JUDGMENT OF THE COURT (First Chamber)

4 September 2025 ( * )

( Appeal – Protection of natural persons with regard to the processing of personal data – Procedure for granting compensation to shareholders and creditors of a banking institution following the resolution of that institution – Decision of the European Data Protection Supervisor finding that the Single Resolution Board failed to fulfil its obligations relating to the processing of personal data – Regulation (EU) 2018/1725 – Article 15(1)(d) – Obligation to inform the data subject – Transmission of pseudonymised data to a third party – Article 3(1) – Concept of ‘personal data’ – Article 3(6) – Concept of ‘pseudonymisation’ )

In Case C‑413/23 P,

APPEAL under Article 56 of the Statute of the Court of Justice of the European Union, brought on 5 July 2023,

European Data Protection Supervisor (EDPS), represented initially by P. Candellier, G. Devin, X. Lareo, D. Nardi and T. Zerdick, and subsequently by P. Candellier, X. Lareo, D. Nardi, N. Stolić and T. Zerdick, acting as Agents,

appellant,

supported by:

European Data Protection Board, represented by C. Foglia, M. Gufflet, G. Le Grand and I. Vereecken, acting as Agents, and by E. de Lophem, avocat, G. Ryelandt, advocaat, and P. Vernet, avocat,

intervener in the appeal,

the other party to the proceedings being:

Single Resolution Board (SRB), represented by H. Ehlers, M. Fernández Rupérez and A. Lapresta Bienz, acting as Agents, and by M. Braun, H.-G. Kamann, Rechtsanwälte, and F. Louis, avocat,

applicant at first instance,

supported by:

European Commission, represented by A. Bouchagiar and H. Kranenborg, acting as Agents,

intervener in the appeal,

THE COURT (First Chamber),

composed of F. Biltgen, President of the Chamber, T. von Danwitz (Rapporteur), Vice-President of the Court, acting as Judge of the First Chamber, A. Kumin, I. Ziemele and S. Gervasoni, Judges,

Advocate General: D. Spielmann,

Registrar: M. Longar, Administrator,

having regard to the written procedure and further to the hearing on 7 November 2024,

after hearing the Opinion of the Advocate General at the sitting on 6 February 2025,

gives the following

Judgment

1 By his appeal, the European Data Protection Supervisor (EDPS) asks the Court of Justice to set aside the judgment of the General Court of the European Union of 26 April 2023, SRB v EDPS (T‑557/20, EU:T:2023:219; ‘the judgment under appeal’), by which the General Court annulled the revised decision of the EDPS of 24 November 2020 adopted following the request from the Single Resolution Board (SRB) for review of the decision of the EDPS of 24 June 2020 concerning five complaints submitted by several complainants (Cases 2019-947, 2019-998, 2019-999, 2019-1000 and 2019-1122) (‘the decision at issue’).

I. Legal context

2 Recitals 5, 16, 17 and 35 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39) are worded as follows:

‘(5) It is in the interest of a coherent approach to personal data protection throughout the [European] Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions, bodies, offices and agencies with the data protection rules adopted for the public sector in the Member States. Whenever the provisions of this Regulation follow the same principles as the provisions of Regulation (EU) 2016/679 [of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; “the GDPR”)], those two sets of provisions should, under the case-law of the [Court of Justice], be interpreted homogeneously, in particular because the scheme of this Regulation should be understood as equivalent to the scheme of Regulation (EU) 2016/679.

…

(16) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(17) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data protection obligations. The explicit introduction of “pseudonymisation” in this Regulation is not intended to preclude any other measures of data protection.

…

(35) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.’

3 Article 3(1), (6), (8) and (13) of Regulation 2018/1725, headed ‘Definitions’, provides:

‘For the purposes of this Regulation, the following definitions apply:

(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

…

(6) “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

…

(8) “controller” means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law;

…

(13) “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing’.

4 Article 4 of that regulation, headed ‘Principles relating to processing of personal data’, provides, in paragraph 2:

‘The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

5 Article 14 of that regulation, headed ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, states, in paragraph 1:

‘The controller shall take appropriate measures to provide any information referred to in Articles 15 and 16 and any communication under Articles 17 to 24 and 35 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.’

6 Article 15 of that regulation, headed ‘Information to be provided where personal data are collected from the data subject’, provides as follows:

‘(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

…

(d) the recipients or categories of recipients of the personal data, if any;

…

(2) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or, where applicable, the right to object to processing or the right to data portability;

…

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

…’

7 Article 24 of Regulation 2018/1725 sets out the circumstances in which an individual decision may be based on automated processing, including profiling.

8 Article 26 of that regulation, headed ‘Responsibility of the controller’, provides, in paragraph 1 thereof:

‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.’

II. Background to the dispute

9 The background to the dispute is set out in paragraphs 2 to 32 of the judgment under appeal and can be summarised as set out below.

10 On 7 June 2017, the SRB, in its executive session, adopted Decision SRB/EES/2017/08 concerning a resolution scheme in respect of Banco Popular Español, S.A. on the basis of Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010 (OJ 2014 L 225, p. 1) (‘the SRM Regulation’).

11 In that decision, the SRB, considering that the conditions laid down by Article 18(1) of the SRM Regulation were satisfied, decided to place Banco Popular Español SA (‘Banco Popular’) under resolution. Accordingly, the SRB decided to write down and convert Banco Popular’s capital instruments pursuant to Article 21 of that regulation and to apply the sale of business tool under Article 24 of that regulation by transferring the shares to a purchaser.

12 On the same day, the European Commission adopted Decision (EU) 2017/1246 endorsing the resolution scheme for Banco Popular Español S.A. (OJ 2017 L 178, p. 15).

13 Following the resolution of Banco Popular, the SRB asked the auditing and advisory company Deloitte to undertake a valuation of difference in treatment, provided for in Article 20(16) to (18) of the SRM Regulation, carried out in order to determine whether the shareholders and creditors of Banco Popular would have received better treatment if the bank had entered into normal insolvency proceedings (‘Valuation 3’). On 14 June 2018, Deloitte sent that valuation to the SRB.

14 On 6 August 2018, the SRB published on its website its Notice of 2 August 2018 regarding its preliminary decision on whether compensation needs to be granted to the shareholders and creditors in respect of which the resolution actions concerning Banco Popular Español, S.A. have been effected and the launching of the right to be heard process (SRB/EES/2018/132) (‘the preliminary decision’), and a non-confidential version of Valuation 3. On 7 August 2018, an announcement with regard to that notice was published in the Official Journal of the European Union (OJ 2018 C 277 I, p. 1).

15 In the preliminary decision, the SRB stated that, in order for it to be able to take its final decision on whether the shareholders and creditors affected by the resolution of Banco Popular (‘the affected shareholders and creditors’) should be granted compensation in accordance with Article 76(1)(e) of the SRM Regulation, it was inviting the affected shareholders and creditors to express their interest in exercising their right to be heard pursuant to Article 41(2)(a) of the Charter of Fundamental Rights of the European Union (‘the Charter’).

A. The right to be heard process

16 According to the information in the preliminary decision, the right to be heard process had to take place in two phases.

17 In the first phase (‘the registration phase’), the affected shareholders and creditors were invited to express their interest in exercising their right to be heard, using an online registration form which had to be completed by 14 September 2018. In that phase, the affected shareholders and creditors wishing to exercise their right to be heard had to provide the SRB with supporting documentation proving that on the date of Banco Popular’s resolution they owned one or more of the capital instruments of that bank that were written down or converted and transferred to Banco Santander SA in the context of the resolution. The supporting documentation to be provided included proof of identity and proof of ownership of one of those capital instruments on 6 June 2017. The SRB then had to verify whether each person that had expressed an interest did in fact qualify as an affected shareholder or creditor.

18 On 6 August 2018, the first day of the registration phase, the SRB also published, on the web page for registering for the right to be heard process and on its website, a privacy statement concerning the processing of personal data in the context of that process (‘the privacy statement’).

19 In the second phase (‘the consultation phase’), the persons whose status as affected shareholders and creditors had been verified by the SRB were able to submit their comments on the preliminary decision, to which Valuation 3 was annexed. On 16 October 2018, the SRB announced on its website that from 6 November 2018 the affected shareholders and creditors would be invited to submit their written comments on the preliminary decision during the consultation phase.

20 On 6 November 2018, the SRB sent an email to the affected shareholders and creditors containing a unique personal link to an online form, which comprised seven questions, with limited space for answering, enabling the affected shareholders and creditors to submit comments on the preliminary decision and on the non-confidential version of Valuation 3 by 26 November 2018.

21 The SRB examined the relevant comments from affected shareholders and creditors with regard to the preliminary decision. It asked Deloitte, in its capacity as independent valuer, to assess the relevant comments relating to Valuation 3, to provide it with a document containing its assessment, and to examine whether that valuation was still valid in the light of those comments.

B. The processing of data collected by the SRB in the context of the right to be heard process

22 The data collected during the registration phase, that is to say, proof of the identity of the affected shareholders and creditors and proof of ownership of written down or converted and transferred capital instruments of Banco Popular, were accessible to a limited number of SRB staff, namely those tasked with processing those data in order to determine whether the affected shareholders and creditors were eligible for compensation.

23 The members of SRB staff responsible for the processing of the comments received during the consultation phase had access neither to the data collected in the registration phase – with the result that the comments were separated from the personal information of the affected shareholders and creditors who submitted them – nor to the data key or to information by which the identity of the affected shareholder or creditor could be traced by reference to the unique alphanumeric code assigned to each individual comment submitted via the form. That alphanumeric code consisted of a 33-digit globally unique identifier randomly generated at the time the responses to the form were received.

24 As a first step, the SRB automatically filtered 23 822 comments, each of which was allocated a unique alphanumeric code, submitted by 2 855 participants in the process. Two algorithms identified 20 101 comments as being identical. In the present instance, the comment submitted first was considered the original comment and was assessed in the analysis phase, and the identical comments received subsequently were identified as duplicates.

25 As a second step, the SRB identified the comments submitted which came within the scope of the right to be heard procedure in so far as they could have an influence on the preliminary decision or Valuation 3. Next, it divided those comments into those to be examined by the SRB because they related to the preliminary decision and those to be examined by Deloitte because they related to Valuation 3. At the end of that step, the SRB had identified 3 730 individual comments, which it classified according to their relevance and theme.

26 As a third step, the comments relating to the preliminary decision were handled by the SRB while those relating to Valuation 3, that is to say, 1 104 comments, were transferred to Deloitte on 17 June 2019, using a secure SRB-dedicated virtual data server. The SRB uploaded the files to be shared with Deloitte to the virtual server and granted access to those files to a limited and controlled number of Deloitte staff, namely those who were directly involved in the examination of the comments relating to Valuation 3.

27 The comments transferred to Deloitte were filtered, categorised and aggregated. Where the comments were duplicates of earlier comments, only one version was transmitted to Deloitte. This meant that individual comments that had been duplicated could not be distinguished within a single theme, and Deloitte was unaware whether a comment had been made by one or more participants in the right to be heard process.

28 The comments transferred to Deloitte were solely those that were received during the consultation phase and that bore an alphanumeric code. However, it was only the SRB who was able, via that code, to link the comments to the data, in particular to the identification data of the authors of the comments, received during the registration phase. The alphanumeric code was developed for audit purposes to verify, and if necessary to demonstrate, in legal proceedings, that each comment had been handled and duly considered. Deloitte did not have access to the database of data collected during the registration phase, nor during the right to be heard process, and still did not have access to it on the date on which the judgment under appeal was delivered.

C. The procedure before the EDPS

29 In October and December 2019, the affected shareholders and creditors who had responded to the form submitted five complaints to the EDPS under Regulation 2018/1725. In those complaints, they alleged an infringement of Article 15(1)(d) of that regulation, on the ground that the SRB had failed to inform them that the data collected through the responses on the forms would be transmitted to third parties, namely Deloitte and Banco Santander, in breach of the terms of the privacy statement.

30 Following a procedure in which the SRB provided various explanations at the request of the EDPS and the complainants submitted observations, the EDPS adopted, on 24 June 2020, a decision concerning five complaints submitted by several complainants against the Single Resolution Board (Cases 2019-947, 2019-998, 2019-999, 2019-1000 and 2019-1122) (‘the initial decision’). In that decision, the EDPS found that the SRB had infringed Article 15 of Regulation 2018/1725 because it had failed to inform the complainants, in its privacy statement, that their personal data might be disclosed to Deloitte. As a result, he issued the SRB with a reprimand for that infringement, under Article 58(2)(b) of that regulation.

31 On 22 July 2020, the SRB asked the EDPS to review the original decision under Article 18(1) of the Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the EDPS (OJ 2020 L 204, p. 49). The SRB provided, inter alia, a detailed description of the right to be heard process and of how the comments submitted by four of the identified complainants during the consultation phase had been analysed. It argued that the information transmitted to Deloitte did not constitute personal data within the meaning of Article 3(1) of Regulation 2018/1725.

32 On 5 August 2020, the EDPS informed the SRB that, in the light of new information provided, he had decided to re-examine the original decision and would adopt a decision replacing it.

33 On 24 November 2020, following the review procedure, during which the complainants submitted observations and the SRB provided additional information at the request of the EDPS, the latter adopted the decision at issue.

34 By that decision, the EDPS revised the initial decision in the following terms:

‘1. The EDPS finds that the data the SRB shared with Deloitte were pseudonymous data, both because the comments in [the consultation phase] were personal data and because the SRB shared the alphanumeric code that allows linking the replies given in [the registration phase] with the ones given in [the consultation phase] – notwithstanding the fact that the data provided by the participants to identify themselves in [the registration phase] were not disclosed to Deloitte.

2. The EDPS finds that Deloitte was a recipient of the complainants’ personal data under Article 3(13) of [Regulation 2018/1725]. The fact that Deloitte was not mentioned in SRB’s [privacy statement] as a potential recipient of the personal data collected and processed by the SRB as the controller in the context of the [right to be heard] process constitutes an infringement of the information obligations laid down in Article 15(1)(d) [of Regulation 2018/1725].

3. In light of all the technical and organisational measures set up by the SRB to mitigate the risks for the individuals’ right to data protection in the context of the [right to be heard] process, the EDPS decides not to exercise any of his corrective powers laid down in Article 58(2) of [Regulation 2018/1725].

4. The EDPS nevertheless recommends the SRB to ensure that the data protection notice in future [right to be heard] processes covers the processing of personal data in both the registration phase and the consultation phase, and includes all potential recipients of the information collected, in order to fully comply with the obligation to inform data subjects in accordance with Article 15 [of Regulation 2018/1725].’

III. The procedure before the General Court and the judgment under appeal

35 By application lodged at the Registry of the General Court on 1 September 2020, the SRB brought an action seeking, first, annulment of the decision at issue and, second, a declaration that the initial decision was illegal.

36 In support of the first head of claim, the SRB raised two pleas in law, the first of which alleged infringement of Article 3(1) of Regulation 2018/1725 in so far as the information transmitted to Deloitte did not constitute personal data, and the second alleging infringement of the right to good administration, enshrined in Article 41 of the Charter.

37 By the judgment under appeal, the General Court rejected, on the ground of lack of jurisdiction, the second head of claim seeking a declaration that the initial decision was illegal, in so far as the SRB sought a declaratory judgment and not the annulment of an act.

38 However, the General Court declared the first head of claim admissible. Turning to the substance, it upheld the first plea of the action and annulled the decision at issue without examining the second plea in law.

IV. Procedure before the Court and forms of order sought

39 By decision of the President of the Court of 20 October 2023, the European Commission was granted leave to intervene in support of the SRB. By order of the President of the Court of 29 November 2023, the European Data Protection Board was granted leave to intervene in support of the form of order sought by the EDPS.

40 The EDPS, supported by the European Data Protection Board, asks the Court to:

– set aside the judgment under appeal;

– deliver final judgment on the dispute;

– order the SRB to pay the costs of the appeal proceedings and of the proceedings before the General Court.

41 The SRB, supported by the Commission, contends that the Court should:

– dismiss the appeal;

– in the alternative, annul the decision at issue;

– in the further alternative, refer the case back to the General Court; and

– order the EDPS to pay the costs of the appeal proceedings and of the proceedings before the General Court.

V. The appeal

42 In support of his appeal, the EDPS, supported by the European Data Protection Board, raises two grounds of appeal, the first alleging infringement of Article 3(1) and (6) of Regulation 2018/1725, as interpreted by the Court of Justice, and the second alleging infringement of Article 4(2) and Article 26(1) of that regulation.

A. The first ground of appeal

43 By his first ground of appeal, the EDPS submits, in essence, that, by holding that he had incorrectly concluded, in the decision at issue, that the information at issue in the present case constituted personal data, the General Court erred in law in its interpretation of Article 3(1) and (6) of Regulation 2018/1725. That ground is divided into two parts. The first part concerns the condition, laid down in Article 3(1) of that regulation, that the information ‘relates’ to a natural person, and the second part concerns the condition, laid down in that same provision, relating to the ‘identifiable’ nature of that person.

1. The first part of the first ground of appeal , alleging mis interpretation of the condition, laid down in Article 3(1) of Regulation 2018/1725, that the information must ‘relate’ to a natural person

(a) Arguments of the parties

44 By the first part of the first ground of appeal, the EDPS submits that, contrary to what the General Court held, in paragraphs 60 to 74 of the judgment under appeal, the information transmitted to Deloitte did relate to a natural person within the meaning of Article 3(1) of Regulation 2018/1725.

45 In the first place, the EDPS submits that, contrary to what follows from paragraph 70 of the judgment under appeal, data protection authorities cannot be required to carry out, in all cases, an examination of the content, purpose or effect of information in order to ascertain whether it relates to a natural person. According to the EDPS, such an examination could not, in particular, be required as regards the comments transmitted by the SRB to Deloitte, since, in his view, it was clear that those comments ‘relate to’ a natural person in that they expressed the personal views of some creditors and shareholders of Banco Popular on their potential entitlement to compensation under Article 76(1)(e) of the SRM Regulation.

46 In the second place, contrary to the finding in paragraph 71 of the judgment under appeal, the EDPS maintains that, in order to conclude that the data in question were personal data, he relied not only on the nature of the comments transmitted to Deloitte, but also on the fact that the alphanumeric code had also been transmitted to that company.

47 In the third place, the EDPS claims that the judgment under appeal is marred by a contradiction in so far as the General Court, on the one hand, found in paragraph 7 of that judgment that the very purpose of the comments transmitted to Deloitte was to allow specific natural persons, namely the affected shareholders and creditors, to exercise their right to be heard with a view to potential compensation under Article 76(1)(e) of the SRM Regulation. Contrary to that first finding, the General Court held, on the other hand, in paragraph 73 of that judgment, that the EDPS had relied on presumptions that all the comments transmitted to Deloitte constituted personal data, without demonstrating that they related to natural persons.

48 The SRB, supported by the Commission, contends that that line of argument must be rejected.

49 In the first place, according to the case-law arising from the judgments of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994, paragraphs 34 and 35), and of 4 May 2023, Österreichische Datenschutzbehörde and CRIF (C‑487/21, EU:C:2023:369, paragraphs 23 and 24), objective or subjective information, in the form of opinions and assessments, could constitute personal data provided that that information ‘relates’ to the person in question. In addition, according to that case-law, information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person. Accordingly, the General Court was correct when it held, in paragraphs 70 to 74 of the judgment under appeal, that the EDPS disregarded that case-law when he merely stated that the comments transmitted to Deloitte reflected the opinions or views of the affected shareholders and creditors, therefore without having examined whether, by their content, purpose or effect, those comments were linked to an identifiable person.

50 In the second place, the EDPS’s claim that the nature of those comments as personal data necessarily follows from their purpose constitutes a new factual claim, made for the first time before the appeal court, which is therefore inadmissible. In any event, that claim is ineffective since the EDPS did not examine that point in the decision at issue.

51 As regards, in the third place, the alleged contradiction in the grounds in paragraphs 7 and 73 of the judgment under appeal, the SRB submits that the description in paragraph 7 of that judgment does not contain any information on the content, purpose or effect of the comments transmitted to Deloitte and, therefore, does not contradict the conclusion set out in paragraph 73 of that judgment.

(b) Findings of the Court

52 As a preliminary point, it should be noted that the definition of the concept of ‘personal data’ set out in Article 3(1) of Regulation 2018/1725 is essentially identical to that in Article 4(1) of the GDPR, which itself has a scope that is essentially identical to that set out in Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). In order to ensure uniform and consistent application of EU law, it is therefore necessary to ensure that Article 3(1) of Regulation 2018/1725, Article 4(1) of the GDPR and Article 2(a) of Directive 95/46 are interpreted in the same way (see, to that effect, judgments of 7 March 2024, OC v Commission , C‑479/22 P, EU:C:2024:215, paragraph 43, and of 7 March 2024, IAB Europe , C‑604/22, EU:C:2024:214, paragraph 33 and the case-law cited).

53 Article 3(1) of Regulation 2018/1725 provides that ‘personal data’ is to mean ‘any information relating to an identified or identifiable natural person’.

54 The Court has held that the use of the expression ‘any information’ in the definition of the concept of ‘personal data’ in that provision and in Article 4(1) of the GDPR reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject (judgments of 4 May 2023, Österreichische Datenschutzbehörde and CRIF , C‑487/21, EU:C:2023:369, paragraph 23 and the case-law cited; of 7 March 2024, OC v Commission , C‑479/22 P, EU:C:2024:215, paragraph 45; and of 4 October 2024, Agentsia po vpisvaniyata , C‑200/23, EU:C:2024:827, paragraph 130).

55 Information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person (judgments of 20 December 2017, Nowak , C‑434/16, EU:C:2017:994, paragraph 35; of 7 March 2024, OC v Commission , C‑479/22 P, EU:C:2024:215, paragraph 45; and of 7 March 2024, IAB Europe , C‑604/22, EU:C:2024:214, paragraph 37 and the case-law cited).

56 In the present case, despite the General Court noting, in paragraph 70 of the judgment under appeal, that the EDPS had not examined the content, purpose or effect of the information contained in the comments transmitted to Deloitte, it is nevertheless apparent from paragraphs 71 and 72 of that judgment that the finding that those comments reflected the opinions or views of the data subjects had required that the EDPS first examine the content of those comments. On the basis of that finding, the EDPS concluded that they constituted information relating to those subjects. According to the case-law referred to in paragraph 55 of the present judgment, an examination of the content of information need not necessarily be supplemented by an analysis of the purpose and effects of that information, as indicated by the use of the conjunction ‘or’ linking the various criteria referred to in that case-law.

57 However, in paragraphs 73 and 74 of the judgment under appeal, the General Court held that the EDPS could not classify the information contained in the comments transmitted to Deloitte as personal data solely on the basis of the finding that they were personal opinions or views, but that he should also have examined the content, purpose and effect of the opinions expressed therein, in order to determine whether they were linked to a particular person.

58 That assessment by the General Court misconstrues the particular nature of personal opinions or views which, as an expression of a person’s thinking, are necessarily closely linked to that person.

59 The interpretation adopted in the preceding paragraph is supported by the case-law arising from the judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994), which concerned, inter alia, an examiner’s comments on the written answers of a candidate at a professional examination. In paragraphs 42 to 44 of that judgment, although the Court assessed the content, purpose and effect of those comments in order to find that they constituted information relating to the candidate who was the subject of those comments, it found, in essence, that those comments also related to the examiner who was the author of them, since they expressed the opinion or assessment of that examiner.

60 It follows that the General Court erred in law in holding, in paragraphs 73 and 74 of the judgment under appeal, that the EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte ‘related’, within the meaning of Article 3(1) of Regulation 2018/1725, to the persons who submitted those comments, should have examined the content, purpose or effects of those comments, since it was common ground that they expressed the personal opinion or view of their authors.

61 Accordingly, without it being necessary to examine the arguments summarised in paragraphs 46 and 47 of the present judgment, the first part of the first ground of appeal must be upheld.

2. The second part of the first ground of appeal, alleging a misinterpretation of the condition, laid down in Article 3(1) of Regulation 2018/1725, that the information must relate to an ‘identifiable’ natural person

62 By the second part of the first ground of appeal, the EDPS submits that, in paragraphs 76 to 106 of the judgment under appeal, the General Court incorrectly held that he could not find that the information contained in the comments transmitted to Deloitte related to an ‘identifiable’ natural person, within the meaning of Article 3(1) of Regulation 2018/1725. That part consists of two separate complaints.

(a) The first complaint in the second part of the first ground of appeal

(1) Arguments of the parties

63 First of all, the EDPS recalls that, under Article 3(1) of Regulation 2018/1725, the controller or ‘another person’ must be able to identify a data subject concerned by the information in question. In the absence of any indication as to the person who must be able to carry out that identification, it is sufficient that the data subject can be identified. In the present case, it is not disputed that the comments transmitted to Deloitte, which were available to the SRB, constitute personal data. In addition, it is apparent from Article 3(6) of that regulation, read in conjunction with recital 16 thereof, that pseudonymised data constitute personal data, and that that is the case simply because of the existence of additional information enabling them to be attributed to a particular person.

64 According to the EDPS, the findings in paragraphs 90 and 91 of the judgment under appeal do not take sufficient account of the wording of those provisions and of the distinction between anonymisation and pseudonymisation. In that regard, the European Data Protection Board states that, according to the interpretation adopted by the General Court, personal data change in nature when they are transmitted to an entity outside the controller, which does not have the additional information enabling the data subject to be identified. That interpretation would allow such a controller unduly to remove personal data from the scope of EU law on the protection of such data, even where the processing by the external entity would expose the data subjects to significant risks.

65 Next, the EDPS claims that, by introducing the concept of pseudonymisation, the EU legislature clarified that, in order to exclude personal data from the scope of EU law on the protection of such data, it is not sufficient to separate those data from the additional information enabling the data subject to be identified.

66 Lastly, the EDPS recalls that the concept of personal data must be interpreted broadly, which is, in his view, necessary in order for data protection law to have its practical effect. In so far as the General Court’s interpretation would allow pseudonymised data incorrectly to be regarded as anonymous data, it would be liable to undermine the high level of protection pursued by the EU legislature and required by the Charter. According to the European Data Protection Board, the interpretation adopted by the General Court also entails the risk that pseudonymised data could be processed without restrictions under the GDPR and Regulation 2018/1725, including the sharing, publication and transfer to third countries of those data.

67 The SRB, supported by the Commission, disputes that line of argument.

(2) Findings of the Court

68 The first complaint of the second part of the first ground of appeal is, in essence, based on the consideration that pseudonymised data such as the comments transmitted to Deloitte constitute, in all cases, personal data solely because of the existence of information enabling the data subject to be identified, without it being necessary to examine specifically whether, despite pseudonymisation, the person to whom those data relate is identifiable.

69 In that regard, it must be borne in mind that, under Article 3(1) of Regulation 2018/1725, information must relate to an ‘identified or identifiable’ natural person in order to be classified as personal data within the meaning of that provision. Accordingly, the application of that regulation presupposes, in principle, an examination of whether the data subject is identified or identifiable by the information in question.

70 That interpretation is borne out by the fifth and sixth sentences of recital 16 of Regulation 2018/1725, according to which the definition of the concept of ‘personal data’ does not include ‘anonymous information, namely information which does not relate to an identified or identifiable natural person’, or to ‘personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’ (see, by analogy, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras , C‑683/21, EU:C:2023:949, paragraph 57).

71 As regards, specifically, pseudonymised data, the Court notes, in the first place, that those data are not mentioned in the legislative definition of the concept of ‘personal data’ in Article 3(1) of Regulation 2018/1725, but that their characteristics are apparent from Article 3(6) of that regulation. The latter provision defines the concept of ‘pseudonymisation’ as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.

72 As the Advocate General observed, in essence, in points 46 and 48 of his Opinion, pseudonymisation is therefore not part of the definition of ‘personal data’, but refers to the establishment of technical and organisational measures to reduce the risk of a data set being correlated with the identity of data subjects. According to recital 17 of that regulation, pseudonymisation ‘can [only] reduce the risks’ of such correlation for those data subjects and, in doing so, ‘help controllers and processors to meet their data protection obligations’.

73 In the second place, it is apparent from the wording of Article 3(6) of Regulation 2018/1725 that the concept of ‘pseudonymisation’ presupposes the existence of information enabling the data subject to be identified. The very existence of such information precludes data that have undergone pseudonymisation from being regarded, in all cases, as anonymous data, which is excluded from the scope of that regulation.

74 The fact remains that, in the third place, the requirement that the identifying information be kept separately and that it be subject to technical and organisational measures ‘to ensure that the personal data are not attributed to an identified or identifiable natural person’, laid down in Article 3(6) of that regulation, indicates that the objective of pseudonymisation is, among other things, to prevent the data subject from being identified solely by means of pseudonymised data.

75 Accordingly, provided that such technical and organisational measures are actually put in place and are such as to prevent the data in question from being attributed to the data subject, in such a way that the data subject is not or is no longer identifiable, pseudonymisation may have an impact on whether or not those data are personal within the meaning of Article 3(1) of Regulation 2018/1725.

76 In that regard, the Court notes that, as is usually the case for controllers who have pseudonymised data, the SRB does, in the present case, have additional information enabling the comments transmitted to Deloitte to be attributed to the data subject, with the result that, in its view, those comments are, in spite of pseudonymisation, still personal in nature.

77 As regards Deloitte, to which the SRB transmitted pseudonymised comments, the technical and organisational measures referred to in Article 3(6) of Regulation 2018/1725 may, as the SRB essentially submits, have the effect that, for that company, those comments are not personal in nature. However, that presupposes, first, that Deloitte is not in a position to lift those measures during any processing of the comments which is carried out under its control. Second, those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable.

78 That interpretation is borne out by recital 16 of Regulation 2018/1725 which, after setting out, in its first sentence, that ‘the principles of data protection should apply to any information concerning an identified or identifiable natural person’, states, in its second sentence, that ‘personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person’.

79 Accordingly, following those statements relating to personal data and pseudonymised data, the third sentence of that recital specifies that, in order to determine whether a natural person is identifiable, account should be taken of ‘all the means reasonably likely’ to be used by the controller or by ‘another person’ to identify the natural person ‘directly or indirectly’. In addition, the fourth sentence of that recital sets out that, to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of ‘all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments’.

80 As the Advocate General observed, in essence, in point 51 of his Opinion, those clarifications relating to the assessment of whether or not the data subject is identifiable would be deprived of any practical effect if pseudonymised data were to be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725.

81 In that regard, the Court notes that, as regards a press release which contained a certain number of statements relating to a person without naming him or her, the Court of Justice did not confine itself, in its judgment of 7 March 2024, OC v Commission (C‑479/22 P, EU:C:2024:215, paragraphs 52 to 64), to finding that the EU body which published that press release had all the information enabling that person to be identified, but examined whether the statements contained in that press release reasonably enabled the public concerned to identify that person, in particular by combining those statements with information available on the internet.

82 In addition, the Court has previously held that a means of identifying the data subject is not reasonably likely to be used where the risk of identification appears in reality to be insignificant, in that the identification of that data subject is prohibited by law or impossible in practice, for example because it would involve a disproportionate effort in terms of time, cost and labour (see, to that effect, judgment of 7 March 2024, OC v Commission , C‑479/22 P, EU:C:2024:215, paragraph 51 and the case-law cited). That case-law bears out the interpretation that the existence of additional information enabling the data subject to be identified does not, in itself, mean that pseudonymised data must be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725.

83 In the same vein, the Court has, in essence, held, in particular in the judgments of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779, paragraphs 44, 47 and 48), and of 7 March 2024, IAB Europe (C‑604/22, EU:C:2024:214, paragraphs 43 and 48), that data that are inherently impersonal and have been collected and retained by the controller were nevertheless connected to an identifiable person, since the controller had legal means of obtaining additional information from another person making it possible to identify the data subject. In such circumstances, the fact that the information enabling the data subject to be identified was in the hands of other people did not actually to prevent that subject from being identified in such a way that the subject was not identifiable for the controller.

84 Above all, according to the case-law arising from the judgment of 9 November 2023, Gesamtverband Autoteile-Handel (Access to vehicle information) (C‑319/22, EU:C:2023:837, paragraphs 46 and 49), data which are in themselves impersonal may become ‘personal’ in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified. It is apparent, in particular, from the latter judgment that – where those data are put at their disposal – those data are personal data both for those persons and, indirectly, for the controller.

85 Consequently, in the light of the case-law referred to in the preceding paragraph, the EDPS is incorrect in so far as he submits that the fact that pseudonymised data are not, as the case may be, personal in nature for persons to whom the controller transfers the pseudonymised data makes it unduly possible to remove those data from the scope of EU law on the protection of personal data. According to that case-law, that fact has no bearing on the assessment of the personal nature of those data in the context, inter alia, of a potential subsequent transfer of those data to third parties. Accordingly, in so far as it cannot be ruled out that those third parties have means reasonably allowing them to attribute pseudonymised data to the data subject, such as cross-checking with other data at their disposal, the data subject must be regarded as identifiable as regards both that transfer and any subsequent processing of those data by those third parties. In such circumstances, pseudonymised data should be considered to be personal in nature.

86 It follows that, contrary to what the EDPS maintains, pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725, in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.

87 That interpretation is not called into question by the fact relied on by the EDPS that the fourth sentence of recital 16 of Regulation 2018/1725 refers to the controller or ‘another person’. It follows from the very wording of that sentence, recalled in paragraph 79 of the present judgment, that it refers only to persons who have or may have access to the means reasonably likely to be used for the purposes of identifying the data subject. As has been noted in paragraphs 75 to 77 of the present judgment, pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.

88 As regards the EDPS’s argument based on the objective of ensuring a high level of protection of personal data, although the wording of Article 3(1) of Regulation 2018/1725 reflects the EU legislature’s objective of attributing a broad meaning to the concept of ‘personal data’, that concept is not unlimited since that provision requires, inter alia, that the data subject be identified or identifiable.

89 In particular, as the Advocate General observed in point 58 of his Opinion, Regulation 2018/1725 contains obligations, such as the obligation to provide information to the data subject laid down in Article 15 of that regulation, compliance with which requires the data subject to be identified. Such obligations cannot be imposed on an entity which is in no way in a position to carry out that identification.

90 Consequently, the first complaint in the second part of the first ground must be rejected as unfounded.

(b) The second complaint in the second part of the first ground of appeal

(1) Arguments of the parties

91 By the second complaint in the second part of the first ground of appeal, the EDPS submits that the General Court disregarded the case-law arising from the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779).

92 In the first place, the General Court disregarded the objective nature of the condition relating to the ‘identifiable’ nature of the data subject, by holding, in paragraphs 97, 99 and 100 of the judgment under appeal, in particular, that the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data. According to the EDPS, it follows from paragraphs 47 and 48 of the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), that the mere existence of legal channels potentially enabling identification of the data subject is sufficient to conclude that that data subject is identifiable. In the present case, the SRB was, he alleges, in a position to identify the data subjects, a fact of which the General Court did not take sufficient account when applying the case-law arising from that judgment.

93 In the second place, the EDPS submits that, in that judgment, whether or not the data subject was identifiable was assessed from the perspective of the controller, in the absence of any relationship between that controller and the entities holding the additional information enabling that person to be identified. By contrast, in the present case, Deloitte is not the controller and is, moreover, bound by a contract to the SRB. In view of those differences, the EDPS considers that he was not required to carry out a full assessment of the means reasonably likely to enable Deloitte to identify the data subjects.

94 In any event, even if he were nevertheless required to assess whether Deloitte was in a position to identify the authors of the comments which had been transmitted to it, the EDPS maintains that there was nothing to prevent Deloitte from identifying them.

95 The SRB, supported by the Commission, disputes that line of argument.

96 In the first place, in paragraphs 96, 97 and 100 of the judgment under appeal, in particular, the General Court correctly relied on an approach according to which the identifiable nature of the data subject must be examined in relation to each person and each controller concerned who processes the relevant information. In the context of the obligation to provide information laid down in Article 15(1)(d) of Regulation 2018/1725, that examination should be viewed from the perspective of the recipient of the information at issue.

97 In the second place, the SRB submits that the line of argument based on the alleged differences between the present case and that which led to the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), is inadmissible. It claims that that line of argument calls into question the General Court’s findings of fact in paragraphs 94 and 95 of the judgment under appeal that Deloitte did not have access to the identifying information necessary to identify the complainants.

(2) Findings of the Court

98 In paragraphs 97 to 100 of the judgment under appeal, in particular, the General Court held, in essence, that, in accordance with the case-law arising from the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data. In reaching that finding, the General Court noted, inter alia, that the infringement of Article 15(1)(d) of Regulation 2018/1725, established in the decision at issue, concerned the transfer by the SRB of those comments to Deloitte and not solely the fact that they were held by the SRB.

99 As a preliminary point, the Court notes that Article 3(1) of Regulation 2018/1725 does not expressly specify the relevant perspective for assessing the identifiable nature of the data subject, whereas recital 16 of that regulation refers, without distinction, to the ‘controller’ or ‘another person’. In addition, it is settled case-law that, for information to be treated as ‘personal data’, it is not required that all the information enabling the identification of the data subject must be in the hands of one person (see, to that effect, judgments of 19 October 2016, Breyer , C‑582/14, EU:C:2016:779, paragraph 43, and of 7 March 2024, OC v Commission , C‑479/22 P, EU:C:2024:215, paragraph 48).

100 According to the case-law resulting, inter alia, from the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), recalled in paragraphs 81 to 84 of the present judgment, the relevant perspective for assessing whether the data subject is identifiable depends, in essence, on the circumstances of the processing of the data in each individual case.

101 In the present case, the Court recalls that, in the decision at issue, the EDPS found that, by failing to mention Deloitte as a potential recipient of the comments in the privacy statement set out at the time when they were collected, the SRB had failed to fulfil its obligation to provide information under Article 15(1)(d) of Regulation 2018/1725.

102 Article 15(1) of that regulation determines the information which the controller must provide to the data subject, where personal data are collected from the data subject, while specifying that that information must be provided to the data subject ‘at the time when personal data are obtained’. It follows from the very wording of that provision that that information must be provided by the controller immediately, that is to say, when those data are collected (see, by analogy, judgment of 29 July 2019, Fashion ID , C‑40/17, EU:C:2019:629, paragraph 104 and the case-law cited).

103 As regards, specifically, the information relating to the potential recipients of the personal data, referred to in Article 15(1)(d) of that regulation, that is information to be provided, among others, when the data are collected from the data subject.

104 Article 14(1) of Regulation 2018/1725 provides that the controller is to take appropriate measures to ensure, in particular, that the information referred to, inter alia, in Article 15 of that regulation is provided to the data subject in a concise, transparent, comprehensible, and easily accessible form, and is formulated in clear and plain language to enable the data subject to understand fully the information sent to him or her (see, by analogy, judgments of 4 May 2023, Österreichische Datenschutzbehörde and CRIF , C‑487/21, EU:C:2023:369, paragraph 38, and of 11 July 2024, Meta Platforms Ireland (Representative action) , C‑757/22, EU:C:2024:598, paragraphs 55 and 56).

105 The importance of compliance with such an information obligation is confirmed by recital 35 of Regulation 2018/1725, the first and second sentences of which state that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes, it being stressed that the controller should also provide any other information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed, as is provided for in Article 15(2) of that regulation (see, by analogy, judgment of 11 July 2024, Meta Platforms Ireland (Representative action) , C‑757/22, EU:C:2024:598, paragraph 57 and the case-law cited).

106 Thus, where the collection of such data from the data subject is – as, in the present case, in the context of the procedure relating to the right to be heard – based on that data subject’s consent, the validity of the consent given by that data subject depends, inter alia, on whether that data subject has previously obtained the information in the light of all the circumstances surrounding the processing of the data in question to which he or she was entitled, under Article 15 of Regulation 2018/1725, and which allow him or her to give consent in full knowledge of the facts (see, by analogy, judgment of 11 July 2024, Meta Platforms Ireland (Representative action) , C‑757/22, EU:C:2024:598, paragraph 60 and the case-law).

107 Moreover, as regards a situation in which there is an obligation incumbent on the data subject to provide personal data to the controller, recital 35 of that regulation specifies, in the fourth sentence, that the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data; that bears out the importance of the information required under Article 15 of that regulation, specifically at the moment that those data are collected from the data subject.

108 In those circumstances, it appears that one of the purposes of the obligation to provide the data subject – at the time of collection of the personal data linked to him or her – with information relating to the potential recipients of those data is to enable that data subject to decide, in full knowledge of the facts, whether to provide or, on the contrary, refuse to provide the personal data being collected from him or her.

109 The Court adds that, as the Commission maintained, in essence, at the hearing, the information relating to potential recipients is indeed also essential in order for the data subject to be able to defend his or her rights against those recipients subsequently. However, the obligation to provide that information at the time of the collection of personal data ensures, inter alia, that those data are not collected by the controller against the will of the data subject, or even transferred to third parties against his or her will.

110 It follows that, as the Advocate General observed in point 69 of his Opinion, the obligation to provide information laid down in Article 15(1)(d) of Regulation 2018/1725 is part of the legal relationship between the data subject and the controller and, therefore, it concerns the information in relation to that data subject as it was transmitted to that controller, thus before any potential transfer to a third party.

111 Accordingly, it must be held that, for the purposes of applying the obligation to provide information laid down in Article 15(1)(d) of Regulation 2018/1725, the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller.

112 It follows that, as the Advocate General observed, in essence, in point 79 of his Opinion, the SRB’s obligation to provide information was applicable in the present case prior to the transfer of the data at issue and irrespective of whether or not those data were personal data, from Deloitte’s point of view, after any potential pseudonymisation.

113 That interpretation is not called into question by the SRB’s argument based on the wording of Article 15(1)(d) of Regulation 2018/1725, which refers to the ‘recipients … of the personal data’. Accordingly, as is apparent from paragraphs 102 to 108 of the present judgment, that provision governs the controller’s obligation to provide information at the time when such data are collected. The question whether the controller has, at that time, met its obligation to provide information cannot depend on possibilities of identifying the data subject, which may, where appropriate, be open to any recipient after a subsequent transfer of the data in question.

114 As the Advocate General observed, in essence, in point 77 of his Opinion, the SRB’s line of argument that it is necessary to put oneself in the recipient’s position in order to review compliance with that obligation to provide information would have the effect of shifting the timing of that review. In so far as that review necessarily relates to personal data already transferred to the recipient, that line of argument also disregards the purpose of the obligation to provide information, which is intrinsically linked to the relationship between the controller and the data subject.

115 Accordingly, the General Court erred in law in holding, in paragraphs 97, 98, 100, 101 and 103 to 105 of the judgment under appeal, that, in order to assess whether the SRB had complied with its obligation to provide information under Article 15(1)(d) of Regulation 2018/1725, the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data.

116 It follows that, without there being any need to examine the EDPS’s arguments summarised in paragraphs 93 and 94 of the present judgment, the second complaint in the second part of the first ground of appeal must be upheld.

B. The second ground of appeal

117 Since the first part and the second complaint of the second part of the first ground of appeal are well founded, there is no need to examine the EDPS’s second ground of appeal, alleging infringement of Article 4(2) and Article 26(1) of Regulation 2018/1725.

118 Since the first ground of appeal has thus been upheld, the judgment under appeal must be set aside.

VI. The action before the General Court

119 In accordance with the second sentence of the first paragraph of Article 61 of the Statute of the Court of Justice of the European Union, if the decision of the General Court is set aside, the Court of Justice may itself give final judgment in a matter, where the state of the proceedings so permits.

120 In the present case, the state of the proceedings permits final judgment to be given as regards the first plea in law of the action, alleging infringement by the EDPS of Article 3(1) of Regulation 2018/1725, in so far as the information transmitted to Deloitte did not constitute personal data. In the light of the findings in paragraphs 58 to 60 of the present judgment, the EDPS was entitled, first, to find, without erring in law, that the comments transmitted to Deloitte constituted information relating to natural persons, namely the authors of those comments. Second, as was held in paragraph 111 of this judgment, in the context of the application of the obligation to provide information laid down in Article 15(1)(d) of that regulation, the identifiable nature of the data subject must be assessed by putting oneself in the controller’s position. It is not disputed between the parties that the SRB had, as controller, all the information necessary to identify the authors of those comments. It follows from the foregoing that, contrary to the SRB’s contention, the information at issue constitutes personal data. Consequently, the first plea must therefore be rejected as unfounded.

121 By contrast, the state of the proceedings does not permit final judgment to be given on the second plea in law, since that plea involves factual assessments which were not made by the General Court.

122 Consequently, the case must be referred back to the General Court so that the second plea in law can be examined.

VII. Costs

123 As the case is to be referred back to the General Court, it is appropriate to reserve the costs relating to the appeal.

On those grounds, the Court (First Chamber) hereby:

1. Sets aside the judgment of the General Court of the European Union of 26 April 2023, SRB v EDPS (T ‑ 557/20, EU:T:2023:219);

2. Refers Case T ‑ 557/20 back to the General Court of the European Union;

3. Reserves the costs.

Biltgen

von Danwitz

Kumin

Ziemele

Gervasoni

Delivered in open court in Luxembourg on 4 September 2025.

A. Calot Escobar

F. Biltgen

Registrar

President of the Chamber

* Language of the case: English.