The Eurozone Single Resolution Board has published a series of three opinions setting out its own internal rules for the circumstances in which it may restrict the rights of data subjects under Regulation (EU) 2018/1725, data protection legislation that is commonly understood as the public sector equivalent of the General Data Protection Regulation. The Regulation governs the use of personal data by EU institutions and agencies. The SRB is the central resolution authority within the European Banking Union with responsibility for ensuring an orderly resolution of failing banks. It processes several categories of personal data for a variety of reasons. The SRB’s Opinions establish that, in connection with these activities, it is entitled to restrict the rights of individuals under the data protection Regulation in the following circumstances:
- Where the SRB processes personal data in the course of conducting internal investigations, administrative inquiries or disciplinary proceedings relating to breaches of the SRB Code of Ethics and Staff Regulations;
- Where the SRB processes personal data in the course of investigating alleged psychological or sexual harassment by SRB employees; and
- Where the SRB processes personal data in the context of guaranteeing security at the SRB premises, for instance via video-surveillance, access control and visitors log books.
The rights that may be restricted include the right to transparent provision of information on the data held about a data subject to that data subject, the right of a data subject to be informed about whether their personal data is being processed and, if so, the purposes of that processing and the right for the data subject to demand that its personal data be rectified or erased. The SRB is only entitled to restrict the rights of data subjects in the circumstances specified above if it complies with the internal rules set out in the Opinions. These rules include that restrictions on the rights of data subjects: (i) may only be imposed to safeguard the prevention of criminal offences or breaches of ethics and the protection of the data subject or the rights and freedoms of others; (ii) must be necessary and proportionate; (iii) must be duly monitored and periodically revised every six months; and (iv) should be lifted as soon as the circumstances that justify them no longer apply. The SRB should also inform the Data Protection Officer of the SRB when it restricts the application of data subjects’ rights in accordance with the Opinion and publish information regarding the rights that may be restricted on its intranet.