Privacy statement for the processing of personal data related to fit and proper assessments under European banking supervision

1. Data Protection legal framework applicable to the European Central Bank

The European Central Bank (ECB) adopts decisions regarding the suitability of the members of the management bodies of significant credit institutions following fit and proper assessments in accordance with Regulation (EU) No 1024/2013 (the SSM Regulation).

In this context, the ECB collects and further processes personal data in line with EU data protection law.

SSM Regulation
Regulation (EU) 2018/1725

2. The ECB as controller of processing personal data

Within the meaning of point (8) of Article 3 of Regulation (EU) 2018/1725, the ECB is the controller of the data processing operations in the context of prudential supervision of significant institutions.

3. Purposes for processing personal data by the ECB

Personal data is collected and processed for the purpose of assessing whether the persons responsible for the management of significant credit institutions meet the "fit and proper" requirements, i.e. whether they possess sufficient knowledge, skills and experience to fulfil their duties and are of sufficiently good repute.

4. Lawfulness of the ECB’s data processing operations

The processing of personal data for the aforementioned purposes is necessary within the meaning of Article 5(1)(a) and (b) of Regulation (EU) 2018/1725, in conjunction with Article 127(6) of the Treaty of Functioning of the European Union, the SSM Regulation, Regulation (EU) No 468/201 (the SSM Framework Regulation) and Directive 2013/36/EU (CRD IV).

SSM Framework Regulation

In particular, the ECB must ensure compliance with the relevant Union law that imposes requirements on credit institutions, including the requirement to have in place robust governance arrangements, including the fit and proper requirements for the persons responsible for the management of credit institutions (Article 4(1)(e) of the SSM Regulation). For the purpose of carrying out its tasks, the ECB has the power to remove at any time members from the management body of credit institutions who do not fulfil the requirements set out in the acts of the relevant Union law (Article 16(2)(m) of the SSM Regulation).

Moreover, Article 91(1) of CRD IV states that members of the management body shall at all times be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties.

Articles 93 and 94 of the SSM Framework Regulation set out the rules on the assessment by the ECB regarding the compliance with the fit and proper requirements for persons responsible for managing credit institutions. In order to ensure that fit and proper requirements are met at all times, the ECB may initiate a new assessment based on new facts or issues or if the ECB becomes aware of any new facts that may have an impact on the initial assessment of the relevant member of the management body.

5. Categories of personal data processed by the ECB

The following personal data is processed in relation to fit and proper assessments.

  1. Personal data provided by the applicants (in written form - see the Fit and Proper Questionnaire - or during interviews) which relate to:
    • personal details, such as full name, ID/passport number, nationality
    • contact details, such as address, email, phone number
    • knowledge, skills and experience, such as information regarding practical, professional experience gained in previous occupations and theoretical experience (knowledge and skills) gained through education and training
    • reputation, such as criminal record
    • conflicts of interest, such as any close personal relationship with a member of a management body, any significant private business transactions with the supervised entity, positions of significant political influence, etc.
    • time commitment, such as other professional or personal commitments or circumstances (e.g. involvement in a court case)
    • collective suitability of the board, such as the added value of a particular candidate in relation to the overall composition of the board
  2. Personal data that has come to the knowledge of the competent authority by other means (e.g. via the media)
  3. Personal data that is not related to the applicant but to third parties
  4. Any comments by the ECB and/or NCA staff members regarding the performance of the applicant during the fit and proper procedure (e.g. comments that reflect the opinion or the assessment of the examiner on the individual performance of the applicant, particularly in relation to their knowledge and competences in the relevant field)

6. Access to personal data collected and processed by the ECB

For the purposes set out in Section 3, access to personal data is given to the following persons:

  • staff of the NCAs
  • ECB staff of Joint Supervisory Teams (ECB Directorate General Microprudential Supervision I or II)
  • dedicated staff members of the ECB Directorate General Microprudential Supervision III, Directorate General Secretariat to the Supervisory Board and the Authorisation Division of the Directorate General Secretariat to the Supervisory Board
  • members of the Supervisory Board and of the Governing Council of the ECB
  • other dedicated ECB staff members providing opinions and advice in the context of fit and proper assessments, such as the staff of Directorate General Legal Services
  • external experts and contractors working on behalf of the ECB who provide opinions and advice in the context of fit and proper assessments, such as external legal counsel
  • a limited number of staff members of other Union institutions, bodies, agencies, supervisory authorities and national authorities (e.g. criminal prosecutors, Anti- Money Laundering authorities)

7. Transfers of personal data to third countries

In the context of supervisory cooperation with authorities outside the European Economic Area (EEA), your personal data may be transferred outside the EEA upon request of a third country authority. In the absence of an adequacy decision, personal data may be transferred outside the EEA only if appropriate safeguards are in place, as set out in Article 48 of Regulation (EU) 2018/1725. In exceptional cases, international transfers of personal data may also take place based on the derogation provided for by Article 50 of Regulation (EU) 2018/1725.

8. Retention period

Personal data are stored as follows:

  • for fifteen years from the date of application or notification if the application is withdrawn before a formal decision is reached
  • for fifteen years from the date of a negative decision
  • for fifteen years from the date the data subjects cease to be members of the management bodies of the supervised entity in the case of a positive ECB decision
  • for fifteen years from the date of the most recent ECB decision in case of reassessment based on new facts

In the event that administrative or judicial proceedings are initiated, the retention period is extended and ends one year after such proceedings are concluded by a final decision.

9. Your rights as a data subject

You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to restrict or object to the processing of your personal data in line with Regulation (EU) 2018/1725.

10. Contact information in case of queries and requests

You can exercise your rights by emailing the ECB’s Authorisation Division at

For all queries relating to personal data, please contact the ECB’s Data Protection Officer at

11. Addressing the European Data Protection Supervisor

If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.

European Data Protection Supervisor

12. Changes to this Privacy Statement

This Privacy Statement may be changed to take into account new legal developments.