
Privacy statement for the processing of personal data for authorisation, fit and proper, enforcement and sanction procedures under the Single Supervisory Mechanism

The ECB processes personal data in the context of its prudential supervisory tasks, responsibilities and powers. This privacy statement explains how the ECB handles personal data for authorisation, fit and proper, enforcement and sanction procedures.

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (‘EUDPR’).

Why do we process personal data?

Council Regulation (EU) No 1024/2013 (SSM Regulation) confers specific tasks on the European Central Bank (ECB) concerning policies relating to the prudential supervision of credit institutions on the basis of Article 127(6) of the Treaty on the Functioning of the European Union.

For prudential supervisory purposes, the ECB has been entrusted with the specific tasks referred to in Article 4 of the SSM Regulation, within the framework of Article 6 of that Regulation, in relation to credit institutions established in (i) EU Member States whose currency is the euro and (ii) EU Member States whose currency is not the euro but which have entered into close cooperation with the ECB in accordance with Article 7 of the SSM Regulation (participating Member States). Regulation (EU) No 468/2014 (SSM Framework Regulation) lays down the rules and procedures governing cooperation between the ECB and the national competent authorities (NCAs) of the participating Member States.

The ECB collects and processes personal data for the purposes of performing and exercising the prudential supervisory tasks, responsibilities and powers conferred upon it by the SSM Regulation (in particular Articles 4, 5, 6, 7, 8, 9 and 18 of that Regulation). This covers a wide range of activities, including the following:

Licensing

Under Article 4(1)(a) of the SSM Regulation, the ECB is exclusively competent to grant authorisation to take up the business of a credit institution in a participating Member State, subject to Article 14 of that Regulation. In this context, the ECB is tasked with ascertaining whether entrants to the banking market are robust and comply with national and Union law. The ECB focuses on applicant banks’ capital and liquidity levels, their programme of operations, their structural organisation and the suitability of their managers and relevant shareholders (or members). The requested personal data are therefore a prerequisite for assessing whether the criteria for granting authorisation to take up the business of a credit institution are met. For example, the processing of personal information is inherent to the suitability assessment of qualified shareholders and board members, as it entails an assessment of the individual’s reputation and, by definition, this can only be performed by processing personal data (e.g. work experience, previous convictions, etc.).

Qualifying holdings

Under Article 4(1)(c) of the SSM Regulation, the ECB is exclusively competent to assess notifications of the acquisition of qualifying holdings in credit institutions in the participating Member States, subject to Article 15 of that Regulation. The ECB decides whether to oppose such acquisitions based on the assessment criteria set out in relevant Union and/or national law in accordance with the procedures and assessment periods set out therein. The requested personal data are therefore a prerequisite for assessing the criteria that permit the acquisition of qualifying holdings in the relevant credit institutions. Under Article 23(1)(a) to (e) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013, the following criteria must be assessed to determine the suitability of the proposed acquirer and the financial soundness of the proposed acquisition:

  • the reputation and financial soundness of the proposed acquirer;
  • the fitness and propriety of any member of the management body who will direct the business of the target credit institution as a result of the proposed acquisition;
  • whether the target credit institution will continue to comply with its prudential requirements;
  • whether there are reasonable grounds for suspecting that, in connection with the proposed acquisition, money laundering or terrorist financing is being or has been committed or attempted, or that the proposed acquisition could increase the risk thereof.

Approval or exemption of (mixed) financial holding companies

Under Article 4(1)(g) of the SSM Regulation, the ECB is exclusively competent to carry out supervision on a consolidated basis over credit institutions’ parent companies established in one of the participating Member States, including over financial holding companies and mixed financial holding companies. In line with Article 21(a) of Directive 2013/36/EU, the ECB is competent to approve or exempt (mixed) financial holding companies of significant supervised entities or significant supervised groups. The ECB assessment focuses on the fitness and propriety of the members of the management body of the (mixed) financial holding company, as well as the internal distribution of tasks within the group, the suitability of shareholders and the structural organisation.

Mergers and divisions

Under Article 4(1)(d) of the SSM Regulation and Article 27(i) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 as amended by Directive 2024/1619 of the European Parliament and of the Council of 31 May 2024, the ECB is exclusively competent to assess notifications of (i) mergers involving significant credit institutions and (mixed) financial holding companies when the ECB is the competent authority responsible for supervising the entities resulting from the merger, and (ii) divisions when the ECB is the competent authority in charge of the supervision of the entity being divided. The following criteria must be assessed to ensure the soundness of the prudential profile of the financial stakeholders following the completion of the proposed operation:

  • the reputation of the financial stakeholders involved in the proposed operation;
  • the financial soundness of the financial stakeholders involved in the proposed operation, in particular in relation to the type of business pursued and envisaged for the entity resulting from the proposed operation;
  • whether the entity resulting from the proposed operation will be able to comply and continue to comply with the prudential requirements;
  • whether the implementation plan of the proposed operation is realistic and sound from a prudential perspective;
  • whether there are reasonable grounds to suspect that, in connection with the proposed operation, money laundering or terrorist financing is being or has been committed or attempted, or that the proposed operation could increase the risk thereof.

Also in this case, the assessment of the above criteria may entail the processing of personal data.

Fit and proper assessments

Under Article 4(1)(e) of the SSM Regulation, the ECB must ensure compliance with the relevant Union law requiring credit institutions to have in place robust governance arrangements, including fit and proper requirements for persons responsible for the management of credit institutions. Therefore, personal data are collected and processed for the purpose of assessing whether the persons responsible for the management of significant credit institutions satisfy those fit and proper requirements. The five criteria that are assessed in this regard concern the following: (i) the person’s experience; (ii) their reputation; (iii) conflicts of interest and independence of mind; (iv) the person’s time commitment to the institution in question; and (v) the collective suitability of the board as a whole.

Withdrawal of authorisation

Under Articles 4(1)(a) and 6(4) of the SSM Regulation, the ECB is exclusively competent to withdraw authorisations to pursue the business of a credit institution in a participating Member State, subject to Article 14 of that Regulation, in order to ensure that only credit institutions with (i) a sound economic basis, (ii) organisational arrangements that are capable of dealing with the specific risks inherent in deposit-taking and the provision of credit and (iii) suitable directors/shareholders carry out the activities of credit institutions. The requested personal data are therefore needed to assess whether the criteria for granting authorisation to pursue the business of a credit institution continue to be met.

Right of establishment in another participating Member State

Credit institutions established in participating Member States may exercise the right of establishment within the territory of another participating Member State. To do this, the NCAs are required to inform the ECB (by means of the procedures set out in the SSM Framework Regulation) about all the information that significant credit institutions provide to them under Article 35(2) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 (including, among other things, information on the persons who are set to be responsible for the management of the proposed branch and its key functions). All required personal data, as referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council, are needed so that the ECB can assess the suitability of the persons who are set to be responsible for the management or key functions of the proposed branch. In addition, the NCAs are also expected to notify the ECB about information (which may include personal data) that is received from (i) less significant institutions that are exercising the right of establishment within the territory of another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the right of establishment in a participating Member State.

Right of establishment in a non-participating Member State

Significant credit institutions established in participating Member States may exercise the right of establishment within the territory of a non-participating Member State (referred to as “outgoing passporting”). In such situations, the ECB is required to exercise the powers of the competent authority of the home Member State in accordance with the procedures set out in Article 17(1) of the SSM Framework Regulation. The powers of the home Member State in respect of credit institutions’ right of establishment are set out in Article 35 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 and include an assessment of the adequacy of the credit institution’s administrative structure. To that end, information on the persons who are set to be responsible for the management of the proposed branch and its key functions must be provided by the credit institution. All required personal data, as referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council, are needed to assess the suitability of the persons who are set to be responsible for the management or key functions of the proposed branch. In addition, the NCAs are also expected to notify the ECB about information received from less significant institutions regarding the exercise of the right of establishment within the territory of a non-participating Member State, which may include personal data.

Freedom to provide services in another participating Member State

Credit institutions established in participating Member States may exercise the freedom to provide services within the territory of another participating Member State. The NCAs are required to inform the ECB (by means of the procedures set out in the SSM Framework Regulation) about all the information that credit institutions provide to them under Article 39(1) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013, including information on the intended activities. All required personal data, as referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council, are needed so that the ECB can assess the said notification and ensure compliance with the applicable regulatory requirements.

Freedom to provide services in a non-participating Member State

Significant credit institutions established in participating Member States may exercise the freedom to provide services within the territory of a non-participating Member State. In such situations, the ECB is required to exercise the powers of the competent authority of the home Member State in accordance with the procedures set out in Article 17(1) of the SSM Framework Regulation. The powers of the home Member State in respect of credit institutions’ freedom to provide services are set out in Article 39 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013. All required personal data, as referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council, are needed to assess the said notification and ensure compliance with the applicable regulatory requirements. In addition, the NCAs are also expected to notify the ECB about information received from less significant institutions regarding the exercise of the right of establishment within the territory of a non-participating Member State, which may include personal data.

Notification of changes procedures

Personal data are processed to assess any notifications of changes to the information submitted in the context of the right of establishment and the freedom to provide services in accordance with Commission Implementing Regulation (EU) No 926/2014 and Directive 2013/36/EU of the European Parliament and of the Council.

Enforcement and sanctions

The ECB may impose pecuniary sanctions in the event of breaches of directly applicable acts of Union law, such as the Capital Requirements Regulation, ECB supervisory decisions or ECB regulations. It may also require NCAs to open sanctioning proceedings in the event of breaches of national law implementing EU directives committed by significant institutions, as well as for the imposition of non-pecuniary sanctions on those institutions, or the imposition of sanctions (pecuniary or non-pecuniary) on individuals. In addition, the ECB is empowered to adopt enforcement measures with a view to compelling supervised entities to comply with prudential requirements in the event of ongoing breaches. In particular, the ECB may impose periodic penalty payments per day of infringement until compliance is achieved or restored, for a maximum of six months. It may also adopt national enforcement measures, either directly or via instructions to the NCAs, depending on the options available under national law in the relevant Member State.

  • Supervision of credit institutions’ compliance with relevant Union law imposing prudential requirements (e.g. own funds requirements, rules on credit to related parties, and rules governing remuneration policies and practices).
  • Supervisory reviews (including stress tests) and their publication.
  • The application of requirements relating to capital buffers and other measures aimed at addressing systemic or macroprudential risks.
  • The transfer of personal data to other Union institutions, bodies or agencies, supervisory authorities, international organisations and third countries’ administrations.
  • The conduct of quantitative research and analysis and statistical reporting at the aggregate level (in which case, personal data will be aggregated and sufficiently anonymised, such that individuals cannot be identified at the aggregate level).

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB in the performance of a task carried out in the public interest, based on Article 5(1)(a) of EUDPR, in conjunction with the SSM Regulation (Articles 4, 5, 6, 7, 8, 9 and 18).

Details on the legal basis:

Licensing

Under Articles 4(1)(a) and 6(4) of the SSM Regulation, the ECB is exclusively competent to authorise credit institutions to take up the business of a credit institution, subject to Article 14 of that Regulation. The relevant applications are assessed in accordance with Articles 8 to 14 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 and/or applicable national law. Articles 73 to 79 of the SSM Framework Regulation establish the rules governing cooperation between the NCAs and the ECB as regards the licensing procedure.

Qualifying holdings

Under Articles 4(1)(c), 6(4) and 15 of the SSM Regulation, the ECB is exclusively competent to assess notifications regarding the acquisition of qualifying holdings in credit institutions. The ECB shall decide whether to oppose such acquisitions on the basis of the assessment criteria set out in the relevant Union legislation (Article 23(1)(a) to (e) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013) and/or applicable national law in accordance with the procedures and assessment periods set out therein. Articles 85 to 87 of the SSM Framework Regulation establish the rules governing cooperation between the NCAs and the ECB as regards the acquisition of qualifying holdings.

Approval or exemption of (mixed) financial holding companies

Under Articles 4(1)(g) and 6(4) of the SSM Regulation and Article 8 of the SSM Framework Regulation, the ECB is exclusively competent to carry out supervision on a consolidated basis over credit institutions’ parent companies established in one of the participating Member States, including over financial holding companies and mixed financial holding companies. Parent (mixed) financial holding companies in a Member State, EU parent (mixed) financial holding companies and other (mixed) financial holding companies that are required to comply with Directive 2013/36/EU and Regulation (EU) No 575/2013 on a sub-consolidated basis shall seek either an approval or an exemption in accordance with Article 21a of Directive 2013/36/EU.

Mergers and divisions

Under Article 4(1)(d) of the SSM Regulation and Article 27(i) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 as amended by Directive 2024/1619 of the European Parliament and of the Council of 31 May 2024, the ECB is exclusively competent to assess notifications regarding (i) mergers involving significant credit institutions and (mixed) financial holding companies when the ECB is the competent authority responsible for supervising the entities resulting from the merger, and (ii) divisions when the ECB is the competent authority in charge of the supervision of the entity being divided. The ECB shall decide whether to oppose such operations on the basis of the assessment criteria set out in the relevant Union legislation (Article 27(j) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 as amended by Directive 2024/1619 of the European Parliament and of the Council of 31 May 2024) and/or applicable national law in accordance with the procedures and assessment periods set out therein.

Fit and proper assessments

Under Article 4(1)(e) of the SSM Regulation, the ECB must, for the purpose of carrying out its tasks, ensure compliance with relevant Union and/or national law that requires credit institutions to have in place robust governance arrangements, including fit and proper requirements for persons responsible for the management of credit institutions. Under Article 16(2)(m) of the SSM Regulation, the ECB has the power to remove, at any time, members of credit institutions’ management bodies who do not fulfil the requirements set out in relevant Union law. Moreover, Article 91(1) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 states that members of a credit institution’s management body must, at all times, be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties. Article 91(8) of the same directive provides that each member of the management body shall act with honesty, integrity and independence of mind to effectively assess and challenge the decisions of the senior management where necessary and to effectively oversee and monitor management decision-making. The ECB, in assessing compliance with the fit and proper requirements for persons responsible for managing credit institutions, may process special categories of personal data as specified under paragraphs 72 to 86 of the joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU in line with Articles 10 and 11 of the EUDPR. Articles 93 and 94 of the SSM Framework Regulation set out the rules governing the ECB’s assessment of compliance with the fit and proper requirements for persons responsible for managing credit institutions.
In order to ensure that fit and proper requirements are met at all times, the ECB may initiate a new assessment based on new facts or issues if it becomes aware of any new facts that could have an impact on a previous assessment of a member of a management body.

Withdrawal of authorisation

Under Articles 4(1)(a) and 6(4) of the SSM Regulation, the ECB is tasked with deciding whether to withdraw authorisation to pursue the business of a credit institution subject to Article 14 of that Regulation. This procedure may be initiated by either the relevant NCA or the ECB, and the national authority responsible for the resolution of credit institutions shall also be involved. Articles 80 to 84 of the SSM Framework Regulation establish the rules governing cooperation between the NCAs and the ECB as regards the withdrawal of authorisation to pursue the business of a credit institution.

Right of establishment in another participating Member State

Under Article 11(1) and (3) of the SSM Framework Regulation, the ECB must be informed of all information that significant credit institutions provide to the NCAs in accordance with Article 35(2) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 (including information on the persons who are set to be responsible for the management of the proposed branch and its key functions). In accordance with Articles 11(4) and 13(1) of the SSM Framework Regulation, the NCAs must inform the ECB about notifications submitted by (i) less significant institutions that are exercising the right of establishment within the territory of another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the right of establishment in a participating Member State.

Right of establishment in a non-participating Member State

Information on the persons who are set to be responsible for the management of the proposed branch and its key functions must be provided by the credit institution. In accordance with Article 4(1)(b) of the SSM Regulation and Article 17(2) of the SSM Framework Regulation, the NCAs must inform the ECB about notifications submitted by less significant institutions that are exercising the right of establishment in a non-participating Member State.

Freedom to provide services in another participating Member State

Article 17(1) of the SSM Regulation provides that, between participating Member States, the procedures set out in relevant Union law for credit institutions wishing to establish a branch within the territory of another Member State and the related competences of home and host Member States apply only for the purposes of those tasks that are not conferred on the ECB by Article 4 of that Regulation. The procedures governing interaction between the NCAs and the ECB as regards significant credit institutions’ right of establishment within the territory of another participating Member State are set out in Article 12(1) of the SSM Framework Regulation. Under those provisions, the ECB must be informed of all information that significant credit institutions provide to the NCAs in accordance with Article 39(1) of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 (including information on the contact person in the credit institution and their contact details). In accordance with Articles 12(2) and 15 of the SSM Framework Regulation, the NCAs must inform the ECB about notifications submitted by (i) less significant institutions that are exercising the freedom to provide services within the territory of another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the freedom to provide services in a participating Member State.

Freedom to provide services in a non-participating Member State

Under Article 4(1)(b) of the SSM Regulation, the ECB is competent to carry out the tasks that the competent authority of the home Member State is required to perform under relevant Union law when a significant credit institution established in a participating Member State wishes to provide cross-border services in a non-participating Member State. The powers of the home Member State as regards credit institutions’ freedom to provide services are set out in Article 39 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013. The procedures governing interaction between the NCAs and the ECB as regards significant credit institutions’ freedom to provide services in non-participating Member States are set out in Article 17(1) of the SSM Framework Regulation. In accordance with Article 4(1)(b) of the SSM Regulation and Article 17(2) of the SSM Framework Regulation, the NCAs must inform the ECB about notifications submitted by less significant institutions regarding the freedom to provide services in a non-participating Member State.

Notification of changes procedures

The processing of personal data for the notification of change procedures is based on the ECB’s supervisory tasks under Article 11(5) of Regulation (EU) No 468/2014 (SSM Framework Regulation), Article 33 and Article 39(1) of Directive 2013/36/EU, which require credit institutions to submit a notification when they intend to establish a branch or provide cross-border services respectively. Further, Article 8 of Commission Implementing Regulation (EU) No 926/2014, as amended by Commission Implementing Regulation (EU) 2022/193, stipulates the standard forms, templates, and procedures for notification of changes in a branch’s particulars.

Enforcement and sanctions

For the purpose of carrying out the tasks conferred on it, the ECB may impose sanctions, adopt enforcement measures (such as periodic penalty payments), or request the NCAs to open enforcement and/or sanctioning proceedings in accordance with Articles 9 and 18 of the SSM Regulation, Articles 1(6) and 4b of Council Regulation (EC) No 2532/98, and Article 129 of the SSM Framework Regulation. Pursuant to Article 10 of the SSM Regulation and Articles 125 to 139 of the SSM Framework Regulation, for the purpose of investigating alleged breaches, as referred to in Article 18 of the SSM Regulation, the ECB may require natural or legal persons to provide all information necessary. Pursuant to Article 136 of the SSM Framework Regulation, in the event of suspected criminal offences, the ECB shall request the responsible NCA to refer the matter to the appropriate authorities for investigation and possible criminal prosecution.

Who is responsible for processing your personal data?

Under Article 3(8) of Regulation (EU) 2018/1725, the ECB is the controller for the processing of your personal data for various types of supervisory procedure in the context of the prudential supervision of significant institutions.

The ECB and the NCAs are joint controllers – in carrying out the prudential supervisory tasks conferred on them by the SSM Regulation and the SSM Framework Regulation – whenever they jointly determine the purpose and means of their data processing. In line with Article 28 of Regulation (EU) 2018/1725 (as well as Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation), which applies to the processing of personal data by the NCAs), a specific arrangement will be agreed among the joint controllers which determines their responsibilities. The essence of that arrangement will be made public.

The specific details of the authorisation procedures are as follows:

Licensing

The ECB and the NCAs are joint controllers for the processing of your personal data in relation to the granting of authorisation to take up the business of a credit institution (also referred to as “licensing”) in the context of the prudential supervision of significant and less significant institutions.

Qualifying holdings

The ECB and the NCAs are joint controllers for the processing of your personal data in relation to qualifying holdings in the context of the prudential supervision of significant and less significant institutions.

Approval or exemption of (mixed) financial holding companies

The ECB and the NCAs are the joint controllers for the processing of your personal data in relation to the approval or exemption of (mixed) financial holding companies of significant supervised entities or significant supervised groups.

Mergers and divisions

The ECB and the NCAs are the joint controllers for the processing of your personal data in relation to mergers and divisions (i) in the case of mergers when the resulting entity is a significant supervised entity, (ii) in the case of divisions when the entity being divided is a significant supervised entity.

Fit and proper assessments

The ECB is the controller for the processing of your personal data in relation to fit and proper assessments in the context of the prudential supervision of significant supervised entities.

Withdrawal of authorisation

The ECB and the NCAs are joint controllers for the processing of your personal data in relation to the withdrawal of authorisation to pursue the business of a credit institution in the context of the prudential supervision of significant and less significant institutions.

Right of establishment in another participating Member State

The ECB and the NCAs are the joint controllers for the processing of your personal data in relation to the right of establishment in another participating Member State in the context of the prudential supervision of significant institutions. In addition, the NCAs must inform the ECB when notifications are received from (i) less significant institutions that are exercising the right of establishment in another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the right of establishment in a participating Member State.

Right of establishment in a non-participating Member State

The ECB and the NCAs are the joint controllers for the processing of your personal data in relation to the right of establishment in a non-participating Member State in the context of the prudential supervision of significant institutions. In addition, the NCAs must inform the ECB when notifications are received from less significant institutions that are exercising the right of establishment in a non-participating Member State.

Freedom to provide services in another participating Member State

The ECB and the NCAs are the joint controllers for the processing of personal data in relation to the freedom to provide services in another participating Member State within the context of prudential supervision of significant institutions. In addition, the NCAs must inform the ECB when notifications are received from (i) less significant institutions that are exercising the freedom to provide services in another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the freedom to provide services in a participating Member State.

Freedom to provide services in a non-participating Member State

The ECB and the NCAs are the joint controllers for the processing of personal data in relation to the freedom to provide services in a non-participating Member State in the context of the prudential supervision of significant institutions and less significant institutions.

Notification of change procedures related to the right of establishment in another participating Member State

The ECB and the NCAs are the joint controllers for the processing of personal data in relation to the notification of change procedures related to the right of establishment in another participating Member State in the context of the prudential supervision of significant institutions. In addition, the NCAs must inform the ECB when notifications of changes are received from (i) less significant institutions that are exercising the right of establishment in another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the right of establishment in a participating Member State.

Notification of change procedures related to the right of establishment in a non-participating Member State

The ECB and the NCAs are the joint controllers for the processing of personal data in relation to the notification of change procedures related to the right of establishment in a non-participating Member State in the context of the prudential supervision of significant institutions. In addition, the NCAs must inform the ECB when notifications of changes are received from less significant institutions that are exercising the right of establishment in a non-participating Member State.

Notification of change procedures related to the freedom to provide services in another participating Member State

The ECB and the NCAs are the joint controllers for the processing of personal data in relation to the notification of change procedures related to the freedom to provide services in another participating Member State within the context of prudential supervision of significant institutions. In addition, the NCAs must inform the ECB when notifications of changes are received from (i) less significant institutions that are exercising the freedom to provide services in another participating Member State and (ii) credit institutions established in non-participating Member States that are exercising the freedom to provide services in a participating Member State.

Notification of change procedures related to freedom to provide services in a non-participating Member State

The ECB and the NCAs are the joint controllers of the processing of personal data in relation to the notification of change procedures related to the freedom to provide services in a non-participating Member State in the context of the prudential supervision of significant institutions. In addition, the NCAs must inform the ECB when notifications of changes are received from less significant institutions that are exercising the freedom to provide services in a non-participating Member State.

As regards enforcement and sanctions, the ECB is the controller for the processing of personal data in relation to enforcement and sanction proceedings conducted in accordance with Articles 9 and 18 of the SSM Regulation, Articles 1(6) and 4b of Council Regulation (EC) No 2532/98 and Article 129 of the SSM Framework Regulation.

Who will be the recipients of your personal data?

The recipients of your personal data (including entities who have access to that personal data) are

  • a limited number of ECB staff members (for the performance of their tasks, including tasks relating to the prudential supervision of credit institutions);
  • a limited number of NCA or NCB staff members (for the performance of tasks relating to the prudential supervision of credit institutions);
  • the members of the ECB’s Supervisory Board and Governing Council;
  • external experts and contractors working on behalf of the ECB who give opinions, advice and support in the context of the prudential supervision of credit institutions (e.g. legal counsel);
  • a limited number of staff members of other Union institutions, bodies and agencies, supervisory authorities and national authorities (e.g. public prosecutors or authorities tackling money laundering). Personal data processed for the purposes of conducting suitability assessments may be shared with the European Supervisory Authorities (ESAs), via the ESAs’ Information System established in accordance with Article 31a of the founding regulation of each authority (Regulation (EU) 1093/2010 for the EBA, Regulation (EU) 1094/2010 for the EIOPA and Regulation (EU) 1095/2010 for the ESMA);
  • other EEA authorities or third-country authorities whose confidentiality and professional secrecy regimes have been assessed as equivalent to the EU in accordance with EBA Guidelines EBA/GL/2022/04 may exceptionally also be recipients of personal data.

What categories of personal data are collected?

The ECB processes the following personal data relating to authorisation procedures. This includes information relating to the reputation, knowledge, skills and experience of current and potential future board members of (i) supervised credit institutions and (ii) companies intending to acquire or dispose of qualifying holdings in supervised credit institutions.

The specific details of the authorisation procedures are as follows:

Licensing

Personal data processed in relation to licensing procedures include data relating to the applicant credit institution’s members of the management body, key function holders and shareholders (or members) to ascertain whether they meet the applicable requirements (e.g. in terms of reputation, financial soundness, etc.). The Commission Delegated Regulation (EU) 2022/2580 of 17 June 2022 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to the regulatory technical standards specifying the information to be provided in the application for the authorisation as a credit institution, and specifying the obstacles which may prevent the effective exercise of supervisory functions of competent authorities provides full details of the information that will be required for licensing applications. Examples of personal data relating to the applicant credit institution, its current or future shareholders or members, current or future members of its management bodies, key function holders or internal control functions, or any other affiliated parties (as a result of outsourcing arrangements, funding arrangements, etc.) can be found in the sections on qualifying holdings and fit and proper assessments.

Qualifying holdings

Without prejudice to national law, the following types of personal data are usually processed in relation to the acquisition of qualifying holdings, with information covering both (i) proposed direct or indirect acquirers (natural persons or, in the case of legal persons, members of their management bodies) and (ii) persons linked to those proposed acquirers:

  • personal details (full name, ID card/passport number, nationality, etc.);
  • contact details (postal address, email address, phone number, etc.);
  • details of knowledge, skills and experience (e.g. information regarding practical, professional experience gained in previous positions and theoretical experience (knowledge and skills) gained through education and training);
  • reputational information, such as:
    • details of any criminal record, relevant criminal investigations/proceedings, relevant civil/administrative cases, or disciplinary action (including disqualification as a company director, bankruptcy, insolvency or similar proceedings);
    • a statement as to whether criminal proceedings are pending or the person or any organisation managed by such person has ever been involved as a debtor in insolvency proceedings or comparable proceedings;
    • details of any investigations, enforcement proceedings or sanctions carried out or imposed by a supervisory authority;
    • information on any refusal of registration, authorisation, membership or a licence to carry out a trade, business or profession;
    • information on any withdrawal, revocation or termination of registration, authorisation, membership or a licence;
    • information on any expulsion by a regulatory or government body;
    • information on any dismissal from employment, a position of trust or a fiduciary relationship (or a similar situation), or any request to resign from such a position;
  • financial details, such as:
    • information regarding the person’s financial position or soundness, sources of revenue, assets and liabilities, pledges and guarantees;
    • ratings and public reports on companies controlled or directed by the person in question;
    • ratings and public reports on the said person;
  • information as to whether an assessment of the person’s reputation as an acquirer or someone who directs the business of a financial institution has already been conducted by another competent supervisory authority in the financial sector (including details of the identity of that authority and evidence of the outcome of that assessment);
  • information as to whether an assessment of the person’s reputation has already been conducted by another competent authority in a non-financial sector (including details of the identity of that authority and evidence of the outcome of that assessment);
  • details of any financial relationship (involving credit operations, guarantees, pledges, etc.) or non-financial relationship (e.g. a close family relationship or cohabitation) with:
    • any current shareholder of the target institution;
    • any person entitled to exercise voting rights in the target institution;
    • the target institution itself or its group;
  • details of any other interest or activity that is in conflict with the target institution and possible solutions to such conflicts of interests.

For further details, please also refer to the list of information recommended by the Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector (JC/GL/2016/01) as regards assessing the acquisition of a qualifying holding.

Furthermore, any personal data listed in the relevant section that are required for a fit and proper assessment of members of the management body of the target institution who are to be newly appointed can also be processed as part of the qualifying holding assessment.

Approval or exemption of (mixed) financial holding companies

The types of personal data processed in relation to the approval or exemption of (mixed) financial holding companies include data relating to the suitability of the applicant’s members of the management body (see below the types of personal data mentioned in relation to fit and proper assessments) and shareholders/members (see above the types of personal data mentioned in relation to qualifying holdings) to ascertain whether they meet the applicable requirements (e.g. in terms of reputation, financial soundness, etc.).

Mergers and divisions

Without prejudice to national law, the following types of personal data related to the involved financial stakeholders are generally processed in relation to mergers and divisions:

  • personal details (full name, ID card/passport number, nationality, etc.);
  • contact details (postal address, email address, phone number, etc.);
  • details of knowledge, skills and experience (e.g. information regarding practical, professional experience gained in previous positions and theoretical experience (knowledge and skills) gained through education and training);
  • reputational information, such as:
    • details of any criminal record, relevant criminal investigations/proceedings, relevant civil/administrative cases, or disciplinary action (including disqualification as a company director, bankruptcy, insolvency or similar proceedings);
    • a statement as to whether criminal proceedings are pending or the person or any organisation managed by such person has ever been involved as a debtor in insolvency proceedings or comparable proceedings;
    • details of any investigations, enforcement proceedings or sanctions carried out or imposed by a supervisory authority;
    • information on any refusal of registration, authorisation, membership or a licence to carry out a trade, business or profession;
    • information on any withdrawal, revocation or termination of registration, authorisation, membership or a licence;
    • information on any expulsion by a regulatory or government body;
    • information on any dismissal from employment, a position of trust or a fiduciary relationship (or a similar situation), or any request to resign from such a position;
  • information as to whether an assessment of reputation of the financial stakeholders involved in the operation has already been conducted by another competent supervisory authority in the financial sector (including details of the identity of that authority and evidence of the outcome of that assessment);
  • information as to whether an assessment of reputation of the financial stakeholders involved in the operation has already been conducted by another competent authority in a non-financial sector (including details of the identity of that authority and evidence of the outcome of that assessment).

Fit and proper assessments

Annex III to the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU (EBA/GL/2017/12) contains a list of information to be provided to the competent authorities for each suitability assessment. The personal data processed include:

  • personal details (full name, ID card/passport number, nationality, etc.);
  • contact details (postal address, email address, phone number, etc.);
  • signature of appointee, gender, job titles, functions, (if applicable) professional association memberships;
  • professional data, such as education, training, employment or other positions held by the appointee and the members of the management body for which the appointee is nominated;
  • other professional data, such as any other business activities of the appointee;
  • details of any criminal record, information on criminal investigations or proceedings, relevant civil or administrative proceedings, or disciplinary actions, including disqualification as a company director, bankruptcy, insolvency or similar procedures;
  • financial details of the appointee; details of any personal, professional and financial relationships of close relatives with the supervised entity for which the appointee is nominated, its parent entity or its subsidiaries;
  • information as to whether a fit and proper assessment has already been conducted by another competent supervisory authority and information about the outcome of this assessment;
  • any remarks made by the ECB or NCA staff members regarding the performance of the appointee in their current or previous role that may have an impact on the current fit and proper procedure;
  • information on the conduct of the appointee in their current role that may be relevant in the context of reassessments.

Withdrawal of authorisation

The following types of personal data may be processed when deciding whether to withdraw authorisation to pursue the business of a credit institution:

  • any personal data provided in the context of an assessment of qualifying holdings, the granting of authorisation or a fit and proper assessment (see relevant sections above) which are required in order to assess the potential withdrawal of authorisation;
  • any personal data included in information about the activities of the institution, statements by the institution regarding its status, and any other documents provided under applicable national law and the by-laws of the institution;
  • any personal data included in information about on-site inspections, the Supervisory Review and Evaluation Process, whistleblowing, supervisory findings and measures, communication with the credit institution, or court orders and decisions.

Right of establishment and freedom to provide services

The personal data processed in relation to the right of establishment and freedom to provide services are those referred to in the forms set out in Commission Implementing Regulation (EU) No 926/2014 of 27 August 2014 as amended by Commission Implementing Regulation (EU) 2022/193 laying down implementing technical standards with regard to standard forms, templates and procedures for notifications relating to the exercise of the right of establishment and the freedom to provide services according to Directive 2013/36/EU of the European Parliament and of the Council. Information relating to natural persons associated with supervised credit institutions (e.g. staff members or customers) in the context of on and off-site supervision.

Enforcement and sanctions

The ECB processes the following personal data:

  • personal details (full name, ID card/passport number, nationality and signature, address and phone number);
  • education, training and employment details;
  • financial details;
  • any criminal records, including (suspected) criminal offences, convictions, information on criminal investigations and proceedings, relevant civil and administrative proceedings, and disciplinary actions;
  • personal data that have come to the knowledge of the ECB by other means (e.g. via the media).

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

In the context of supervisory cooperation, some personal data may be sent outside the European Economic Area to international organisations, supervisory authorities and the administrations of third countries.

Such transfers may take place on the basis of an adequacy decision by the European Commission pursuant to Article 47 of Regulation (EU) 2018/1725.

In the absence of an adequacy decision by the European Commission, personal data may, under Article 48(1) of Regulation (EU) 2018/1725, only be transferred to a third country or an international organisation if appropriate safeguards are provided and enforceable data subject rights and effective legal remedies for data subjects are available.

In the absence of an adequacy decision or appropriate safeguards, transfers of personal data to third countries may only take place exceptionally on the basis of specific derogations provided for in Article 50 of Regulation (EU) 2018/1725 (particularly Article 50(1)(d)).

Personal data are stored in a secure IT system that is protected by encryption and authentication features.

The ECB may use technology (including automated and standardised information processing, usage of large language models, artificial intelligence, and textual analysis techniques, as well as automated phases of decision-making processes) in order to enhance the performance of its authorisation, fit and proper, enforcement and sanction procedures. In that case, data subjects will not be subject to decisions based solely on automated processing which have legal effects (or other similarly significant effects) on them. All appropriate technical and organisational measures will be put in place to ensure compliance with Regulation (EU) 2018/1725.

How long will the ECB keep personal data?

Your personal data will be stored for the following maximum time frames:

Authorisation procedures

15 years from the date that the relevant procedure is closed.

Fit and proper assessments

7 years from the date on which the ECB communicates its decision to the supervised entity. This general retention period applies to the majority of fit and proper assessments. In cases where the application is withdrawn before an ECB decision has been taken, the retention period starts on the date of application or notification to the ECB.

A longer retention period may exceptionally apply in cases where there is concrete justification: a) a related court action is pending; b) an administrative review is in progress; or c) either national law or the supervised entity’s statutes allow for the renewal of terms of office of persons subject to a fit and proper assessment and the data in respect of the original fit and proper assessment is crucial for the ECB’s assessment of the renewal. In the case of a) and b), the retention period expires 2 years after the final court decision or final administrative review decision, respectively, and in the case of c) it expires seven years after the renewal.

A retention period of 10 years from the date on which the ECB communicates the decision to the supervised entity would apply to very specific cases, such as negative decisions, and decisions with conditions not previously agreed with the relevant supervised entity.

Enforcement and sanctions

10 years after a case file has been closed. For cases finalised with an ECB decision to sanction an institution, the retention period shall be 15 years after the case file has been closed.

Please note that personal data may be held by the ECB’s archives in accordance with Decision (EU) 2023/1610 of the European Central Bank of 28 July 2023 establishing the historical archives of the European Central Bank.

What are your rights?

You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or to restrict the processing of your personal data in line with EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR.

Who can you contact for queries or requests?

You can exercise your rights by contacting, respectively:

  • Authorisation Division
  • Fit and Proper Division
  • Enforcement and Sanctions Division

You can also directly contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.