Banking Supervision
Banking Supervision
Search
Search Options
Home Media Explainers Research & Publications Statistics Monetary Policy The €uro Payments & Markets Careers
Suggestions
Sort by

Privacy statement for the processing of personal data in the context of prudential supervision under the Single Supervisory Mechanism

The ECB processes personal data in the context of its prudential supervisory tasks, responsibilities and powers. This privacy statement explains how the ECB handles personal data within the general framework of its prudential supervisory activities.

This page also provides details of the personal data that are processed by the ECB in the context of authorisation procedures. That information can be found by clicking on the relevant procedure (licensing, qualifying holdings, fit and proper assessments, right of establishment, or withdrawal of authorisation) in the lists below.

What is our legal framework?

Council Regulation (EU) No 1024/2013 confers specific tasks on the European Central Bank (ECB) concerning policies relating to the prudential supervision of credit institutions on the basis of Article 127(6) of the Treaty on the Functioning of the European Union (TFEU).

For prudential supervisory purposes, the ECB has been entrusted with the specific tasks referred to in Article 4 of the SSM Regulation, within the framework of Article 6 of that Regulation, in relation to credit institutions established in (i) EU Member States whose currency is the euro and (ii) EU Member States whose currency is not the euro which have entered into close cooperation with the ECB in accordance with Article 7 of the SSM Regulation (the participating Member States). Regulation (EU) No 468/2014 (the SSM Framework Regulation) lays down rules and procedures governing cooperation between the ECB and the national competent authorities (NCAs) of the participating Member States.

As the ECB may collect and further process personal data in carrying out its supervisory tasks under the SSM Regulation, it is subject to EU data protection law - i.e Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39-98).

Why do we process personal data?

The ECB collects and further processes personal data for the purposes of performing and exercising the prudential supervisory tasks, responsibilities and powers conferred upon it by the SSM Regulation (particularly Articles 4, 5, 6, 7, 8 and 18 of that Regulation). This covers a wide range of activities, including the following:

  • authorisation procedures:
    Licensing

    Under Article 4(1)(a) of the SSM Regulation, the ECB is exclusively competent to grant authorisation to take up the business of a credit institution in a participating Member State, subject to Article 14 of that Regulation. In this context, the ECB is tasked with ascertaining that entrants to the banking market are robust and comply with national and Union law. The ECB focuses, in particular, on applicant banks’ capital levels, their programme of operations, their structural organisation and the suitability of their managers and relevant shareholders. The requested personal data are thus necessary in order to assess the criteria for granting authorisation to take up the business of a credit institution.

    Qualifying holdings

    Under Article 4(1)(c) of the SSM Regulation, the ECB is exclusively competent to assess notifications indicating the acquisition of qualifying holdings in credit institutions in participating Member States, subject to Article 15 of that Regulation. The ECB decides whether to oppose such acquisitions on the basis of the assessment criteria set out in relevant Union and/or national law in accordance with the procedures and assessment periods set out therein. The requested personal data are thus necessary in order to assess the criteria for allowing the acquisition of qualifying holdings in credit institutions. Under Article 23(1)(a) to (e) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013, the following criteria must be assessed in order to determine the suitability of the proposed acquirer and the financial soundness of the proposed acquisition:

    • the reputation and financial soundness of the proposed acquirer;
    • the fitness and propriety of any member of the management body and any member of senior management who will direct the business of the target credit institution as a result of the proposed acquisition;
    • whether the target credit institution will continue to comply with its prudential requirements;
    • whether there are reasonable grounds for suspecting that, in connection with the proposed acquisition, money laundering or terrorist financing is being or has been committed or attempted, or that the proposed acquisition could increase the risk thereof.
    Fit and proper assessments

    Under Article 4(1)(e) of the SSM Regulation, the ECB must ensure compliance with relevant Union law requiring credit institutions to have in place robust governance arrangements, including fit and proper requirements for persons responsible for the management of credit institutions. Thus, personal data are collected and processed for the purpose of assessing whether the persons responsible for the management of significant credit institutions satisfy those fit and proper requirements. The five criteria that are assessed in this regard concern the following: (i) the person’s experience; (ii) their reputation; (iii) conflicts of interest and independence of mind; (iv) the person’s time commitment to the institution in question; and (v) the collective suitability of the board as a whole.

    Withdrawal of authorisation

    Under Articles 4(1)(a) and 6(4) of the SSM Regulation, the ECB is exclusively competent to withdraw authorisations to pursue the business of a credit institution in a participating Member State, subject to Article 14 of that Regulation, in order to ensure that only credit institutions with (i) a sound economic basis, (ii) organisational arrangements that are capable of dealing with the specific risks inherent in deposit taking and the provision of credit and (iii) suitable directors carry out the activities of credit institutions. The requested personal data are thus necessary in order to assess whether the criteria for granting authorisation to pursue the business of a credit institution continue to be met.

    Right of establishment in another participating Member State

    Credit institutions established in participating Member States may exercise the right of establishment within the territory of another participating Member State. NCAs are required to inform the ECB (by means of the procedures set out in the SSM Framework Regulation) about all the information that significant credit institutions provide to them under Article 35(2) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 (including, among other things, information on the persons who are set to be responsible for the management of the proposed branch and its key functions). All required personal data, as referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council, is necessary so that the ECB can assess the suitability of the persons who are set to be responsible for the management or key functions of the proposed branch. In addition, NCAs also notify the ECB about information (which may include personal data) that is received from (i) less significant institutions that are exercising the right of establishment within the territory of another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the right of establishment in a participating Member State.

    Right of establishment in a non-participating Member State

    Significant credit institutions established in participating Member States may exercise the right of establishment within the territory of a non-participating Member State (referred to as “outgoing passporting”). In such situations, the ECB is required to exercise the powers of the competent authority of the home Member State in accordance with the procedures set out in Article 17(1) of the SSM Framework Regulation. The powers of the home Member State in respect of credit institutions’ right of establishment are set out in Article 35 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 and include an assessment of the adequacy of the credit institution’s administrative structure. To that end, information on the persons who are set to be responsible for the management of the proposed branch and its key functions has to be provided by the credit institution. All required personal data, as referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council, is necessary in order to assess the suitability of the persons who are set to be responsible for the management or key functions of the proposed branch. In addition, NCAs also notify the ECB about information received from less significant institutions regarding the exercise of the right of establishment within the territory of a non participating Member State, which may include personal data.

  • supervision of credit institutions’ compliance with relevant Union law imposing prudential requirements (e.g. own funds requirements, rules on credit to related parties, and rules governing remuneration policies and practices);
  • supervisory reviews (including stress tests) and their publication;
  • the application of requirements relating to capital buffers and other measures aimed at addressing systemic or macroprudential risks;
  • the transfer of personal data to other Union institutions, bodies or agencies, supervisory authorities, international organisations and third countries’ administrations.
  • in order to conduct quantitative research and analysis and statistical reporting at an aggregate level (in which case, personal data will be aggregated and sufficiently anonymised, such that individuals cannot be identified at the aggregate level);
  • by applying technology (including automated and standardised information processing, as well as automated phases of decision-making processes) in order to enhance the performance of its supervisory tasks. In that case, data subjects will not be subject to decisions based solely on automated processing which have legal effects (or other similarly significant effects) on them. All appropriate technical and organisational measures will be put in place to ensure compliance with Regulation (EU) 2018/1725.

The consequences of not providing the requested information will be determined on a case-by-case basis. Failure to provide information will lead to an assessment of the materiality of the missing information, and, if the ECB cannot conclude its assessment without this information, this may make it impossible for the ECB to take a positive decision.

What is the legal basis for processing your personal data?

The processing of personal data for the above-mentioned purposes is necessary under Article 5(1)(a) and (b) of Regulation (EU) 2018/1725, in conjunction with the SSM Regulation.

For specific details regarding the authorisation procedures, please see here:

Licensing

Under Articles 4(1)(a) and 6(4) of the SSM Regulation, the ECB is exclusively competent to authorise credit institutions to take up the business of a credit institution, subject to Article 14 of that Regulation. Under Article 14 of the SSM Regulation, an application for authorisation to take up the business of a credit institution must be submitted to the NCA of the Member State where the credit institution is to be established, in accordance with the relevant requirements set out in national law. The relevant NCA must assess the application and provide the ECB with a draft decision if all relevant criteria set out in national law are met. The ECB can only object to the draft decision if the conditions for authorisation set out in relevant Union law are not met. The conditions governing the granting of authorisation are assessed in accordance with Articles 8 to 14 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 and/or applicable national law. Articles 73 to 79 of the SSM Framework Regulation establish the rules governing cooperation between the NCAs and the ECB as regards the licensing procedure.

Qualifying holdings

Under Articles 4(1)(c), 6(4) and 15 of the SSM Regulation, the ECB (i) is exclusively competent to assess notifications indicating the acquisition of qualifying holdings in credit institutions and (ii) must decide whether to oppose such acquisitions on the basis of the assessment criteria set out in the relevant Union legislation (Article 23(1)(a) to (e) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013) and/or applicable national law, in accordance with the procedures and assessment periods set out therein. Articles 85 to 87 of the SSM Framework Regulation establish the rules governing cooperation between the NCAs and the ECB as regards the acquisition of qualifying holdings.

Fit and proper assessments

Under Article 4(1)(e) of the SSM Regulation, the ECB must, for the purpose of carrying out its tasks, ensure compliance with relevant Union and/or national law that requires credit institutions to have in place robust governance arrangements, including fit and proper requirements for persons responsible for the management of credit institutions. Under Article 16(2)(m) of the SSM Regulation, the ECB has the power to remove, at any time, members of credit institutions’ management bodies who do not fulfil the requirements set out in relevant Union law. Moreover, Article 91(1) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 states that members of a credit institution’s management body must, at all times, be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties. Articles 93 and 94 of the SSM Framework Regulation set out the rules governing the ECB’s assessment of compliance with the fit and proper requirements for persons responsible for managing credit institutions. In order to ensure that fit and proper requirements are met at all times, the ECB may initiate a new assessment based on new facts or issues if it becomes aware of any new facts that could have an impact on a previous assessment of a member of a management body.

Withdrawal of authorisation

Under Article 4(1)(a) of the SSM Regulation, the ECB is tasked with deciding whether to withdraw authorisation to pursue the business of a credit institution, subject to Article 14 of that Regulation. This procedure may be initiated by either the relevant NCA or the ECB, and the national authority responsible for the resolution of credit institutions must also be involved. Articles 80 to 84 of the SSM Framework Regulation establish the rules governing cooperation between the NCAs and the ECB as regards the withdrawal of authorisation to pursue the business of a credit institution.

Right of establishment in another participating Member State

Article 17(1) of the SSM Regulation provides that, between participating Member States, the procedures set out in relevant Union law for credit institutions wishing to establish a branch within the territory of another Member State and the related competences of home and host Member States apply only for the purposes of tasks not conferred on the ECB by Article 4 of that Regulation. The procedures governing interaction between the NCAs and the ECB as regards significant credit institutions’ right of establishment within the territory of another participating Member State are set out in Article 11(1) and (3) of the SSM Framework Regulation. Under those provisions, the ECB must be informed of all information that significant credit institutions provide to the NCAs in accordance with Article 35(2) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 (including information on the persons who are set to be responsible for the management of the proposed branch and its key functions). In accordance with Articles 11(4) and 13(1) of the SSM Framework Regulation, NCAs inform the ECB about notifications submitted by (i) less significant institutions that are exercising the right of establishment within the territory of another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the right of establishment in a participating Member State. When a significant branch is set up in a participating Member State by a credit institution established in a non-participating Member State, the ECB exercises the powers of the competent authority of the host Member State, pursuant to Article 14(1) of the SSM Framework Regulation.

Right of establishment in a non-participating Member State

Under Article 4(1)(b) of the SSM Regulation, the ECB is competent to carry out the tasks that the competent authority of the home Member State is required to perform under relevant Union law when a significant credit institution established in a participating Member State wishes to establish a branch in a non-participating Member State. The powers of the home Member State as regards credit institutions’ right of establishment are set out in Article 35 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 and include an assessment of the adequacy of the credit institution’s administrative structure. To that end, information on the persons who are set to be responsible for the management of the proposed branch and its key functions has to be provided by the credit institution. The procedures governing interaction between the NCAs and the ECB as regards significant credit institutions’ right of establishment in non participating Member States are set out in Article 17(1) of the SSM Framework Regulation. In accordance with Article 4(1)(b) of the SSM Regulation and Article 17(2) of the SSM Framework Regulation, NCAs inform the ECB about notifications submitted by less significant institutions regarding exercise of the right of establishment in a non participating Member State.

Who is responsible for processing your personal data?

Under Article 3(8) of Regulation (EU) 2018/1725, the ECB is the controller of the data processing operations for various types of supervisory procedure in the context of the prudential supervision of significant institutions.

The ECB and the NCAs are joint controllers – in carrying out the prudential supervisory tasks conferred on them by the SSM Regulation and the SSM Framework Regulation – whenever they jointly determine the purpose and means of data processing operations. In line with Article 28 of Regulation (EU) 2018/1725 (as well as Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation), which applies to the processing of personal data by the NCAs), a specific arrangement will be agreed among the joint controllers that determines their responsibilities. The essence of that arrangement will be made public.

For specific details on the authorisation procedures, please see here:

Licensing

The ECB and the NCAs are joint controllers of the data processing operations relating to the granting of authorisation to take up the business of a credit institution (also referred to as “licensing”) in the context of the prudential supervision of significant and less significant institutions.

Qualifying holdings

The ECB and the NCAs are joint controllers of the data processing operations relating to qualifying holdings in the context of the prudential supervision of significant and less significant institutions.

Fit and proper assessments

The ECB is the controller of the data processing operations relating to fit and proper assessments in the context of the prudential supervision of significant institutions.

Withdrawal of authorisation

The ECB and the NCAs are joint controllers of the data processing operations relating to the withdrawal of authorisation to pursue the business of a credit institution in the context of the prudential supervision of significant and less significant institutions.

Right of establishment in another participating Member State

The ECB is the controller of the data processing operations relating to the right of establishment in another participating Member State in the context of the prudential supervision of significant institutions. In addition, NCAs inform the ECB when notifications are received from (i) less significant institutions that are exercising the right of establishment in another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the right of establishment in a participating Member State.

Right of establishment in a non-participating Member State

The ECB is the controller of the data processing operations relating to the right of establishment in a non-participating Member State in the context of the prudential supervision of significant institutions. In addition, NCAs inform the ECB when notifications are received from less significant institutions that are exercising the right of establishment in a non-participating Member State.

Who will receive your personal data?

When the ECB processes personal data for the above-mentioned purposes, the following persons have access to personal data on a strict need-to-know basis:

  • a limited number of ECB staff members (for the performance of their tasks, including tasks relating to the prudential supervision of credit institutions);
  • a limited number of NCA staff members (for the performance of tasks relating to the prudential supervision of credit institutions);
  • members of the ECB’s Supervisory Board and Governing Council;
  • external experts and contractors working on behalf of the ECB who are providing opinions, advice and support in the context of the prudential supervision of credit institutions (e.g. legal counsel);
  • a limited number of staff members of other Union institutions, bodies and agencies, supervisory authorities and national authorities (e.g. public prosecutors or authorities tackling money laundering).

What type of personal data are processed?

The ECB processes various different types of personal data, depending on the processing activity in question. Examples of such data include the following:

  • information relating to the reputations, knowledge, skills and experience of current and potential future board members of (i) supervised credit institutions and (ii) companies intending to acquire or dispose of qualifying holdings in supervised credit institutions. For specific details regarding authorisation procedures, please see here:
Licensing

The personal data that are processed in relation to licensing procedures include, among other things, data relating to the credit institution’s programme of operations and governance arrangements (which may include personal financial information, data on the suitability of qualifying shareholders or the 20 largest shareholders, and information on the suitability of members of management bodies). The EBA’s Draft Regulatory Technical Standards under Article 8(2) of Directive 2013/36/EU of the European Parliament and of the Council on the information to be provided for the authorisation of credit institutions, the requirements applicable to shareholders and members with qualifying holdings and obstacles which may prevent the effective exercise of supervisory powers (EBA/RTS/2017/08) provide full details of the information that will be required for licensing applications when they enter into force. Examples of personal data relating to the applicant credit institution, its current or future shareholders or members, current or future members of its management bodies, key function holders or internal control functions, or any other affiliated parties (as a result of outsourcing arrangements, funding arrangements, etc.) can be found in the sections on qualifying holdings and fit and proper assessments.

Qualifying holdings

Without prejudice to national law, the following types of personal data are processed in relation to the acquisition of qualifying holdings, with information covering both (i) proposed direct or indirect acquirers (natural persons or, in the case of legal persons, members of their management bodies) and (ii) persons linked to those proposed acquirers:

  • personal details (full name, ID card/passport number, nationality, etc.);
  • contact details (postal address, email address, phone number, etc.);
  • details of knowledge, skills and experience (e.g. information regarding practical, professional experience gained in previous positions and theoretical experience (knowledge and skills) gained through education and training);
  • reputational information, such as:
    • details of any criminal record, relevant criminal investigations/proceedings, relevant civil/administrative cases, or disciplinary action (including disqualification as a company director, bankruptcy, insolvency or similar proceedings);
    • a statement as to whether criminal proceedings are pending or the person or any organisation managed by him/her has ever been involved as a debtor in insolvency proceedings or comparable proceedings;
    • details of any investigations, enforcement proceedings or sanctions carried out or imposed by a supervisory authority;
    • information on any refusal of registration, authorisation, membership or a licence to carry out a trade, business or profession;
    • information on any withdrawal, revocation or termination of registration, authorisation, membership or a licence;
    • information on any expulsion by a regulatory or government body;
    • information on any dismissal from employment, a position of trust or a fiduciary relationship (or a similar situation), or any request to resign from such a position;
  • financial details, such as
    • information regarding the person’s financial position and strength, sources of revenue, assets and liabilities, pledges and guarantees;
    • ratings and public reports on companies controlled or directed by the person in question;
    • ratings and public reports on the person himself/herself;
  • information as to whether an assessment of the person’s reputation as an acquirer or someone who directs the business of a financial institution has already been conducted by another competent supervisory authority in the financial sector (including details of the identity of that authority and evidence of the outcome of that assessment);
  • information as to whether an assessment of the person’s reputation has already been conducted by another competent authority in a non-financial sector (including details of the identity of that authority and evidence of the outcome of that assessment);
  • details of any financial relationship (involving credit operations, guarantees, pledges, etc.) or non-financial relationship (e.g. a close familial relationship or cohabitation) with:
    • any current shareholder of the target institution;
    • any person entitled to exercise voting rights in the target institution;
    • the target institution itself or its group;
  • details of any other interest or activity that is in conflict with the target institution and possible solutions to such conflicts of interests.

Reference should also be had to the list of information recommended by the Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector (JC/GL/2016/01) as regards assessing the acquisition of a qualifying holding.

Furthermore, any personal data as listed in the relevant section that is required for a fit and proper assessment with regard to newly to be appointed members of the management body of the target institution can also be processed in the qualifying holding assessment.

Fit and proper assessments

Annex III to the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU (EBA/GL/2017/12) contains a list of information to be provided to the competent authorities for each suitability assessment.

The following personal data are processed in relation to fit and proper assessments:

  1. personal data provided by appointees (either in writing in response to the fit and proper questionnaire or orally during interviews), such as:
    • personal details (full name, ID card/passport number, nationality, etc.);
    • contact details (postal address, email address, phone number, etc.);
    • details of knowledge, skills and experience (e.g. information regarding practical, professional experience gained in previous positions and theoretical experience (knowledge and skills) gained through education and training);
    • reputational information, such as details of any criminal record, relevant criminal investigations/proceedings, relevant civil/administrative cases or disciplinary action (including disqualification as a company director, bankruptcy, insolvency or similar proceedings);
    • details of any conflicts of interest (e.g. a close personal relationship with a member of a management body, a significant private business transaction with the credit institution in question or a position of significant political influence);
    • information on the appointee’s time commitment to the credit institution in question (including, where relevant, details of time dedicated to other professional or personal activities);
    • information on the collective suitability of the board (e.g. as regards the value that the appointee adds in terms of the overall composition of the board);
  2. personal data that come to the attention of the competent authority by other means (e.g. via the media);
  3. personal data relating to third parties (rather than the appointee);
  4. any comments by ECB or NCA staff members regarding the appointee’s performance during the fit and proper assessment (e.g. comments that reflect the supervisor’s opinion or assessment of the appointee – particularly as regards their knowledge and skills in the relevant field);
  5. information as to whether a fit and proper assessment has already been conducted by another competent supervisory authority (including details of the identity of that authority and evidence of the outcome of that assessment).
Withdrawal of authorisation

The following types of personal data (among others) may be processed when deciding whether to withdraw authorisation to pursue the business of a credit institution:

  • any personal data provided in the context of an assessment of qualifying holdings, the granting of authorisation or a fit and proper assessment (see relevant sections above) which are required in order to assess the potential withdrawal of authorisation;
  • any personal data that are contained in information about the activities of the institution, statements by the institution regarding its status, and other documents provided under applicable national law and the by-laws of the institution;
  • any personal data that are contained in information about on-site inspections, the Supervisory Review and Evaluation Process, whistleblowing, supervisory findings and measures, communication with the credit institution, and court orders and decisions.
Right of establishment

The personal data that are processed in relation to the right of establishment are as referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council.

  • information relating to natural persons associated with supervised credit institutions (e.g. as staff members or customers) in the context of on and off-site supervision.

This list is however not exhaustive. For further information please contact the ECB using the information request form.

Where are your data transferred to, processed and stored?

In the context of supervisory cooperation, some personal data may be sent outside the European Economic Area (EEA) to international organisations, supervisory authorities and the administrations of third countries.

Such transfers may take place on the basis of an adequacy decision by the European Commission pursuant to Article 47 of Regulation (EU)2018/1725.

In the absence of an adequacy decision by the European Commission, personal data may, under Article 48(1) of Regulation (EU) 2018/1725, only be transferred to a third country or an international organisation if appropriate safeguards are provided and enforceable data subject rights and effective legal remedies for data subjects are available.

In the absence of an adequacy decision or appropriate safeguards, transfers of personal data to third countries may only take place exceptionally on the basis of specific derogations provided for in Article 50 of Regulation (EU) 2018/1725 (particularly Article 50(1)(d)).

Personal data are stored in a secure IT system that is protected by encryption and authentication features.

How long will the ECB keep personal data?

The ECB retains personal data for as long as they are needed for the specific supervisory purpose in question, as specified in the ECB’s retention rules.

Retention periods for authorisation procedures

The ECB stores personal data relating to authorisation procedures for the following maximum periods:

  • 15 years from the date of application or notification if a request is withdrawn before a formal decision has been reached;
  • 15 years from the date of a negative decision;
  • in the case of a positive decision, 15 years from the date on which the relevant data subject ceases to be a member of the credit institution’s management, a key function holder, a founding shareholder or a qualifying shareholder, or a manager or key function holder for a branch;
  • 15 years from the date of adoption where the ECB decides to withdraw authorisation to pursue the business of a credit institution.

If administrative or judicial proceedings are initiated, the above-mentioned retention periods may be extended, ending one year after such proceedings are concluded by means of a final decision.

Retention periods for personal data provided in relation to fit and proper assessments

The ECB stores personal data relating to fit and proper assessments for the following maximum periods:

  • a general retention period of seven years from the date on which the ECB communicates its decision to the Supervised Entity. This general retention period applies to the majority of fit and proper assessments. In cases where the application is withdrawn before an ECB decision has been taken, the retention period starts on the date of application or notification to the ECB;
  • a longer retention period may exceptionally apply in cases where there is a concrete justification: a) a related court action is pending; b) an administrative review is in progress, or c) where either national law or the Supervised Entity’s statutes allow for the renewal of terms of office of persons subject to a fit and proper assessment and the data in respect of the original fit and proper assessment is crucial for the ECB’s assessment of the renewal. In the case of a) and b) the retention period expires two years after the final court decision or final administrative review decision, respectively, and in the case of c) it expires seven years after the renewal;
  • a retention period of ten years from the date on which the ECB communicates the decision to the Supervised Entity would apply to very specific cases, such as negative decisions, and decisions with conditions not previously agreed with the relevant Supervised Entity.

Information on retention periods for specific personal data can be made available on request. For further information, please contact the ECB info@ecb.europa.eu.

What are your rights?

You have the right to access your personal data and correct any information that is inaccurate or incomplete. You also have (with some limitations) the right to have your personal data deleted, or to restrict or object to the processing of your personal data in accordance with Regulation (EU) 2018/1725.

Exceptions to and restrictions on these rights may apply in accordance with Regulation (EU) 2018/1725.

The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725.

Who can you contact in case of queries or requests?

You can exercise your rights by contacting the ECB at info@ecb.europa.eu.

Contact details for specific authorisation procedures

Data subjects can exercise their rights by e-mailing the ECB’s Authorisation Division or the Fit and Proper Division.

In accordance with Article14(3) of Regulation (EU) 2018/1725, the ECB as data controller must provide information on action taken on a data subject’s request to the data subject without undue delay and at the latest within one month of receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The ECB must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

In accordance with Article 14(4) of Regulation (EU) 2018/1725, if the ECB does not take action on the request of a data subject, it must inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the European Data Protection Supervisor and seeking a judicial remedy.

In case of conflict, you can also directly contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu regarding all queries relating to personal data.

Adressing the European Data Protection Supervisor

If you believe that your rights as a data subject under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.

Further information

Additional information can be found in the European Data Protection Supervisor’s opinion of 3 November 2014 on the processing of personal data in prudential supervisory processes as part of the Single Supervisory Mechanism.

EDPS Opinion
Whistleblowing