Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document 32024D0902

    Decision (EU) 2024/902 of the European Central Bank of 12 March 2024 amending Decision (EU) 2021/1486 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s tasks relating to the prudential supervision of credit institutions (ECB/2021/42) (ECB/2024/10)

    ECB/2024/10

    OJ L, 2024/902, 22.3.2024, ELI: http://data.europa.eu/eli/dec/2024/902/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

    Legal status of the document In force

    ELI: http://data.europa.eu/eli/dec/2024/902/oj

    European flag

    Official Journal
    of the European Union

    EN

    Series L

    2024/902

    22.3.2024

    DECISION (EU) 2024/902 OF THE EUROPEAN CENTRAL BANK

    of 12 March 2024

    amending Decision (EU) 2021/1486 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s tasks relating to the prudential supervision of credit institutions (ECB/2021/42) (ECB/2024/10)

    THE EXECUTIVE BOARD OF THE EUROPEAN CENTRAL BANK,

    Having regard to the Treaty on the Functioning of the European Union,

    Having regard to the Statute of the European System of Central Banks and of the European Central Bank, and in particular Article 11.6 thereof,

    Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25 thereof,

    Whereas:

    (1)

    Pursuant to Article 3(6) of Decision (EU) 2021/1486 of the European Central Bank (ECB/2021/42) (2) a decision to restrict the rights of a data subject that is to be taken by the controller must be made at the level of the relevant business area head or deputy head in whose business area the main processing operation involving the personal data is carried out.

    (2)

    Article 3(6) of Decision (EU) 2021/1486 (ECB/2021/42) does not specify the circumstances in which such a decision to restrict the rights of a data subject should be made at the level of such a deputy head. It should therefore be clarified that these are cases where the relevant business area head is unavailable (for example if he or she is on annual or sick leave), or has an actual or perceived conflict of interest, or has access to relevant confidential information.

    (3)

    Further, Article 3(6) of Decision (EU) 2021/1486 (ECB/2021/42) does not contemplate the case of a business area with no deputy head. It should be clarified that in such a case and where the head of the relevant business area is unavailable, or has an actual or perceived conflict of interest, or has access to relevant confidential information, a decision to restrict the rights of a data subject should be made at the level of the line manager who is competent in the circumstances to do so.

    (4)

    Finally, Article 3(6) of Decision (EU) 2021/1486 (ECB/2021/42) does not specify the level at which a decision on the restriction of the rights of a data subject is to be made in the case of a function that is not allocated to a business area. It should be clarified that such a decision should be made at the level of the holder of the function in which the main processing operation involving the personal data is carried out.

    (5)

    Therefore, Decision (EU) 2021/1486 (ECB/2021/42) should be amended accordingly,

    HAS ADOPTED THIS DECISION:

    Article 1

    Amendments

    Article 3 of Decision (EU) 2021/1486 (ECB/2021/42) is amended as follows:

    (1)

    paragraph 6 is replaced by the following:

    ‘6.   A decision to restrict the rights of a data subject pursuant to paragraph 1 or 2 that is to be taken by the controller shall be made at the level of the relevant business area head in whose business area the main processing operation involving the personal data is carried out. If such main processing operation is carried out by a function that is not part of a business area, such a decision shall be made at the level of the holder of the function.’

    ;

    (2)

    the following paragraph 7 is added:

    ‘7.   For the purposes of paragraph 6, where the relevant business area head is unavailable due to absence, or has an actual or perceived conflict of interest, or has access to relevant confidential information, a decision to restrict the rights of a data subject pursuant to paragraph 1 or 2 that is to be taken by the controller shall be made by the deputy head of the business area in which the main processing operation involving the personal data is carried out.

    Where there is no such deputy head, such a decision shall be made by the line manager competent to do so in the case of absence, conflict of interest or access to relevant confidential information of the relevant business area head.’

    .

    Article 2

    Entry into force

    This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

    Done at Frankfurt am Main, 12 March 2024.

    The President of the ECB

    Christine LAGARDE

    (1)   OJ L 295, 21.11.2018, p. 39.

    (2)  Decision (EU) 2021/1486 of the European Central Bank of 7 September 2021 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s tasks relating to the prudential supervision of credit institutions (ECB/2021/42) (OJ L 328, 16.9.2021, p. 15).

    ELI: http://data.europa.eu/eli/dec/2024/902/oj

    ISSN 1977-0677 (electronic edition)

    Top