Decision (EU) 2021/1486 of the European Central Bank of 7 September 2021 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s tasks relating to the prudential supervision of credit institutions (ECB/2021/42)

Article 1 Subject matter and scope

1.

This Decision sets out rules relating to the restriction of the rights of data subjects by the ECB when conducting personal data processing activities as recorded in the central register in the performance of its supervisory tasks pursuant to Regulation (EU) No 1024/2013.

2.

The rights of data subjects which may be restricted are specified in the following Articles of Regulation (EU) 2018/1725:

  1. Article 14 (transparent information, communication and modalities for the exercise of the rights of the data subject);

  2. Article 15 (information to be provided where personal data are collected from the data subject);

  3. Article 16 (information to be provided where personal data have not been obtained from the data subject);

  4. Article 17 (right of access by the data subject);

  5. Article 18 (right to rectification);

  6. Article 19 (right to erasure (‘right to be forgotten’));

  7. Article 20 (right to restriction of processing);

  8. Article 21 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

  9. Article 22 (right to data portability);

  10. Article 35 (communication of a personal data breach to the data subject);

  11. Article 36 (confidentiality of electronic communications);

  12. Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of Regulation (EU) 2018/1725.

Article 2 Definitions

For the purposes of this Decision, the following definitions apply:

  1. ‘processing’ means processing as defined in point (3) of Article 3 of Regulation (EU) 2018/1725;

  2. ‘personal data’ means personal data as defined in point (1) of Article 3 of Regulation (EU) 2018/1725;

  3. ‘data subject’ means an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  4. ‘central register’ means the publicly available repository of all personal data processing activities conducted at the ECB which is kept by the ECB’s DPO and referred to in Article 9 of Decision (EU) 2020/655 (ECB/2020/28);

  5. ‘controller’ means the ECB, and in particular the competent organisational unit within the ECB which, alone or jointly with others, determines the purposes and means of the processing of personal data and which is responsible for the processing operation.

  6. ‘Union institutions and bodies’ means Union institutions and bodies as defined in point (10) of Article 3 of Regulation (EU) 2018/1725.

Article 3 Application of restrictions

1.

The controller may restrict the rights referred to in Article 1(2) to safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725, in particular where the exercise of those rights would jeopardise or otherwise adversely affect:

  1. the performance of the ECB’s supervisory tasks under Regulation (EU) No 1024/2013, including the proper functioning of the supervisory system;

  2. the safety and soundness of credit institutions and the stability of the financial system within the Union and each Member State;

  3. the effectiveness of the reporting of breaches in accordance with Article 23 of Regulation (EU) No 1024/2013.

2.

To safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725, the controller may restrict the rights referred to in Article 1(2) in relation to personal data obtained from other Union institutions and bodies and competent authorities of Member States or third countries or international organisations, in any of the following circumstances:

  (a) where the exercise of those rights could be restricted by other Union institutions and bodies, from which the personal data was obtained, on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions and bodies;

  (b) where the exercise of those rights could be restricted by the competent authorities of Member States, from which the personal data was obtained, on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council(1), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council(2);

  (c) where the exercise of those rights could jeopardise or otherwise adversely affect the ECB’s cooperation with third countries or international organisations, from which the information was obtained, in the conduct of its tasks, unless the ECB’s interest in cooperation is overridden by the interests or fundamental rights and freedoms of the data subjects.

3.

Before applying a restriction in the circumstances referred to in paragraphs 2(a) and (b), the controller shall:

  1. take note of arrangements concluded with the relevant Union institutions and bodies or the competent authorities of Member States; and

  2. consult with the relevant Union institutions and bodies or the competent authorities of Member States unless it is clear to the controller that the application of that restriction is provided for by one of the acts or measures referred to in paragraphs 2(a) and (b).

4.

The controller may only apply a restriction where on a case-by-case assessment it concludes that the restriction:

  1. is necessary and proportionate taking into account the risks to the rights and freedoms of the data subject; and

  2. respects the essence of the fundamental rights and freedoms in a democratic society.

5.

The controller shall document its assessment in an internal assessment note which shall include the legal basis, the reasons for the restriction, the rights of the data subjects that are restricted, the data subjects affected, the necessity and proportionality of the restriction and the likely duration of the restriction.

6.

A decision to restrict the rights of a data subject pursuant to paragraph 1 or 2 that is to be taken by the controller shall be made at the level of the relevant business area head in whose business area the main processing operation involving the personal data is carried out. If such main processing operation is carried out by a function that is not part of a business area, such a decision shall be made at the level of the holder of the function.

7.

For the purposes of paragraph 6, where the relevant business area head is unavailable due to absence, or has an actual or perceived conflict of interest, or has access to relevant confidential information, a decision to restrict the rights of a data subject pursuant to paragraph 1 or 2 that is to be taken by the controller shall be made by the deputy head of the business area in which the main processing operation involving the personal data is carried out.

Where there is no such deputy head, such a decision shall be made by the line manager competent to do so in the case of absence, conflict of interest or access to relevant confidential information of the relevant business area head.

Article 4 Derogations

1.

For processing for scientific or historical research purposes or statistical purposes, the controller may apply derogations in accordance with Article 25(3) of Regulation (EU) 2018/1725. To that end, the controller may derogate from the rights referred to in Articles 17, 18, 20 and 23 of Regulation (EU) 2018/1725 in accordance with the conditions provided for in Article 25(3) of that Regulation.

2.

For processing for archiving purposes in the public interest, the controller may apply derogations in accordance with Article 25(4) of Regulation (EU) 2018/1725. To that end, the controller may derogate from the rights referred to in Articles 17, 18, 20, 21, 22 and 23 of Regulation (EU) 2018/1725 in accordance with the conditions provided for in Article 25(4) of that Regulation.

3.

Such derogations shall be subject to appropriate safeguards in accordance with Article 13 of Regulation (EU) 2018/1725 and Article 8 of this Decision.

Article 5 Provision of general information on restrictions

The controller shall provide general information on the potential restriction of data subject rights as follows:

  (a) the controller shall specify the rights which may be restricted, the reasons for restriction and the potential duration;

  (b) the controller shall include the information referred to in point (a) in its data protection notices, privacy statements and records of processing activities as referred to in Article 31 of Regulation (EU) 2018/1725.

Article 6 Restriction of right of access by data subjects, right to rectification, right of erasure or restriction of processing

Article 7 Duration of restrictions

Article 8 Safeguards

Article 9 Review by the data protection officer

Article 10 Entry into force

ANNEX