EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 32022D2359

Decision (EU) 2022/2359 of the European Central Bank of 22 November 2022 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s internal functioning (ECB/2022/42)

ECB/2022/42

OJ L 311, 2.12.2022, p. 176–198 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

In force

ELI: http://data.europa.eu/eli/dec/2022/2359/oj

2.12.2022   

EN

Official Journal of the European Union

L 311/176


DECISION (EU) 2022/2359 OF THE EUROPEAN CENTRAL BANK

of 22 November 2022

adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s internal functioning (ECB/2022/42)

THE EXECUTIVE BOARD OF THE EUROPEAN CENTRAL BANK,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to the Statute of the European System of Central Banks and of the European Central Bank, and in particular Article 11.6 thereof,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1), and in particular Article 25 thereof,

Whereas:

(1)

The European Central Bank (ECB) carries out its tasks in accordance with the Treaties.

(2)

In accordance with Article 45(3) of Regulation (EU) 2018/1725, Decision (EU) 2020/655 of the European Central Bank (ECB/2020/28) (2) sets out the general rules implementing Regulation (EU) 2018/1725 as regards the ECB. In particular, it specifies the rules relating to the appointment and role of the data protection officer of the ECB (DPO), including the DPO’s tasks, duties and powers.

(3)

In exercising the tasks conferred on the ECB, the ECB and in particular the organisational unit concerned acts as data controller in so far as it determines, alone or jointly with others, the purposes and means of the processing of personal data.

(4)

In connection with the internal functioning of the ECB, various business areas of the ECB (including Directorate General Human Resources (DG/HR), the Compliance and Governance Office (CGO), the Directorate Internal Audit (D/IA) and the Directorate General Legal Services (DG/L)) are entrusted with tasks within the legal framework governing employment at the ECB which involve the processing of personal data. Such tasks could include, for example, actions taken in relation to potential breaches of professional duties (including investigations of inappropriate behaviour pursuant to the ECB’s dignity at work framework and the follow-up of the reporting of any illegal activity or any breach of professional duties submitted via any channel, including inter alia, via the ECB’s whistleblowing tool); tasks relating to selection procedures; tasks undertaken by DG/HR in the performance of its functions relating to performance management, promotion, the direct appointment of ECB personnel, professional development including calibrations of talent within and across business areas, salary increases and bonuses and decisions on mobility and leave; the examination of internal appeals brought by ECB personnel (including through administrative review, grievance procedures, special appeal procedures or medical committees) and their follow-up; the CGO’s advisory tasks under the Ethics Framework of the ECB (set out in Part 0 of the ECB Staff Rules) and the CGO’s tasks relating to the monitoring for compliance purposes of private financial activities (including cooperation with any external service provider appointed pursuant to Article 0.4.3.3 of the ECB Staff Rules); and audits performed by the D/IA and the tasks performed in the context of Administrative Circular 01/2006 on internal administrative inquiries (3) when conducting investigative activities and administrative inquiries in situations which may have a possible disciplinary dimension involving ECB personnel (including the tasks of the persons conducting the inquiry or the members of the inquiry panel where they are required to gather evidence and establish the relevant facts).

(5)

Pursuant to Decision (EU) 2016/456 of the European Central Bank (ECB/2016/3) (4) the ECB must transmit to the European Anti-Fraud Office, at its request or on the ECB’s own initiative, information in the ECB’s possession which gives rise to a suspicion of the existence of possible cases of fraud, corruption or any other illegal activity affecting the Union's financial interest. Decision (EU) 2016/456 (ECB/2016/3) provides that in such a case interested parties are informed rapidly, if this will not be harmful to the investigation, and that, in any event, no conclusions referring by name to interested parties may be drawn without giving interested parties the opportunity to express their views on all the facts relating to them, including any evidence existing against them.

(6)

Pursuant to point (b) of Article 4 of Decision (EU) 2020/655 (ECB/2020/28) the DPO must investigate matters and incidents relating to data protection either on its own initiative or at the request of the ECB.

(7)

The Security and Safety Division within Directorate Administration is responsible for conducting investigations for the purposes of ensuring the protection of physical security at the ECB of person, premises and property, for gathering threat intelligence and for security incidents analysis.

(8)

The ECB has a duty of loyal cooperation with national authorities, including national criminal prosecution authorities. In particular, pursuant to Decision (EU) 2016/1162 of the European Central Bank (ECB/2016/19) (5), the ECB may, at the request of a national criminal investigation authority, provide confidential information held by it and related to the tasks conferred on the ECB by Council Regulation (EU) No 1024/2013 (6) or other ESCB/Eurosystem-related tasks to an NCA or NCB respectively for disclosure to the national criminal investigation authority in question under certain conditions.

(9)

Pursuant to Council Regulation (EU) 2017/1939 (7), the ECB must provide without delay any information to the European Public Prosecutor’s Office (EPPO) where a suspicion of an offence within its competence is identified.

(10)

The ECB must cooperate with the EU bodies exercising a supervisory, oversight or auditing function to which the ECB is subject, such as the European Data Protection Supervisor, the European Court of Auditors and the European Ombudsman, in the performance of their respective tasks. In this context, the ECB may process personal data to be able to respond to requests, consult with and provide information to such bodies.

(11)

Pursuant to the internal dispute resolution framework at the ECB, ECB personnel may contact a mediator at any time and by any means to request the mediator’s support in resolving or preventing a work-related dispute. That framework provides that all communication with the mediator is protected by confidentiality. Anything mentioned during the mediation process is regarded as privileged and each party involved in mediation must use such information solely for the purpose of the mediation process, without prejudice to any legal proceedings. Exceptionally, the mediator may disclose information when disclosure appears necessary to prevent an imminent risk of serious harm to the physical or mental integrity of a person.

(12)

The ECB strives to ensure working conditions which protect the health and safety of its personnel and respect their dignity at work by providing counselling services to support them. ECB personnel may solicit the services of a social counsellor with respect to any issues including emotional, personal and work-related issues. The social counsellor may not have access to the personal file of ECB personnel, unless explicitly authorised by them. No information received or statements made by an individual to the social counsellor may be disclosed, unless explicitly authorised by such individual or so required by the law.

(13)

In connection with its internal functioning, the ECB processes several categories of data that may be related to an identified or identifiable natural person. Non-exhaustive lists of those categories of personal data which are processed by the ECB in connection with its internal functioning are contained in the Annexes to this Decision. Personal data could also form part of an assessment including an assessment conducted by the responsible business area relating to the matter being examined, including, for instance, an assessment by DG/HR, DG/L, D/IA or by a disciplinary committee or an inquiry panel on a breach of professional duties.

(14)

In the context of recitals 4 to 13, it is appropriate to specify the grounds on which the ECB may restrict the rights of data subjects.

(15)

The aim of the ECB in performing its tasks is to pursue important objectives of general public interest of the Union. Therefore, the performance of such tasks should be safeguarded as contemplated by Regulation (EU) 2018/1725, in particular points (b), (c), (d), (f), (g) and (h) of Article 25(1).

(16)

In accordance with Article 25(1) of Regulation (EU) 2018/1725, restrictions of the application of Articles 14 to 22, 35 and 36 and, in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22, Article 4 of that Regulation should be set out in internal rules or legal acts adopted on the basis of the Treaties. Accordingly, the ECB should set out the rules under which it may restrict the rights of data subjects in the performance of its tasks.

(17)

The ECB should justify why such restrictions of data subjects’ rights are strictly necessary and proportionate in a democratic society to safeguard the objectives pursued in the exercise of its official authority and the functions connected to it, and how the ECB respects the essence of fundamental rights and freedoms whilst imposing any such restriction.

(18)

Within this framework the ECB is bound to respect, to the maximum extent possible, the fundamental rights of data subjects, in particular those relating to the right of provision of information, access and rectification, right to erasure, restriction of processing, right of communication of a personal data breach to the data subject or confidentiality of communication as provided for in Regulation (EU) 2018/1725.

(19)

However, the ECB may be obliged to restrict the information provided to data subjects and the rights of other data subjects to protect the performance of its tasks, in particular its own investigations and procedures, the investigations and procedures of other public authorities and the fundamental rights and freedoms of other persons related to its investigations or other procedures.

(20)

The ECB should lift a restriction which has already been applied to the extent it is no longer needed.

(21)

The DPO should review the application of restrictions with a view to ensuring compliance with this Decision and with Regulation (EU) 2018/1725.

(22)

Whilst this Decision sets out the rules under which the ECB may restrict the rights of data subjects when the ECB processes personal data in connection with its internal functioning, the Executive Board has adopted a separate decision adopting internal rules concerning the restriction of rights in the performance of its supervisory tasks.

(23)

The ECB may be able to apply an exception in accordance with Regulation (EU) 2018/1725 which makes the need to consider a restriction unnecessary including in particular those set out in Articles 15(4), 16(5), 19(3) and 35(3) of that Regulation.

(24)

Derogations from the rights of data subjects referred to in Articles 17, 18, 20, 21, 22 and 23 of Regulation (EU) 2018/1725 for archiving purposes in the public interest may be provided for in internal rules or legal acts adopted on the basis of the Treaties by the ECB in relation to its archiving subject to the conditions and safeguards required in accordance with Article 25(4) of Regulation (EU) 2018/1725.

(25)

The European Data Protection Supervisor was consulted in accordance with Article 41(2) of Regulation (EU) 2018/1725 and delivered an opinion on 12 March 2021.

(26)

The Staff Committee has been consulted,

HAS ADOPTED THIS DECISION:

Article 1

Subject matter and scope

1.   This Decision sets out rules relating to the restriction of the rights of data subjects by the ECB when conducting personal data processing activities, as recorded in the central register, in connection with its internal functioning.

2.   The rights of data subjects which may be restricted are specified in the following Articles of Regulation (EU) 2018/1725:

(a)

Article 14 (transparent information, communication and modalities for the exercise of the rights of the data subject);

(b)

Article 15 (information to be provided where personal data are collected from the data subject);

(c)

Article 16 (information to be provided where personal data have not been obtained from the data subject);

(d)

Article 17 (right of access by the data subject);

(e)

Article 18 (right to rectification);

(f)

Article 19 (right to erasure (‘right to be forgotten’));

(g)

Article 20 (right to restriction of processing);

(h)

Article 21 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(i)

Article 22 (right to data portability);

(j)

Article 35 (communication of a personal data breach to the data subject);

(k)

Article 36 (confidentiality of electronic communications);

(l)

Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of Regulation (EU) 2018/1725.

Article 2

Definitions

For the purposes of this Decision, the following definitions apply:

(1)

‘processing’ means processing as defined in point (3) of Article 3 of Regulation (EU) 2018/1725;

(2)

‘personal data’ means personal data as defined in point (1) of Article 3 of Regulation (EU) 2018/1725;

(3)

‘data subject’ means an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(4)

‘central register’ means the publicly available repository of all personal data processing activities conducted at the ECB which is kept by the DPO and referred to in Article 9 of Decision (EU) 2020/655 (ECB/2020/28);

(5)

‘controller’ means the ECB, and in particular the competent organisational unit within the ECB which, alone or jointly with others, determines the purposes and means of the processing of personal data and which is responsible for the processing operation;

(6)

‘Union institutions and bodies’ means Union institutions and bodies as defined in point (10) of Article 3 of Regulation (EU) 2018/1725.

Article 3

Application of restrictions

1.   For personal data processing activities set out in Article 1(1) the controller may restrict the rights referred to in Article 1(2) to safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725, where the exercise of those rights would endanger any of the following:

(a)

the assessment and reporting of potential breaches of professional duties and, where necessary, their subsequent investigation and follow-up, including suspension from duties, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(b)

the informal and/or formal dignity at work procedures, including the consideration of cases that may result in such a procedure as set out in Part 0.5 of the ECB Staff Rules, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(c)

the proper performance of DG/HR’s functions under the employment law framework at the ECB relating to performance management, promotion procedures or the direct appointment of ECB personnel, selection procedures and professional development, the safeguarding of which is in accordance with points (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(d)

the examination of internal appeals brought by ECB personnel (including through administrative review or grievance procedures, special appeal procedures or medical committees) and their follow up, the safeguarding of which is in accordance with points (b), (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(e)

the reporting of any illegal activity or breach of professional duties via the ECB’s whistleblowing tool or the assessment of requests by the Compliance and Governance Office (CGO) for protection of whistle-blowers or witnesses from retaliation, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(f)

the activities of the CGO under the Ethics Framework of the ECB set out in Part 0 of the ECB Staff Rules and the rules on selection and appointment set out in Part 1A of the ECB Staff Rules, and the monitoring for compliance purposes of private financial activities including both the functions exercised by the external service provider appointed pursuant to Article 0.4.3.3 of the ECB Staff Rules and the assessment and follow-up of potential breaches resulting from such monitoring by the CGO, the safeguarding of which is in accordance with points (b), (c), (f) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(g)

audits undertaken by the Directorate Internal Audit, investigative activities and internal administrative inquiries, the safeguarding of which is in accordance with points (b), (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(h)

the performance of the ECB’s functions pursuant to Decision (EU) 2016/456 (ECB/2016/3), in particular the duty of the ECB to report any information about illegal activity, the safeguarding of which is in accordance with points (b), (c), (g) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(i)

investigations conducted by the DPO on processing activities carried out at the ECB pursuant to point (b) of Article 4 of Decision (EU) 2020/655 (ECB/2020/28), the safeguarding of which is in accordance with points (b) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(j)

investigations for the purposes of ensuring physical security at the ECB of persons, premises and property, whether handled internally or with external support, the gathering of threat intelligence and security incidents analysis, the safeguarding of which is in accordance with points (b), (c), (d) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(k)

judicial proceedings, the safeguarding of which is in accordance with points (b), (c) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(l)

the cooperation between the ECB and national criminal investigation authorities, in particular the provision of confidential information held by the ECB for disclosure to a national criminal investigation authority at the request of the latter, the safeguarding of which is in accordance with points (b), (c), (d) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(m)

the cooperation between the ECB and the EPPO pursuant to Regulation (EU) 2017/1939, in particular the duty of the ECB to provide information about offences, the safeguarding of which is in accordance with points (b), (c), (d) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(n)

the cooperation with EU bodies exercising a supervisory, oversight or auditing function to which the ECB is subject, the safeguarding of which is in accordance with points (c), (d), (g) and/or (h) of Article 25(1) of Regulation (EU) 2018/1725;

(o)

the performance of a mediator’s tasks pursuant to the internal dispute resolution framework at the ECB, in particular giving support to help resolve or prevent a work-related dispute, the safeguarding of which is in accordance with point (h) of Article 25(1) of Regulation (EU) 2018/1725;

(p)

the provision of the counselling services by the social counsellor to support ECB personnel, the safeguarding of which is in accordance with point (h) of Article 25(1) of Regulation (EU) 2018/1725.

The categories of personal data in relation to which restrictions referred to in paragraph 1 may be applied are specified in Annexes I to XIV to this Decision.

2.   The controller may only apply a restriction where on a case-by-case assessment it concludes that the restriction:

(a)

is necessary and proportionate taking into account the risks to the rights and freedoms of the data subject; and

(b)

respects the essence of the fundamental rights and freedoms in a democratic society.

3.   The controller shall document its assessment in an internal assessment note which shall include the legal basis, the reasons for the restriction, the rights of the data subjects that are restricted, the data subjects affected, the necessity and proportionality of the restriction and the likely duration of the restriction.

4.   A decision to restrict the rights of a data subject pursuant to paragraph 1 to be taken by the controller shall be made at the level of the relevant business area head or deputy head in whose business area the main processing operation involving the personal data is carried out.

Article 4

Provision of general information on restrictions

The controller shall provide general information on the potential restriction of data subject rights as follows:

(a)

the controller shall specify the rights which may be restricted, the reasons for restriction and the potential duration;

(b)

the controller shall include the information referred to in point (a) in its data protection notices, privacy statements and records of processing activities as referred to in Article 31 of Regulation (EU) 2018/1725.

Article 5

Restriction of right of access by data subjects, right to rectification, right of erasure or restriction of processing

1.   Where the controller restricts, wholly or partially, the right of access, the right to rectification, the right of erasure or the right to restriction of processing, respectively referred to in Articles 17, 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall, within the period referred to in Article 11(5) of Decision (EU) 2020/655 (ECB/2020/28), inform the data subject concerned, in its written reply to the request, of the restriction applied, the principal reasons for the restriction, the possibility of lodging a complaint with the European Data Protection Supervisor and of seeking a judicial remedy in the Court of Justice of the European Union.

2.   The controller shall keep the internal assessment note referred to in Article 3(3) and, where applicable, the documents containing underlying factual and legal elements and make these available to the DPO and European Data Protection Supervisor on request.

3.   The controller may defer, omit or deny the provision of information concerning the reasons for the restriction referred to in paragraph 1 for as long as that provision of information would undermine the purpose of the restriction. As soon as the controller determines that providing the information no longer undermines the purpose of the restriction, the controller shall provide that information to the data subject.

Article 6

Duration of restrictions

1.   The controller shall lift a restriction as soon as the circumstances that justified that restriction no longer apply.

2.   Where the controller lifts a restriction pursuant to paragraph 1, the controller shall promptly:

(a)

to the extent it has not already done so, inform the data subject of the principal reasons on which the application of a restriction was based;

(b)

inform the data subject of his or her right to lodge a complaint with the European Data Protection Supervisor or to seek a judicial remedy before the Court of Justice of the European Union;

(c)

grant the data subject the right that was subject to the restriction that has been lifted.

3.   The controller shall reassess every six months the need to maintain a restriction applied pursuant to this Decision and shall document its reassessment in an internal assessment note.

Article 7

Safeguards

The ECB shall apply organisational and technical safeguards as set out in Annex XV to prevent abuse or unlawful access or transfer.

Article 8

Review by the DPO

1.   Where the controller restricts the application of a data subject’s rights, it shall continuously involve the DPO. In particular, the following shall apply:

(a)

the controller shall, without undue delay, consult the DPO;

(b)

on the DPO’s request, the controller shall provide the DPO with access to any documents containing underlying factual and legal elements, including the internal assessment note referred to in Article 3(3);

(c)

the controller shall document how the DPO was involved including relevant information that was shared, in particular the date of its first consultation as referred to in point (a);

(d)

the DPO may request the controller to review the restriction;

(e)

the controller shall inform the DPO in writing of the outcome of the review requested without undue delay and in any case before any restriction is applied.

2.   The controller shall inform the DPO when the restriction has been reassessed in accordance with Article 6(3) or when it has been lifted.

Article 9

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Frankfurt am Main, 22 November 2022.

The President of the ECB

Christine LAGARDE


(1)  OJ L 295, 21.11.2018, p. 39.

(2)  Decision (EU) 2020/655 of the European Central Bank of 5 May 2020 adopting implementing rules concerning data protection at the European Central Bank and repealing Decision ECB/2007/1 (ECB/2020/28) (OJ L 152, 15.5.2020, p. 13).

(3)  Administrative Circular 01/2006 was adopted on 21 March 2006 and is available on the ECB’s website.

(4)  Decision (EU) 2016/456 of the European Central Bank of 4 March 2016 concerning the terms and conditions for European Anti-Fraud Office investigations of the European Central Bank, in relation to the prevention of fraud, corruption and any other illegal activities affecting the financial interests of the Union (ECB/2016/3) (OJ L 79, 30.3.2016, p. 34).

(5)  Decision (EU) 2016/1162 of the European Central Bank of 30 June 2016 on disclosure of confidential information in the context of criminal investigations (ECB/2016/19) (OJ L 192, 16.7.2016, p.73).

(6)  Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p.63).

(7)  Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p.1).


ANNEX I

Assessment and reporting of potential breaches of professional duties and, where necessary, their subsequent investigation and follow-up

The restriction referred to in point (a) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

location data;

g)

data concerning goods or services provided;

h)

data on external activities;

i)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

j)

any other data relating to the assessment and reporting of potential breaches of professional duties and, where necessary, subsequent investigation and follow-up.


ANNEX II

Informal and/or formal dignity at work procedures, including the consideration of cases that may result in such a procedure as set out in Part 0.5 of the ECB Staff Rules

The restriction referred to in point (b) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

location data;

g)

data concerning goods or services provided;

h)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

i)

any other data relating to informal and/or formal dignity at work procedures, including the consideration of cases that may result in such a procedure as set out in Part 0.5 of the ECB Staff Rules.


ANNEX III

The performance of DG/HR’s functions under the employment law framework at the ECB

The restriction referred to in point (c) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

location data;

g)

data concerning goods or services provided;

h)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

i)

any other data included in, or relating to, considerations of individual cases, in particular those that may result in a decision adversely affecting ECB personnel and the examination of internal appeals brought by ECB personnel and their follow-up;

j)

any other data relating to selection procedures.


ANNEX IV

The examination of internal appeals and their follow-up

The restriction referred to in point (d) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

location data;

g)

data concerning goods or services provided;

h)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

i)

any other data included in, or relating to, considerations of individual cases, in particular those that may result in a decision adversely affecting ECB personnel and the examination of internal appeals brought by ECB personnel and their follow-up.


ANNEX V

The reporting of any illegal activity or any breach of professional duties submitted via any channel, including via the ECB’s whistleblowing tool, or the Compliance and Governance Office’s assessment of requests for protection of whistle-blowers or witnesses

The restriction referred to in point (e) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

location data;

g)

data concerning goods or services provided;

h)

data on external activities;

i)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

j)

any other data relating to any alleged illegal activity or alleged breach of professional duties or to any request for the protection of whistle-blowers or witnesses.


ANNEX VI

Activities of the CGO under the ECB Staff Rules

The restriction referred to in point (f) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

data on external activities;

g)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

h)

any other data relating to any activities reported to, or investigated by, the CGO.


ANNEX VII

Audits undertaken by the Directorate Internal Audit and investigative activities or internal administrative inquiries

The restriction referred to in point (g) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

data on external activities;

g)

location data;

h)

data concerning goods or services provided;

i)

social and behavioural data and other types of data specific to the processing operation;

j)

information regarding administrative proceedings or any other investigations;

k)

electronic traffic data;

l)

video surveillance data;

m)

audio recordings;

n)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

o)

data relating to criminal proceedings, any sanction or other administrative penalty;

p)

any other data relating to audits undertaken by the Directorate Internal Audit and any investigative activity or internal administrative inquiry.


ANNEX VIII

The performance of the ECB’s functions pursuant to Decision (EU) 2016/456 (ECB/2016/3)

The restriction referred to in point (h) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay or allowances, or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

data on external activities;

g)

location data;

h)

data on goods or services provided;

i)

electronic traffic data;

j)

video surveillance data;

k)

audio recordings;

l)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

m)

any other data relating to the performance of the ECB’s functions pursuant to Decision (EU) 2016/456 (ECB/2016/3).


ANNEX IX

Investigations conducted by the DPO pursuant to point (b) of Article 4 of Decision (EU) 2020/655 (ECB/2020/28)

The restriction referred to in point (i) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay or allowances, or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

data on external activities;

g)

location of data;

h)

data concerning goods or services provided;

i)

electronic traffic data;

j)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

k)

any other data relating to any investigation conducted by the DPO pursuant to point (b) of Article 4 of Decision (EU) 2020/655 (ECB/2020/28).


ANNEX X

Investigations for the purpose of ensuring physical security at the ECB of persons, premises and property, the gathering of threat intelligence and security incidents analysis

The restriction referred to in point (j) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

location data;

e)

data concerning family, lifestyle and social circumstances;

f)

electronic traffic data;

g)

video surveillance data;

h)

audio recordings;

i)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

j)

data concerning pending criminal cases or criminal records;

k)

any other data relating to investigations for the purpose of ensuring physical security at the ECB of persons, premises and property, to threat intelligence or to security incidents analysis.


ANNEX XI

Judicial Proceedings

The restriction referred to in point (k) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

data on external activities;

g)

location of data;

h)

electronic traffic data;

i)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

j)

any other data relating to judicial proceedings.


ANNEX XII

The cooperation between the ECB and national criminal investigation authorities, the EPPO and EU bodies exercising a supervisory, oversight or auditing function to which the ECB is subject

The restriction referred to in points (l) to (n) of Article 3(1) of this Decision may be applied in relation to all the categories of personal data mentioned in Annex I to XI, as well as the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

identification data;

b)

contact data;

c)

professional data, including data concerning education, training and employment details;

d)

financial details (e.g. information about pay, allowances or private transactions);

e)

data concerning family, lifestyle and social circumstances;

f)

data on external activities;

g)

location data;

h)

data concerning goods or services provided;

i)

video surveillance data;

j)

electronic traffic data;

k)

audio recordings;

l)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

m)

information regarding administrative proceedings or any other investigations;

n)

data relating to criminal proceedings, any sanction or other administrative penalty;

o)

any other data relating to the cooperation between the ECB and national criminal investigation authorities, the EPPO and EU bodies exercising a supervisory, oversight or auditing function to which the ECB is subject.


ANNEX XIII

The performance of the mediator’s tasks

The restriction referred to in point (o) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

contact data;

b)

professional data, including data concerning education, training and employment details;

c)

financial details (e.g. information about pay, allowances or private transactions);

d)

data concerning family, lifestyle and social circumstances;

e)

social and behavioural data and other types of data specific to the processing operation;

f)

information regarding administrative proceedings or any other regulatory investigations;

g)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

h)

any other data relating to the performance of the mediator’s tasks.


ANNEX XIV

The provision of the counselling services by the social counsellor

The restriction referred to in point (p) of Article 3(1) of this Decision may be applied in relation to the categories of data mentioned in the relevant records of processing, in particular, the following categories of personal data:

a)

contact data;

b)

professional data, including data concerning education, training and employment details;

c)

financial details (e.g. information about pay, allowances or private transactions);

d)

data concerning family, lifestyle and social circumstances;

e)

social and behavioural data and other types of data specific to the processing operation;

f)

information regarding administrative proceedings or any other regulatory investigations;

g)

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data; data concerning health; or data regarding a natural person’s sex life or sexual orientation;

h)

any other data relating to the provision of the counselling services by the social counsellor.


ANNEX XV

Organisational and technical safeguards at the ECB to prevent abuse or unlawful processing of personal data include:

(a)

as regard persons:

(i)

all persons who have access to non-public ECB information being responsible for knowing and applying the ECB’s policy and rules on the management and confidentiality of information;

(ii)

a security clearance process which ensures that only vetted and authorised persons have access to the ECB premises and its non-public information;

(iii)

IT, information and physical security awareness measures and trainings which are regularly held for ECB personnel and external service providers;

(iv)

ECB personnel being subject to strict rules of professional secrecy set out in the ECB Conditions of Employment and Staff Rules, the breach of which gives rise to disciplinary sanctions;

(v)

rules and obligations governing external service providers’ or contractors’ access to non-public ECB information which are set out in contractual arrangements;

(vi)

access controls including security zoning which are enforced ensuring that access of persons to ECB non-public information is authorised and restricted based on business needs and security requirements;

(b)

as regard processes:

(i)

processes being in place to ensure the controlled implementation, operation and maintenance of IT applications supporting the ECB’s business;

(ii)

using IT applications for the ECB’s business which comply with the ECB’s security standards;

(iii)

having a comprehensive physical security programme in operation which continuously assesses security threats and encompasses physical security measures to ensure an adequate level of protection;

(c)

as regard technology:

(i)

all electronic data being stored in IT applications complying with the ECB’s security standards and thus being protected against unauthorised access or alteration;

(ii)

IT applications being implemented, operated and maintained at a level of security commensurate to the IT applications’ confidentiality, integrity and availability needs, which are based on business impact analyses;

(iii)

the level of security of IT applications being regularly validated through technical and non-technical security assessments;

(iv)

access to ECB non-public information being granted in accordance with the need-to-know principle, and privileged access being strictly limited and tightly controlled;

(v)

controls being implemented to detect and follow up on actual and potential security breaches.


Top