A recent ruling by the General Court of the European Union has defined the conditions under which pseudonymized data may not be considered personal data. The measure has interesting implications for health care.
The judgment was issued following the appeal lodged by the Single Resolution Board – SRB (the central crisis resolution authority within the European banking union) against the European Data Protection Supervisor – EDPS) which had accused the first of having violated the GDPR for having transferred pseudonymized questionnaires to a consultancy firm without obtaining any consent from the people who had completed them.
The European Supervisor had taken his decision because the questionnaires that had been sent contained an alphanumeric code with which users had registered on the SRB portal and from which it was possible to trace the identity of those who had completed them.
The Tribunal ruled that, in line with the 2016 decision of the Court of Justice of the European Union regarding the “Dynamic IP addresses as personal data”, to determine whether or not the pseudonymized information transmitted to a recipient constitutes personal data, it is necessary “consider the perspective of the recipient of the data communication”.
In this case, if the recipient of the data does not have additional information that allows him to re-identify the data subjects and does not have legal means to access this information, the transmitted data can be considered anonymised and, as such, outside the scope of application of the GDPR.
For the General Court of the European Union the fact that the data transmitter has the means to re-identify the data subjects is irrelevant, since it does not mean that the personal data transmitted “from the sender” are also automatically considered personal data for the “recipient“.
The ruling is also of great importance for healthcare where pseudonymized data is often managed. The reasoning of the General Court of the European Union applied in this judgment opens the door to the possibility of process pseudonymised data without the patient’s consent provided that the conditions expressed above exist. This is an important simplification that allows the use of data for purposes not envisaged by the consent given by the patients as well as their treatment by software that can operate with pseudonymised data.
It remains to be seen whether, following this ruling, our National Authority for the protection of personal data will issue a note or guidelines to establish the principle and the areas of applicability.