Privacy statement for the ECB’s whistleblowing platform
Legal framework for data protection applicable to the ECB
All personal data is processed in accordance with EU data protection law, namely Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
What data does the ECB collect and how is it collected?
The ECB collects sensitive information and personal data relating to individuals reporting a suspected breach of relevant European Union law. The ECB also collects sensitive information and personal data relating to individuals alleged to have committed a breach, as well as other parties involved who are mentioned in breach reports submitted via the whistleblowing platform. The ECB also processes the data of any individuals working for it, or for a national competent authority (national supervisor), as well as the data of any other individuals mentioned in a breach report or in a resulting case file. If the ECB finds that these individuals have no relevance to the case, it will no longer process their data.
Because it is possible to anonymously report breaches of relevant EU law via the whistleblowing platform, individuals reporting a suspected breach are in no way obliged to disclose their personal data. However, it is not possible to rule out the possibility that, during the process of investigating a report, the ECB may receive information containing identification data (including an individual’s name and surname, date of birth, birthplace, address, telephone number, fax number, email address and IP address), professional data (including an individual’s profession, employer and function) or financial data (including salary statements, bank accounts and securities portfolios).
Who is responsible for processing personal data collected via the whistleblowing platform?
The ECB is the controller for the processing of personal data collected via the whistleblowing platform, and the ECB’s Enforcement and Sanctions Division is the organisational unit responsible for processing these data.
Information submitted to the whistleblowing platform is also processed externally on behalf of the ECB by the secure third-party provider EQS Group AG. EQS Group AG does not have access to the content of submissions.
Why, and on what legal basis, does the ECB process personal data?
The ECB has developed its whistleblowing platform for use by anyone who, acting in good faith, has reasonable grounds to believe that a supervised entity or a competent authority (a national supervisor, also referred to as national competent authority, or the ECB) has breached the legal acts referred to in Article 4(3) of Council Regulation (EU) No 1024/2013 (the SSM Regulation) and wishes to submit relevant information to the ECB.
Personal data are collected and processed in line with Article 5(1)(a) of Regulation 2018/1725 by the Enforcement and Sanctions Division and EQS Group AG.
Who has access to the information submitted and who is it disclosed to?
Information submitted via the whistleblowing platform is processed externally on behalf of the ECB by EQS Group AG, a third-party provider. Information submitted via the whistleblowing platform is processed via a cloud storage system with servers located in Germany. Only ECB users have access to the information submitted.
Within the ECB, the Enforcement and Sanctions Division is responsible for handling reports submitted via the whistleblowing platform, and its members are bound by a strict confidentiality regime. The Enforcement and Sanctions Division decides whether to forward information to competent business areas within the ECB and/or to competent authorities (national supervisors) under the SSM Regulation.
The ECB’s intent in providing the whistleblowing platform is only to receive information concerning breaches of relevant European Union law committed by a supervised bank, national supervisor or the ECB itself.
If the ECB receives reports related to breaches of relevant EU law, the information will be forwarded to the competent business area within the ECB and/or to national supervisors. However, such reports are treated by the ECB as “protected reports”. This means that the ECB will not reveal the identity or personal data of any person or persons responsible for submitting a protected report via the whistleblowing platform without first obtaining their explicit consent – unless such a disclosure is required by a court order in the context of further investigations or subsequent judicial proceedings.
If the ECB receives reports unrelated to breaches of relevant EU law but which nevertheless concern other tasks of the ECB, the information will be forwarded to the competent business area within the ECB. The ECB’s general data protection standards will apply.
If the ECB receives reports that it determines are related to breaches of provisions of non-relevant EU law (e.g. anti-money laundering and combatting the financing of terrorism, consumer protection or the supervision of payment services) and which do not concern other tasks of the ECB, it will delete the personal data received without forwarding any information. The ECB’s general data protection standards will apply.
However, breaches of provisions of non-relevant EU law may reveal breaches of prudential requirements. For example, breaches of anti-money laundering and combatting the financing of terrorism (AML/CFT) provisions can be symptoms of unsound governance and internal control mechanisms, the structure of which is laid out in rules related to the prudential supervision of credit institutions. Therefore such reports can be treated by the ECB as “protected reports” related to breaches of relevant EU law on a case-by-case basis, and the information is forwarded to the competent business areas within the ECB and/or to national supervisors under the SSM Regulation.
In addition, information received from breach reports may be forwarded by the ECB to national authorities responsible for anti-money laundering if (i) the reports contain information that is relevant and necessary for the performance of the tasks of such authorities as foreseen by the Multilateral Agreement on the practical modalities for exchange of information between the ECB and AML/CFT competent authorities and (ii) the information relates to a supervised entity’s internal system and controls.
How long does the ECB keep personal data submitted via the whistleblowing platform?
After a case file has been closed, all relevant personal data will be stored for a set retention period as outlined below.
If a report received by the ECB is considered relevant to the ECB’s supervisory tasks, the data will be stored for five years. If a report is not considered relevant to the ECB’s supervisory tasks, but nevertheless concerns the ECB’s other tasks, the data will be stored for twelve months. If the ECB decides that a report is not relevant to any of the ECB’s tasks, the data will be stored for three months.
Transfer of personal data to non-EU countries
The ECB is party to various cooperation agreements and will continue to enter into arrangements of this type with other authorities or international organisations. These organisations may request personal data from whistleblowing case files on reported breaches of EU law. In such cases the ECB is required to comply with specific rules on the transfer of personal data to recipients located in non-EU countries, where EU data protection law does not apply. These rules are set out in Chapter V of the Data Protection Regulation.
You have the right to access and rectify your personal data, to restrict or object to the processing of your data and, under certain conditions, to ask for your data to be deleted. You can exercise your rights by contacting the following address:
European Central Bank
Directorate General SSM Governance and Operations – Enforcement and Sanctions Division
You also have the right to contact the European Data Protection Supervisor at any time about the processing of your personal data.
You can contact the ECB’s Data Protection Officer (firstname.lastname@example.org) if you have any questions about the processing of your personal data or your rights.