Privacy statement for audit missions
What is our legal framework?
All personal data is processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Why do we process personal data?
Personal data is processed in the context of the Directorate Internal Audit’s (D/IA) internal audit services as defined by the Executive Board in the ECB Audit Charter. That processing aims to identify, assess, evaluate and record any relevant information for assurance and consultancy activities. Any personal data that falls within the scope of these activities is collected from the ECB business areas. In general, D/IA processes personal data which is relevant for a specific task.
In particular, D/IA may process personal data to fulfil the following tasks:
- the implementation of the ECB’s audit plan and the Internal Auditors Committee (IAC) work programme by conducting and reporting on assurance and consultancy activities;
- the assessment of the implementation status of audit recommendations;
- the processing of incident reports from ECB business areas (excluding incident reports related to breaches of professional duties).
Furthermore, D/IA processes data in order to provide audit support (e.g. as the secretariat to the IAC) and to coordinate external audit services (e.g. by external auditors or the European Court of Auditors).
What is the legal basis for processing your personal data?
Your personal data is processed by the ECB in the performance of a task in the public interest, based on Article 5(1)(a) of Regulation (EU) 2018/1725, in conjunction with Protocol (No 4) on the Statute of the European System of Central Banks (ESCB) and the European Central Bank (OJ C 202, 7.6.2016, p. 230). and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63) as further detailed in the ECB Audit Charter.
Who is responsible for processing your personal data?
The ECB is the controller for the processing of the personal data. The D/IA is responsible for the processing.
Who will receive your personal data?
The recipients of the data are the following:
- the respective data subjects;
- designated ECB staff members;
- designated staff members of the national central banks within the ESCB and national competent authorities within the Single Supervisory Mechanism (including secondees);
- externals (consultants, external auditors and trainees) participating in internal audit activities.
Upon request, members of the ECB Executive Board, Governing Council, Supervisory Board and the ECB Chief Services Officer may receive personal data.
Where applicable, on a need to know basis and in compliance with the relevant legal framework, bodies charged with monitoring or inspection tasks in accordance with Union law may receive personal data, e.g. the European Court of Auditors, the European Anti-Fraud Office, the European Public Prosecutor’s Office, national competent authorities, the European Data Protection Supervisor, the Ethics Committee, and the Audit Committee.
What type of personal data is collected?
D/IA has access to all personnel, records, information, systems and property deemed necessary to carry out its responsibilities in the context of audit missions and may process any related personal data.
The ECB may process the following personal data in relation to audit missions:
- identification data and contact details (e.g. name, postal address, etc.);
- education & professional training data;
- employment data;
- financial data;
- family, lifestyle and social circumstances;
- information on goods or services provided;
- information relating to any civil or administrative proceedings or any other regulatory investigation;
- information relating to any criminal proceedings;
- information relating to sanctions or any other administrative penalty;
- any other personal data relevant to a particular audit mission;
- special categories of data within the scope of Article 10 of Regulation (EU) 2018/1725 where justified.
How long will the ECB keep personal data?
The personal data is stored for a maximum of 15 years from the date of termination of the activity before being deleted unless the data is needed for a longer period of time for any potential follow-up actions, such as disciplinary or judicial proceedings.
As a rule, the information presented in audit reports is anonymised.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data, to object to or to restrict the processing of your personal data in line with Regulation (EU) 2018/1725.
Who can you contact in case of queries or requests?
You can exercise your rights by contacting D/IA at [email protected]. You can also contact the ECB’s Data Protection Officer directly at [email protected] regarding all queries relating to personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.
For more information, please consult the ECB’s register of data processing activities.