EDPS – CJEU Judgment (European Union, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that the Single Resolution Board shared personal data without properly informing participants. This matters because it highlights the importance of transparency when handling personal information. Companies must ensure they communicate clearly about how data will be used.
What happened
The Single Resolution Board shared pseudonymised data with Deloitte without informing participants that their data would be transmitted.
Who was affected
Participants who submitted comments regarding the resolution scheme for Banco Popular Español SA.
What the authority found
The court found that the shared pseudonymised data was still personal data and that the SRB failed to inform participants as required by data protection rules.
Why this matters
This ruling emphasizes that organizations must be transparent about data sharing practices. It sets a precedent for how personal data is defined and handled in similar cases.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In June 2017, the Single Resolution Board (SRB) adopted a resolution scheme in respect of Banco Popular Español SA. In order to determine whether the shareholders and creditors affected by the resolution action would have received better treatment if that bank had entered into normal insolvency proceedings, SRB asked Deloitte, an auditing and advisory company, to carry out the valuation. Once that valuation was drawn up, in August 2018, the SRB adopted a preliminary decision on whether compensation needed to be granted to the shareholders and creditors (participants), and launched a right to be heard process in order to allow it to adopt a final decision. The participants were invited to express their opinions using an online registration form which permitted SBR to verify their status as affected shareholders and creditors. In the context of that procedure, in June 2019, the SRB transferred some of those comments, in the form of pseudonymised data bearing an alphanumeric code, to Deloitte. Later in 2019, a number of affected participants submitted complaints to the European Data Protection Supervisor (EDPS). They alleged that the SRB had failed to inform them that the data collected through their responses on the forms would be transmitted to third parties, in breach of the terms of its privacy statement. In its decision in November 2020, the EDPS held that the pseudonymous data shared by the SRB constituted personal data because the SRB shared the alphanumeric code that allowed linking the replies to the participants. It found that Deloitte was a recipient of personal data and therefore SRB had infringed the obligation to provide information laid down in Regulation 2018/1725 by not including it in the privacy policy. The SRB brought an action for annulment of the EDPS’s decision before the General Court of the European Union, arguing that the information transmitted to Deloitte did not constitute personal data. The General Court of the European Union uph
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for EDPS in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
4 September 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-9490About this data
Cite as: Cookie Fines. EDPS - European Union (2025). Retrieved from cookiefines.eu
Last updated: