EDPS – CJEU Judgment (European Union, 2025)

In June 2017, the Single Resolution Board (SRB) adopted a resolution scheme in respect of Banco Popular Español SA. In order to determine whether the shareholders and creditors affected by the resolution action would have received better treatment if that bank had entered into normal insolvency proceedings, SRB asked Deloitte, an auditing and advisory company, to carry out the valuation. Once that valuation was drawn up, in August 2018, the SRB adopted a preliminary decision on whether compensation needed to be granted to the shareholders and creditors (participants), and launched a right to be heard process in order to allow it to adopt a final decision. The participants were invited to express their opinions using an online registration form which permitted SBR to verify their status as affected shareholders and creditors. In the context of that procedure, in June 2019, the SRB transferred some of those comments, in the form of pseudonymised data bearing an alphanumeric code, to Deloitte. Later in 2019, a number of affected participants submitted complaints to the European Data Protection Supervisor (EDPS). They alleged that the SRB had failed to inform them that the data collected through their responses on the forms would be transmitted to third parties, in breach of the terms of its privacy statement. In its decision in November 2020, the EDPS held that the pseudonymous data shared by the SRB constituted personal data because the SRB shared the alphanumeric code that allowed linking the replies to the participants. It found that Deloitte was a recipient of personal data and therefore SRB had infringed the obligation to provide information laid down in Regulation 2018/1725 by not including it in the privacy policy. The SRB brought an action for annulment of the EDPS’s decision before the General Court of the European Union, arguing that the information transmitted to Deloitte did not constitute personal data. The General Court of the European Union uph