EUROPEAN INVESTMENT BANK DECISION

of 6 February 2019

laying down internal rules concerning the processing of personal data by the Fraud Investigations Division within the Inspectorate General and the Office of the Chief Compliance Officer of the European Investment Bank in relation to the provision of information to data subjects and the restriction of certain of their rights

THE EUROPEAN INVESTMENT BANK (‘EIB’),

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 309,

Having regard to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (1),

Having regard to the opinions of the European Data Protection Supervisor (2),

Whereas:

(1) Under the EIB Anti-Fraud Policy (3) and the EIB's Fraud Investigations Division Charter (4), the EIB Fraud Investigations Division within the Inspectorate General (‘IG/IN’) has the mandate to investigate allegations of fraud, corruption, collusion, coercion, obstruction, money laundering and financing of terrorism (‘Prohibited Conduct’) involving all EIB's activities. IG/IN is mandated to investigate (i) members of EIB governing bodies, staff and consultants; (ii) EIB's project related parties; (iii) EIB corporate procurement related parties; and (iv) EIB borrowing and treasury related parties. The mandate of IG/IN also includes conducting proactive integrity reviews in areas of increased risk in order to improve the effectiveness and efficiency of the EIB's operations and activities.

(2) Under the EIB Staff Code of Conduct (5) and the EIB Whistleblowing Policy (6), as amended and supplemented from time to time, EIB staff members have the duty to report any breach of professional duties, including illegal activities, prohibited conduct and/or violations of the EIB Group's regulations, rules, policies or guidelines, including the EIB Staff Code of Conduct, to the competent services, depending on the nature of the breach, i.e. the EIB Office of the Chief Compliance Officer (‘OCCO’) and the Inspectorate General of the EIB (‘IG’).

(3) Under the Terms of Reference of the Group Chief Compliance Officer (‘ToR of the GCCO’) and the Integrity Policy and Compliance Charter (7), the remit of the Group Chief Compliance Officer is to identify, assess, advise on, monitor and report on the compliance risk of the EIB Group, that is, the risk of legal or regulatory sanctions, financial loss, or loss to reputation a member of the EIB Group may suffer as a result of its failure to comply with all applicable laws, regulations, staff codes of conduct and standards of good practice. In accordance with the ToRs of the GCCO, the GCCO conducts the necessary administrative inquiries into a possible breach by members of the staff of the Codes of Conduct of the EIB Group. The staff of the EIB Group has the duty to cooperate in the carrying out of such administrative inquiries in the manner specified by the Group Chief Compliance Officer.

(4) While carrying out their respective tasks, IG/IN and OCCO are bound to respect the rights of natural persons in relation to the processing of personal data recognised by Article 8(1) of the Charter of Fundamental Rights of the European Union and by Article 16(1) of the Treaty on the Functioning of the European Union, as well as by legal acts based on those provisions. At the same time, IG/IN and OCCO are required to comply with strict rules of confidentiality and professional secrecy referred to in the EIB Staff Regulations and in the EIB Staff Code of Conduct and to ensure the respect of procedural rights of persons concerned and witnesses, in particular the right of persons concerned to due process and the presumption of innocence.

(5) In certain circumstances, it is necessary to reconcile the rights of data subjects pursuant to Regulation (EU) 2018/1725 (‘Regulation’) with the purposes and needs of IG/IN and OCCO respective tasks, as well as with full respect for fundamental rights and freedoms of other data subjects. To that effect, Article 25 of Regulation provides IG/IN and OCCO with the possibility to restrict, pursuant to their respective mandates, the application of Articles 14 to 22, 35 and 36, as well as Article 4 thereof, insofar as its provisions correspond to the rights and obligations provided for in Articles 14 to 22. To do so, it is necessary to adopt internal rules under which the relevant data controller may restrict data subjects' rights in line with Article 25 of Regulation.

(6) The internal rules should apply to all processing operations carried out by IG/IN and OCCO in the performance of their respective mandates enshrined respectively in the EIB's Anti-Fraud Policy, the EIB's Fraud Investigations Division Charter, the Integrity Policy and Compliance Charter and in the Terms of Reference of the GCCO, throughout the entire process.

(7) In order to comply with Articles 14, 15 and 16 of Regulation, the relevant data controller should inform all individuals of its activities involving processing of their personal data and of their rights in a transparent and coherent manner in the form of the data protection notices published on the EIB website and the EIB Intranet, as well as to individually inform data subjects relevant to its activities — persons concerned, witnesses and informants.

(8) IG/IN and OCCO may need to apply certain grounds for restrictions referred to in Article 25 of the Regulation to data processing operations carried out in the framework of their tasks set out respectively in the (i) EIB Anti-Fraud Policy and Investigation Procedures for IG/IN (8); and (ii) ToRs of the GCCO for OCCO.

(9) The communication between OLAF and EIB is carried out in accordance with the Administrative Arrangement between the European Anti-Fraud Office and the European Investment Bank, of 31 March 2016.

(10) In addition, in order to maintain effective cooperation, IG/IN and OCCO may need to apply restrictions to data subjects' rights to protect information containing personal data originating from other EIB services, the European Union institutions, bodies, offices and agencies, competent authorities of Member States and third countries, as well as from international organisations. To that effect, IG/IN and OCCO should consult those other EIB services, institutions, bodies, offices, agencies, authorities and international organisations on the relevant grounds for and the necessity and proportionality of the restrictions.

(11) IG/IN and OCCO should handle all restrictions in a transparent manner and register each application of restrictions in the corresponding record system.

(12) Pursuant to Article 25(8) of the Regulation, the controllers may defer or refrain from providing information on the reasons for the application of a restriction to the data subject if this would in any way compromise the purpose of the restriction. In particular, where a restriction to the rights provided for in Articles 16 and 35 is applied, the notification of such a restriction would compromise the purpose of the restriction. In order to ensure that the data subject's right to be informed in accordance with Article 16 and 35 of Regulation (EU) 2018/1725 is restricted only as long as the reasons for the deferral last, the relevant data controller should regularly review its position.

(13) Where a restriction of other data subjects' rights is applied, the controller should assess on a case-by-case basis whether the communication of the restriction would compromise its purpose.

(14) The EIB has designated its own Data Protection Officer (‘DPO’) in accordance with Article 24 of Regulation (EC) No 45/2001 of the European Parliament and of the Council (9).

(15) The DPO may carry out an independent review of the application of the restrictions, with a view to ensuring compliance with this Decision,

HAS ADOPTED THIS DECISION:

CHAPTER I

FRAUD INVESTIGATIONS DIVISION OF THE INSPECTORATE GENERAL

Article 1

Subject matter and scope

1. This Chapter lays down the rules to be followed by the relevant data controller, as defined in Article 2(1) of the Decision, to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.

It also lays down the conditions under which the relevant data controller may restrict the application of Articles 14 to 22 and 35 and 36, as well as Article 4, of the Regulation, in accordance with Article 25 of that Regulation.

2. This Chapter applies to the processing of personal data by IG/IN for the purpose of or in relation to the activities carried out in order to fulfil its tasks referred to in the EIB Anti-Fraud Policy and in the EIB's Fraud Investigations Division Charter.

3. In the framework of its mandate, IG/IN processes several categories of personal data, particularly identification data, contact data, professional data and case involvement data.

Article 2

Specification of the controller and safeguards

1. The controller of the processing operations is the Head of Division of IG/IN.

2. The personal data are stored in a secured electronic and physical environment, which prevents unlawful access or transfer of data to persons who do not have a need to know.

3. The personal data processed are retained for at least five years and up to 10 years after the closure of the investigation. Data related to unsubstantiated cases shall be retained for up to five years maximum.

4. Longer periods than the specified above are applied on exceptional and duly justified cases, subject to agreement of the DPO.

Article 3

Applicable exceptions and restrictions

1. Where IG/IN exercises its duties with respect to the data subjects' rights pursuant to the Regulation, it shall consider whether any of the exceptions laid down in that Regulation apply.

2. Subject to Articles 4 to 7 of this Decision, IG/IN may restrict the application of Articles 14 to 22 and 35, and 36 of the Regulation, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of the Regulation where the exercise of those rights and obligations would jeopardise the purpose of IG/IN's investigation and other activities, including by revealing its investigative tools and methods, or would adversely affect the rights and freedoms of other data subjects.

3. Subject to Articles 4 to 7 of this Decision, IG/IN may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from other EIB service(s), OLAF or other European Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances:

(a) where the exercise of those rights and obligations could be restricted by other EIB service(s), OLAF or other European Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of the Regulation or in accordance with Chapter IX of that Regulation;

(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council (10), or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council (11);

(c) where the exercise of those rights and obligations could jeopardise IG/IN's cooperation with third countries and international organisations in the conduct of its tasks.

Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, IG/IN shall consult the relevant EIB service(s), OLAF, European Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to IG/IN that the application of a restriction is provided for by one of the acts referred to in those points.

Point (c) of the first subparagraph shall not apply where the interest of the European Union to cooperate with third countries or international organisations is overridden by the interests or fundamental rights and freedoms of the data subjects.

Article 4

Provision of information to data subjects

1. IG/IN shall publish on the EIB website a data protection notice that informs all data subjects of its activities involving processing of their personal data.

2. IG/IN shall individually inform all data subjects whom it considers to be persons concerned, witnesses or informants within the meaning of the EIB Anti-Fraud Policy and Investigation Procedures.

3. Where IG/IN restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction.

To that end, the record shall state how the provision of the information would jeopardise the purpose of IG/IN's investigative activities, or of restrictions applied pursuant to Article 3(3), or would adversely affect the rights and freedoms of other data subjects.

The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the European Data Protection Supervisor (EDPS) on request.

4. The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable.

Where the reasons for the restriction no longer apply, IG/IN shall provide the information concerned and the reasons for the restriction to the data subject. At the same time, IG/IN shall inform the data subject of the possibility of lodging a complaint with the EDPS at any time or of seeking a judicial remedy in the Court of Justice of the European Union.

IG/IN shall review the application of the restriction at least every six months from its adoption and at the closure of the relevant investigation. Thereafter, the controller shall monitor the need to maintain any restriction on an annual basis.

Article 5

Right of access by data subject

1. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of the Regulation, IG/IN shall limit its assessment of the request to such personal data only.

2. Where IG/IN restricts, wholly or partly, the right of access, referred to in Article 17 of the Regulation, it shall take the following steps:

(a) it shall inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy in the Court of Justice of the European Union;

(b) it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how the provision of the information would jeopardise the purpose of IG/IN's activities or of restrictions applied pursuant to Article 3(3), or would adversely affect the rights and freedoms of other data subjects.

The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of the Regulation.

3. The record referred to in point (b) of the first subparagraph of paragraph 2 and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the EDPS on request. Article 25(7) of Regulation (EU) 2018/1725 shall apply.

Article 6

Right of rectification, erasure and of restriction of processing

Where IG/IN restricts, wholly or partly, the application of the right to rectification, erasure or the right to restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, it shall take the steps set out in Article 5(2) of this Decision and register the record in accordance with Article 5(3) thereof.

Article 7

Communication of personal data breaches to the data subject

Where IG/IN restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation, it shall record and register the reasons for the restriction in accordance with Article 4(3) of this Decision. Article 4(4) of this Decision shall apply.

Article 8

Review by the Data Protection Officer

IG/IN shall inform, without undue delay, the DPO whenever it restricts the application of data subject's rights in accordance with this Decision and shall provide access to the record and the assessment of the necessity and proportionality of the restriction.

The DPO may request IG/IN in writing to review the application of the restrictions. IG/IN shall inform the DPO in writing about the outcome of the requested review.

CHAPTER II

OFFICE OF THE EIB GROUP CHIEF COMPLIANCE OFFICER

Article 9

Subject matter and scope

1. This Chapter lays down the rules to be followed by OCCO to inform data subjects of the processing of their data in accordance with Articles 14, 15 and 16 of Regulation (EU) 2018/1725.

It also lays down the conditions under which OCCO may restrict the application of Articles 14 to 22 and 35 and 36, as well as Article 4, of Regulation (EU) 2018/1725, in accordance with Article 25 of that Regulation.

2. This Chapter applies to the processing of personal data by OCCO for the purpose of or in relation to the activities carried out in order to fulfil its tasks referred to in the ToRs of the GCCO, the Integrity Policy and Compliance Charter and other internal rules and policies.

3. In the framework of its activities, OCCO processes several categories of personal data, particularly identification data, contact data, professional data and case involvement data.

Article 10

Specification of the controller and safeguards

1. The GCCO acts as the respective data controller.

2. The personal data are stored in a secured electronic and physical environment, which prevents unlawful access or transfer of data to persons who do not have a need to know.

3. The personal data processed by OCCO are retained for at least six months after the case is dismissed and up to five years after the closure of the administrative inquiry.

4. Longer periods than the specified above are applied on exceptional and duly justified cases, subject to agreement of the DPO.

Article 11

Applicable exceptions and restrictions

1. Where OCCO exercises its duties with respect to the data subjects' rights pursuant to Regulation (EU) 2018/1725, it shall consider whether any of the exceptions laid down in that Regulation apply.

2. Subject to Articles 12 to 15 of this Decision, OCCO may restrict the application of Articles 14 to 22, and 35 and 36 of Regulation (EU) 2018/1725, as well as its Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22 of the Regulation (EU) 2018/1725 where the exercise of those rights and obligations would jeopardise the purpose of OCCO administrative inquiries and other activities, including by revealing its administrative inquiry tools and methods, or would adversely affect the rights and freedoms of other data subjects.

3. Subject to Articles 12 to 15 of this Decision, OCCO may restrict the rights and obligations referred to in paragraph 2 of this Article in relation to personal data obtained from other EIB service(s), European Union institutions, bodies, agencies and offices, competent authorities of Member States or third countries or from international organisations, in the following circumstances:

(a) where the exercise of those rights and obligations could be restricted by other EIB service(s), European Union institutions, bodies, agencies and offices on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation;

(b) where the exercise of those rights and obligations could be restricted by competent authorities of Member States on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679, or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680;

(c) where the exercise of those rights and obligations could jeopardise OCCO's cooperation with third countries and international organisations in the conduct of its tasks.

Before applying restrictions in the circumstances referred to in points (a) and (b) of the first subparagraph, OCCO shall consult the relevant EIB service(s), European Union institutions, bodies, agencies, offices or the competent authorities of Member States unless it is clear to OCCO that the application of a restriction is provided for by one of the acts referred to in those points.

Article 12

Provision of information to data subjects

1. OCCO shall publish on the EIB Intranet a data protection notice that informs all data subjects of its activities involving processing of their personal data.

2. OCCO shall individually inform all data subjects whom it considers to be persons concerned, witnesses and informants.

3. Where OCCO restricts, wholly or partly, the provision of information to the data subjects referred to in paragraph 2, it shall record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction.

To that end, the record shall state how the provision of the information would jeopardise the purpose of OCCO's administrative inquiries or other activities, or of restrictions applied pursuant to Article 11(3), or would adversely affect the rights and freedoms of other data subjects.

The record and, where applicable, the documents containing underlying factual and legal elements shall be registered. They shall be made available to the EDPS on request.

4. The restriction referred to in paragraph 3 shall continue to apply as long as the reasons justifying it remain applicable.

Where the reasons for the restriction no longer apply, OCCO shall provide the information concerned and the reasons for the restriction to the data subject. At the same time, OCCO shall inform the data subject of the possibility of lodging a complaint with the EDPS at any time or of seeking a judicial remedy in the Court of Justice of the European Union.

OCCO shall review the application of the restriction at least every six months from its adoption and at the closure of the relevant administrative inquiry. Thereafter, the controller shall monitor the need to maintain any restriction on an annual basis.

Article 13

Right of access by data subject

1. Where data subjects request access to their personal data processed in the context of one or more specific cases or to a particular processing operation, in accordance with Article 17 of Regulation (EU) 2018/1725, OCCO shall limit its assessment of the request to such personal data only.

2. Where OCCO restricts, wholly or partly, the right of access, referred to in Article 17 of Regulation (EU) 2018/1725, it shall take the following steps:

(a) inform the data subject concerned, in its reply to the request, of the restriction applied and of the principal reasons thereof, and of the possibility of lodging a complaint with the EDPS or of seeking a judicial remedy in the Court of Justice of the European Union;

(b) record the reasons for the restriction, including an assessment of the necessity and proportionality of the restriction; to that end, the record shall state how the provision of the information would jeopardise the purpose of OCCO administrative inquiries or other activities or of restrictions applied pursuant to Article 11(3), or would adversely affect the rights and freedoms of other data subjects.

The provision of information referred to in point (a) may be deferred, omitted or denied in accordance with Article 25(8) of Regulation (EU) 2018/1725.

Article 14

Right of rectification, erasure and of restriction of processing

Where OCCO restricts, wholly or partly, the application of the right to rectification, erasure or the right to restriction of processing, referred to in Articles 18, 19(1) and 20(1) of Regulation (EU) 2018/1725, they shall take the steps set out in Article 13(2) of this Decision and register the record in accordance with Article 13(3) thereof.

Article 15

Communication of personal data breaches to the data subject

Where OCCO restricts the communication of a personal data breach to the data subject, referred to in Article 35 of Regulation (EU) 2018/1725, it shall record and register the reasons for the restriction in accordance with Article 12(3) of this Decision. Article 12(4) of this Decision shall apply.

Article 16

Review by the Data Protection Officer

OCCO shall inform, without undue delay, the DPO whenever it restricts the application of data subject's rights in accordance with this Decision and shall provide access to the record and the assessment of the necessity and proportionality of the restriction.

The DPO may request the controller in writing to review the application of the restrictions. OCCO shall inform the DPO in writing about the outcome of the requested review.

CHAPTER III

FINAL PROVISIONS

Article 17

Entry into force

This Decision was approved by EIB's Board of Directors on 6 February 2019 and shall enter into force on the day of its publication on EIB webpage.

Done at Luxembourg, 6 February 2019.

(1)

OJ L 295, 21.11.2018, p. 39

(2) The processing of personal data in the context of the IG/IN investigations and OCCO administrative inquiries was notified to the EDPS.

(3) https://www.eib.org/attachments/strategies/anti_fraud_policy_20130917_en.pdf

(4) http://www.eib.org/attachments/general/fraud_investigatons_charter_2017_en.pdf

(5) http://www.eib.org/en/infocentre/publications/all/staff-code-of-conduct.htm

(6) http://www.eib.org/en/infocentre/publications/all/eib-s-whistleblowing-policy.htm

(7) http://www.eib.org/en/infocentre/publications/all/integrity-policy-and-compliance-charter.htm

(8) http://www.eib.org/en/infocentre/publications/all/anti-fraud-procedures.htm

(9) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (

OJ L 8, 12.1.2001, p. 1

(10) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (

OJ L 119, 4.5.2016, p. 1

(11) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (

OJ L 119, 4.5.2016, p. 89