Privacy statement for the breach reporting/whistleblowing mechanism

Legal framework for data protection applicable to the ECB

All personal data is processed in accordance with EU data protection law, namely Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, and on the free movement of such data, and repealing Regulation (EC) No. 45/2001 and Decision No 1247/2002/EC.

What data does the ECB collect and how?

The ECB collects sensitive information and personal data relating to individuals reporting a suspected breach and individuals alleged to have committed a breach, as well as other parties involved who are mentioned in reports submitted via the breach reporting/whistleblowing mechanism. The ECB also processes the data of any individuals working for it or for a national competent authority, as well as the data of any other individuals mentioned in a breach report or in a resulting case file. If the ECB finds that these individuals have no relevance to the case, it will no longer process their data.

As it is possible to submit whistleblowing reports via the breach reporting/whistleblowing mechanism without providing a name, individuals reporting a suspected breach are in no way obliged to disclose their personal data. However, during the process, it is not possible to rule out that the ECB may receive reports containing identification data (including an individual’s name and surname, date of birth, birthplace, address, telephone number, fax number, email address and IP address), professional data (including an individual’s profession, employer and function) or financial data (including salary statements, bank accounts and securities portfolios) for a variety of individuals.

Who is responsible for processing personal data?

The ECB is the controller for the processing of personal data, and the Enforcement Section within the Enforcement and Sanctions Division is the organisational unit responsible for processing these data.

The EQS Group AG is the processor for the processing of personal data.

Why, and on what legal basis, do we process personal data?

The ECB has developed its breach reporting/whistleblowing mechanism for use by anyone who, acting in good faith, has reasonable grounds to believe that a supervised entity or competent authority has breached the legal acts referred to in Article 4(3) of Council Regulation (EU) No 1024/2013 (the SSM Regulation) and wishes to submit relevant information to the ECB.

Personal data are collected and processed in line with Article 5(1)(a) of Regulation 2018/1725 by the Enforcement Section and Sanctions Division and the EQS Group AG.

Who has access to the information submitted and who is it disclosed to?

The information submitted to the secure external platform is processed on behalf of the ECB by the external provider EQS Group AG. Information that the informant/whistleblower enters online is submitted to a cloud. The servers are located in Germany, and the ECB’s users are the only persons who have access to the information provided by informants/whistleblowers.

By providing the breach reporting/whistleblowing mechanism, the ECB aims to receive only information on breaches of relevant European Union law committed by supervised entities or competent authorities. Such reports are treated by the ECB as protected reports. This means that the special protection regime outlined in this privacy statement applies.

Within the ECB, the Enforcement Section deals with whistleblowing reports, and its members are bound by a strict confidentiality regime. The Enforcement Section decides on forwarding information to competent business areas within the ECB and/or to competent authorities (national supervisors) under the SSM Regulation.

Regarding protected reports, the ECB will not reveal the identity of an informant/whistleblower or transfer her/his personal data without first obtaining her/his explicit consent, unless such a disclosure is required by a court order in the context of further investigations or subsequent judicial proceedings.

If the ECB receives information that does not relate to breaches of relevant EU law but concerns other tasks of the ECB, the report will be forwarded to the competent business area within the ECB.

If the ECB receives a report that it determines is not relevant (e.g. one concerning consumer protection), this report does not fall under the special protection regime outlined in this privacy statement.

How long do we keep personal data?

After a case file has been closed, all relevant personal data will be stored for a set retention period. If a report received by the ECB is considered relevant to the ECB’s supervisory tasks, the data will be stored for five years. If a report is not considered relevant to the ECB’s supervisory tasks but concerns the ECB’s other tasks, the data will be stored for twelve months. If the ECB decides that a report is not relevant to any of its tasks, the data will be deleted within three months.

Transfer of personal data to non-EU countries

The ECB is party to various cooperation agreements and will continue to enter into arrangements of this type with other authorities or international organisations, which could then request personal data from breach reporting/whistleblowing mechanism case files. In such cases, the ECB is required to comply with specific rules on the transfer of personal data to recipients located in non-EU countries, where EU data protection law does not apply. These rules are set out in Chapter V of the Data Protection Regulation.

Your rights

You have the right to access and rectify your personal data, to restrict or object to the processing of your data and, under certain conditions, to ask for your data to be deleted. You can exercise your rights by contacting the Enforcement Section at the following address:

European Central Bank

DG/SSB/ESA/EN – Enforcement Section

Breach reporting/whistleblowing mechanism

60640 Frankfurt

You also have the right to contact the European Data Protection Supervisor at any time about the processing of your personal data.

Further information

If you have any questions about the processing of your personal data or your rights, you can contact the ECB’s Data Protection Officer (dpo@ecb.europa.eu).