Privacy statement for the ECB’s whistleblowing platform
Objective of the whistleblowing platform and data protection
The European Central Bank (ECB) has developed a breach reporting mechanism, known as the whistleblowing platform, to be used by anyone who, acting in good faith, has reasonable grounds to believe that a supervised entity or competent authority has breached the legal acts referred to in Article 4(3) of Council Regulation (EU) No 1024/2013[1] (the SSM Regulation) and wishes to submit relevant information to the ECB.
Since the ECB is an EU Institution, Regulation (EU) No 2018/1725 of the European Parliament and of the Council[2] and Decision ECB/2020/655[3] on data protection apply. For the purposes of the applicable data protection rules, the ECB is the data controller.
What data does the ECB collect and how?
The ECB processes personal data relating to persons – informants, accused persons, persons who may be able to provide further information (witnesses) and other involved persons – who are mentioned in whistleblowing reports submitted via the whistleblowing platform. It also processes personal data of members of staff of the ECB, national competent authorities (NCAs) or national central banks (NCBs),[4] and people mentioned in breach reports who are not staff members, such as agency staff. Personal data of such persons are processed even if these persons are of no relevance to the case and their rights are not affected by the information provided.
The ECB does not place informants under any obligation to disclose personal data, since the platform allows reports to be submitted anonymously. However, it cannot be ruled out that, during the process, the ECB may receive reports containing personal data[5], employment data[6], financial data[7], data on education or training, or data on any (suspected) offences and criminal convictions for the persons mentioned above.
Who has access to the information submitted and who is it disclosed to?
The ECB is the controller of the personal data, and the unit responsible for the processing (the whistleblowing unit) is the Enforcement and Sanctions Division of the Directorate General SSM Governance and Operations. Its members are bound by a strict confidentiality regime.
The whistleblowing unit does not investigate reports itself but assesses whether a report is relevant to the ECB or an NCA from the perspective of competences, as outlined in the SSM Regulation. If the whistleblowing unit concludes that a report is relevant, it forwards the report, or elements of it, to an NCA or the relevant business area within the ECB, accompanied by a note setting out the relevant elements of the case.
A note issued by the whistleblowing unit does not contain the personal data of an informant, unless the informant has given their explicit consent or if the disclosure is required by a court order. Personal data of accused persons, potential witnesses or third persons that are considered by the whistleblowing unit to be relevant for the follow-up action to be taken by the recipients of the note may only be transmitted on a need-to-know basis.
The ECB divides the reports it receives into three categories:
- (a) relevant for the ECB’s tasks related to the Single Supervisory Mechanism (SSM);
- (b) relevant for the ECB’s tasks unrelated to the SSM;
- (c) not relevant.
The ECB’s intent, in providing the whistleblowing platform, is to receive only reports on breaches of relevant Union law[8] committed by supervised entities or competent authorities which fall into category (a). Category (a) reports are treated by the ECB as “protected” reports, which means that the special protection regime outlined in this privacy statement applies. If a report of this type is relevant for an NCA, the ECB must forward the report to it.
If the ECB receives information that does not relate to a breach of relevant Union law but concerns other tasks of the ECB (category (b) reports), the information will be forwarded to the competent business area within the ECB.
If the ECB receives a report that it determines is not relevant (category (c) report), it will delete any personal data after the applicable retention period has expired, without forwarding any information.
For reports falling into categories (b) and (c), the ECB’s general data protection standards apply.
How does the ECB protect and safeguard your personal data?
Whistleblowing reports are submitted through a dedicated web platform operated by an external service provider operating as the data processor via a cloud storage system.[9] Any personal data shared via this web platform, which enables communication between the informant and the ECB, are encrypted and cannot therefore be accessed by the external service provider. The external service provider must provide the ECB with all information necessary to demonstrate compliance with the obligations stemming from Regulation 2018/1725.
The information received by the whistleblowing unit is stored in a case file in the ECB’s secured and protected records and information management system (IMAS). The file is only accessible to a limited number of staff members. Once the information has been stored in IMAS, any personal data stored on the web platform is deleted. The ECB may apply technology (including automated and standardised information processing, large language models, artificial intelligence and textual analysis techniques, as well as automated phases of decision-making processes) to enhance the performance of its supervisory tasks. In that case, data subjects – i.e. identified or identifiable natural persons – will not be subject to decisions based solely on automated processing which have legal effects (or other similarly significant effects) on them. Furthermore, the ECB may use the European Commission’s AI-based multilingual services, such as eTranslation (machine translation), summarisation, speech-to-text, named-entity recognition, anonymisation and document categorisation. All appropriate technical and organisational measures are put in place to ensure compliance with Regulation (EU) 2018/1725.
How long does the ECB keep your personal data?
After a case file has been closed, all relevant personal data will be stored for the applicable retention period. If a report that the ECB receives is considered relevant to the ECB’s SSM-related tasks, the data will be stored for 15 years. If a report received is considered either relevant to the ECB’s tasks unrelated to the SSM or not relevant, the data will be stored for a period of three months after the case file has been closed.
Confidentiality waiver
The ECB is not allowed to reveal an informant’s identity without first obtaining that person’s explicit consent, unless such disclosure is required by a court order in the context of further investigations or subsequent judicial proceedings. By accepting the confidentiality waiver in the online form, you agree to allow the ECB to forward your personal data to the relevant NCA. If you accept the confidentiality waiver, the ECB will only forward your personal data to the relevant NCA:
- if the NCA files a request stating its reasons for needing these personal data, e.g. if it needs additional information from you in order to properly follow up on the report you submitted;
- if the ECB considers these reasons to be relevant and proportionate.
By accepting the confidentiality waiver, you do not give consent to a transfer of your personal data to recipients other than the relevant NCA.
Transfer of personal data to third countries
The ECB is party to various cooperation agreements with other authorities and international organisations. These organisations may request personal data from whistleblowing case files on reported breaches of EU law. In such cases, the ECB is required to comply with specific rules on the transfer of personal data to recipients located in non-EU countries, where EU data protection law does not apply. These rules are specified in Chapter V of Regulation (EU) 2018/1725.
How can you verify, modify or delete your personal data?
You have the right to access, correct, complete or request deletion of your personal data held by the ECB by lodging another report or sending a notification to the ECB via the whistleblowing platform. The additional information is then added to the information already received.
Right of recourse
Queries or complaints relating to the processing of data collected via the whistleblowing platform should be addressed to the ECB in its capacity as data controller and/or to the ECB’s Data Protection Officer (dpo@ecb.europa.eu). You also have the right to have recourse to the European Data Protection Supervisor (edps@edps.europa.eu).
[1] Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
[2] Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
[3] Decision (EU) 2020/655 of the European Central Bank of 5 May 2020 adopting implementing rules concerning data protection at the European Central Bank and repealing Decision ECB/2007/1 (ECB/2020/28) (OJ L 152, 15.5.2020, p. 13).
[4] Personal data of NCB/NCA staff members may be included in files/emails submitted to the ECB by NCBs/NCAs, at the discretion of the respective NCB/NCA.
[5] Personal data include a person’s first name(s) and surname, date of birth, birthplace, address, nationality, signature, ID card number, passport number, telephone number and email address.
[6] Employment data include a person’s profession, employer and function.
[7] Financial data include salary statements, bank accounts and securities portfolios.
[8] For further information on the term “relevant Union law” please see the web page on important legal information.
[9] For more information see the ECB’s web page on whistleblowing.