is necessary to ‘consider the recipient’s perspective’. If the recipient does not have additional information enabling him/her to identify the data subjects and does not have legal means to access it, the disclosed data are considered to be anonymous data and therefore are not personal data. They are therefore excluded from the scope of application of the principles in force regarding data protection. Conversely, the fact that the party disclosing the data has the means to identify the data subjects is irrelevant.

On these grounds, the Court of Justice annulled the EDPS’s decision and ordered it to pay the costs of the proceedings.

An order of the Court of Cassation recognises that an employer may use security camera footage for disciplinary purposes

Employers may use security camera footage for disciplinary purposes. This has been confirmed by the Court of Cassation in Order of 23 March 2023, No 8375.

Remote control of workers’ activities

As is now well known, Article 4 of the Italian Workers’ Charter states that audio-visual equipment – or in any case instruments which may enable remote control of workers’ activities (which also includes video surveillance systems) – may be used by the employer exclusively for the following purposes:

  • organisational and production needs,
  • safety at work,
  • the protection of company assets.

These instruments may be installed subject to a collective agreement with the trade unions and in any case may not be installed to monitor the employees’ work.

Use of video footage for disciplinary purposes

If the objective of Article 4 of the Workers’ Charter is to protect the worker from remote monitoring of his or her work performance, why has the Court of Cassation held that recordings can be used as the basis for a disciplinary complaint?

Continue reading the full version published in Wired

Human error is the data controller’s responsibility

The Italian Data Protection Authority (“Garante”), in its 28 April 2022 injunction, imposed a € 50,000 fine on the National Institute for Insurance against Accidents at Work (“INAIL” or the “Institute”) after three computer incidents. These incidents allowed users to access data relating to others.

INAIL, in its capacity as data controller, had notified the Data Protection Authority, under art. 33 of the EU Regulation on personal data protection (the “Regulation”), of three personal data breaches that occurred between 2019 and 2020. These breaches concerned the online service “Sportello Virtuale Lavoratori” (Virtual Workers’ Desk), which allows employees who have suffered an accident or are victims of occupational illnesses to view the progress of their files and measures issued by the Institute. The investigation initiated by the Data Protection Authority revealed that the “Sportello Virtuale Lavoratori” allowed some workers to accidentally consult the files of other workers and view personal information (e.g. first name, surname) and data relating to their health status (“sensitive data”). It was verified that one of the three reported violations was caused by a “human error” which, as stated in the order, “is the data controller’s responsibility.”

Continue reading the full version published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.

For proper whistleblowing management, it is essential to pay due attention to the protection of the personal data processed.

The adoption of appropriate measures to ensure the protection and security of personal information is a key factor in achieving the necessary balance between the whistleblower’s need for confidentiality, the need to ascertain the wrongdoing and the whistleblower’s right to defence and cross-examination.

Vittorio De Luca, Managing Partner of Studio De Luca & Partners commented: “The recent measure adopted by the Data Protection Authority is only the latest of the measures adopted on the subject which, as the Authority pointed out, is part of a broader inspection plan dedicated to verifying the utmost respect for the protection of personal data during the management of unlawful conduct reports. Without prejudice to this, proper management of the “whistleblowing system” is part of an effective corporate compliance strategy. Implementing organisation, management and control systems built based on the results of a preliminary risk analysis makes it possible to reduce the risk of offences being committed and the risk of incurring the heavy penalties provided for by applicable legislation. It is necessary to adopt corporate procedures and appropriate technical and organisational measures for the protection and security of the information of those involved without neglecting the importance of awareness-raising and training users of these systems and those in charge of managing and verifying the reports made. Reaching a high level of awareness and culture among corporates must be one of the first objectives to be achieved.”

In the last few days, Italian online services and sites, including the websites of the Senate and the Ministry of Defence, have suffered a cyber-attack from a group of Russian cybercriminals. Vittorio De Luca, from Studio De Luca & Partners, said:

“Cyber-attacks are a daily occurrence and no one can consider themselves safe. Attacks on institutions cause a stir, but for years hundreds of companies suffered daily attacks from cybercriminals. These attacks have a considerable impact on productivity and lead to data theft, service disruption and image damage. Robust cyber security is essential to protect a company’s knowledge assets and ensure business continuity. GDPR requires small and large companies to conduct a survey of their cyber risk exposure and the impact they could have on their business. An “incident” response plan must be prepared, security policies and measures to protect the IT system must be adopted. There must be periodic audits. It is essential to raise employee awareness on cyber security through training sessions, so that they can recognise and deal with the various threats. Protection from cyber-attacks takes place in two phases – prevention and protection. If there is a successful attack, companies must inform the data protection authority, and initiate a data breach procedure within 72 hours of becoming aware of the violation.”