All personal data is processed in accordance with EU data protection law, namely Regulation (EU) of the European Parliament and of the Council of 13 September 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No. 45/2001 and Decision No 1247/2001 (the Data Protection Regulation, not yet published in the Official Journal).
The ECB collects sensitive information and personal data relating to individuals reporting a suspected breach and individuals alleged to have committed a breach, as well as other parties involved who are mentioned in reports submitted via the breach reporting mechanism (BRM). The ECB also processes the data of any individuals working for it or for a national competent authority, as well as the data of any other individuals mentioned in a breach report or in a resulting case file. If the ECB finds that these individuals have no relevance to the case, it will no longer process their data.
As it is possible to submit reports via the BRM without providing a name, individuals reporting a suspected breach are in no way obliged to disclose their personal data. However, during the process, it is not possible to rule out that the ECB may receive reports containing identification data (including an individual’s name and surname, date of birth, birthplace, address, telephone number, fax number, email address and IP address), professional data (including an individual’s profession, employer and function) or financial data (including salary statements, bank accounts and securities portfolios) for a variety of individuals.
The ECB is the controller for the processing of personal data, and the Enforcement Section within the Enforcement and Sanctions Division is the organisational unit responsible for processing these data.
The ECB has developed its BRM for use by anyone who, acting in good faith, has reasonable grounds to believe that a supervised entity or competent authority has breached the legal acts referred to in Article 4(3) of Council Regulation (EU) No 1024/2013 (the SSM Regulation) and wishes to submit relevant information to the ECB.
After a case file has been closed, all relevant personal data will be stored for a set retention period. If a report received by the ECB is considered relevant to the ECB’s supervisory tasks, the data will be stored for five years. If a report is not considered relevant to the ECB’s supervisory tasks but concerns the ECB’s other tasks, the data will be stored for twelve months. If the ECB decides that a report is not relevant to any of its tasks, the data will be deleted within three months.
The ECB is party to various cooperation agreements and will continue to enter into arrangements of this type with other authorities or international organisations, which could then request personal data from BRM case files. In such cases, the ECB is required to comply with specific rules on the transfer of personal data to recipients located in non-EU countries, where EU data protection law does not apply. These rules are set out in Chapter V of the Data Protection Regulation.
You have the right to access and rectify your personal data, to restrict or object to the processing of your data and, under certain conditions, to ask for your data to be deleted. You can exercise your rights by contacting the Enforcement Section at the following address:
European Central Bank
DG/SSB/ESA/EN – Enforcement Section
Breach reporting mechanism
You also have the right to contact the European Data Protection Supervisor at any time about the processing of your personal data.
If you have any questions about the processing of your personal data or your rights, you can contact the ECB’s Data Protection Officer (email@example.com).