The European Central Bank (ECB) adopts decisions regarding the suitability of the members of the management bodies of significant credit institutions following fit and proper assessments in accordance with Regulation (EU) No 1024/2013 (the SSM Regulation).
In this context, the ECB collects and further processes personal data in line with EU data protection law.
Within the meaning of point (8) of Article 3 of Regulation (EU) 2018/1725, the ECB is the controller of the data processing operations in the context of prudential supervision of significant institutions.
Personal data is collected and processed for the purpose of assessing whether the persons responsible for the management of significant credit institutions meet the "fit and proper" requirements, i.e. whether they possess sufficient knowledge, skills and experience to fulfil their duties and are of sufficiently good repute.
The processing of personal data for the aforementioned purposes is necessary within the meaning of Article 5(1)(a) and (b) of Regulation (EU) 2018/1725, in conjunction with Article 127(6) of the Treaty of Functioning of the European Union, the SSM Regulation, Regulation (EU) No 468/201 (the SSM Framework Regulation) and Directive 2013/36/EU (CRD IV).
In particular, the ECB must ensure compliance with the relevant Union law that imposes requirements on credit institutions, including the requirement to have in place robust governance arrangements, including the fit and proper requirements for the persons responsible for the management of credit institutions (Article 4(1)(e) of the SSM Regulation). For the purpose of carrying out its tasks, the ECB has the power to remove at any time members from the management body of credit institutions who do not fulfil the requirements set out in the acts of the relevant Union law (Article 16(2)(m) of the SSM Regulation).
Moreover, Article 91(1) of CRD IV states that members of the management body shall at all times be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties.
Articles 93 and 94 of the SSM Framework Regulation set out the rules on the assessment by the ECB regarding the compliance with the fit and proper requirements for persons responsible for managing credit institutions. In order to ensure that fit and proper requirements are met at all times, the ECB may initiate a new assessment based on new facts or issues or if the ECB becomes aware of any new facts that may have an impact on the initial assessment of the relevant member of the management body.
The following personal data is processed in relation to fit and proper assessments.
For the purposes set out in Section 3, access to personal data is given to the following persons:
In the context of supervisory cooperation with authorities outside the European Economic Area (EEA), your personal data may be transferred outside the EEA upon request of a third country authority. In the absence of an adequacy decision, personal data may be transferred outside the EEA only if appropriate safeguards are in place, as set out in Article 48 of Regulation (EU) 2018/1725. In exceptional cases, international transfers of personal data may also take place based on the derogation provided for by Article 50 of Regulation (EU) 2018/1725.
Personal data are stored as follows:
In the event that administrative or judicial proceedings are initiated, the retention period is extended and ends one year after such proceedings are concluded by a final decision.
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to restrict or object to the processing of your personal data in line with Regulation (EU) 2018/1725.
You can exercise your rights by emailing the ECB’s Authorisation Division at Authorisation@ecb.europa.eu.
For all queries relating to personal data, please contact the ECB’s Data Protection Officer at firstname.lastname@example.org.
If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.
This Privacy Statement may be changed to take into account new legal developments.