This Decision sets out rules relating to the restriction of the rights of data subjects by the ECB when conducting personal data processing activities, as recorded in the central register, in connection with its internal functioning.
Decision (EU) 2022/2359 of the European Central Bank of 22 November 2022 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s internal functioning (ECB/2022/42)
Article 1 Subject matter and scope
The rights of data subjects which may be restricted are specified in the following Articles of Regulation (EU) 2018/1725:
- Article 14 (transparent information, communication and modalities for the exercise of the rights of the data subject);
- Article 15 (information to be provided where personal data are collected from the data subject);
- Article 16 (information to be provided where personal data have not been obtained from the data subject);
- Article 17 (right of access by the data subject);
- Article 18 (right to rectification);
- Article 19 (right to erasure (‘right to be forgotten’));
- Article 20 (right to restriction of processing);
- Article 21 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
- Article 22 (right to data portability);
- Article 35 (communication of a personal data breach to the data subject);
- Article 36 (confidentiality of electronic communications);
- Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of Regulation (EU) 2018/1725.
Article 2 Definitions
For the purposes of this Decision, the following definitions apply:
- ‘processing’ means processing as defined in point (3) of Article 3 of Regulation (EU) 2018/1725;
- ‘personal data’ means personal data as defined in point (1) of Article 3 of Regulation (EU) 2018/1725;
- ‘data subject’ means an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘central register’ means the publicly available repository of all personal data processing activities conducted at the ECB which is kept by the DPO and referred to in Article 9 of Decision (EU) 2020/655 (ECB/2020/28);
- ‘controller’ means the ECB, and in particular the competent organisational unit within the ECB which, alone or jointly with others, determines the purposes and means of the processing of personal data and which is responsible for the processing operation;
- ‘Union institutions and bodies’ means Union institutions and bodies as defined in point (10) of Article 3 of Regulation (EU) 2018/1725.
Article 3 Application of restrictions
For personal data processing activities set out in Article 1(1) the controller may restrict the rights referred to in Article 1(2) to safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725, where the exercise of those rights would endanger any of the following:
- the assessment and reporting of potential breaches of professional duties and, where necessary, their subsequent investigation and follow-up, including suspension from duties, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the informal and/or formal dignity at work procedures, including the consideration of cases that may result in such a procedure as set out in Part 0.5 of the ECB Staff Rules, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the proper performance of DG/HR’s functions under the employment law framework at the ECB relating to performance management, promotion procedures or the direct appointment of ECB personnel, selection procedures and professional development, the safeguarding of which is in accordance with points (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the examination of internal appeals brought by ECB personnel (including through administrative review or grievance procedures, special appeal procedures or medical committees) and their follow up, the safeguarding of which is in accordance with points (b), (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the reporting of any illegal activity or breach of professional duties via the ECB’s whistleblowing tool or the assessment of requests by the Compliance and Governance Office (CGO) for protection of whistle-blowers or witnesses from retaliation, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the activities of the CGO under the Ethics Framework of the ECB set out in Part 0 of the ECB Staff Rules and the rules on selection and appointment set out in Part 1A of the ECB Staff Rules, and the monitoring for compliance purposes of private financial activities including both the functions exercised by the external service provider appointed pursuant to Article 0.4.3.3 of the ECB Staff Rules and the assessment and follow-up of potential breaches resulting from such monitoring by the CGO, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- audits undertaken by the Directorate Internal Audit, investigative activities and internal administrative inquiries, the safeguarding of which is in accordance with points (b), (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the performance of the ECB’s functions pursuant to Decision (EU) 2016/456 (ECB/2016/3), in particular the duty of the ECB to report any information about illegal activity, the safeguarding of which is in accordance with points (b), (c), (g) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- investigations conducted by the DPO on processing activities carried out at the ECB pursuant to point (b) of Article 4 of Decision (EU) 2020/655 (ECB/2020/28), the safeguarding of which is in accordance with points (b) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- investigations for the purposes of ensuring physical security at the ECB of persons, premises and property, whether handled internally or with external support, the gathering of threat intelligence and security incidents analysis, the safeguarding of which is in accordance with points (b), (c), (d) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- judicial proceedings, the safeguarding of which is in accordance with points (b), (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the cooperation between the ECB and national criminal investigation authorities, in particular the provision of confidential information held by the ECB for disclosure to a national criminal investigation authority at the request of the latter, the safeguarding of which is in accordance with points (b), (c), (d) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the cooperation between the ECB and the EPPO pursuant to Regulation (EU) 2017/1939, in particular the duty of the ECB to provide information about offences, the safeguarding of which is in accordance with points (b), (c), (d) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the cooperation with EU bodies exercising a supervisory, oversight or auditing function to which the ECB is subject, the safeguarding of which is in accordance with points (c), (d), (g) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the performance of a mediator’s tasks pursuant to the internal dispute resolution framework at the ECB, in particular giving support to help resolve or prevent a work-related dispute, the safeguarding of which is in accordance with point (h) of Article 25(1) of Regulation (EU) 2018/1725;
- the provision of the counselling services by the social counsellor to support ECB personnel, the safeguarding of which is in accordance with point (h) of Article 25(1) of Regulation (EU) 2018/1725.
The categories of personal data in relation to which restrictions referred to in paragraph 1 may be applied are specified in Annexes I to XIV to this Decision.
The controller may only apply a restriction where on a case-by-case assessment it concludes that the restriction:
- is necessary and proportionate taking into account the risks to the rights and freedoms of the data subject; and
- respects the essence of the fundamental rights and freedoms in a democratic society.
The controller shall document its assessment in an internal assessment note which shall include the legal basis, the reasons for the restriction, the rights of the data subjects that are restricted, the data subjects affected, the necessity and proportionality of the restriction and the likely duration of the restriction.
A decision to restrict the rights of a data subject pursuant to paragraph 1 that is to be taken by the controller shall be made at the level of the relevant business area head in whose business area the main processing operation involving the personal data is carried out. If such main processing operation is carried out by a function that is not part of a business area, such a decision shall be made at the level of the holder of the function.
For the purposes of paragraph 4, where the relevant business area head is unavailable due to absence, or has an actual or perceived conflict of interest, or has access to relevant confidential information, a decision to restrict the rights of a data subject pursuant to paragraph 1 that is to be taken by the controller shall be made by the deputy head of the business area in which the main processing operation involving the personal data is carried out.
Where there is no such deputy head, such a decision shall be made by the line manager competent to do so in the case of absence, conflict of interest or access to relevant confidential information of the relevant business area head.
Article 4 Provision of general information on restrictions
The controller shall provide general information on the potential restriction of data subject rights as follows:
- the controller shall specify the rights which may be restricted, the reasons for restriction and the potential duration;
- the controller shall include the information referred to in point (a) in its data protection notices, privacy statements and records of processing activities as referred to in Article 31 of Regulation (EU) 2018/1725.
Article 5 Restriction of right of access by data subjects, right to rectification, right of erasure or restriction of processing
Where the controller restricts, wholly or partially, the right of access, the right to rectification, the right of erasure or the right to restriction of processing, respectively referred to in Articles 17, 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall, within the period referred to in Article 11(5) of Decision (EU) 2020/655 (ECB/2020/28), inform the data subject concerned, in its written reply to the request, of the restriction applied, the principal reasons for the restriction, the possibility of lodging a complaint with the European Data Protection Supervisor and of seeking a judicial remedy in the Court of Justice of the European Union.
The controller shall keep the internal assessment note referred to in Article 3(3) and, where applicable, the documents containing underlying factual and legal elements and make these available to the DPO and European Data Protection Supervisor on request.
The controller may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 for as long as that provision of information would undermine the purpose of the restriction. As soon as the controller determines that providing the information no longer undermines the purpose of the restriction, the controller shall provide that information to the data subject.