Investigations run by the EIB Group’s Fraud Investigations Division (“IG/IN”) are administrative investigations for the purpose of detecting and preventing fraud, corruption and any other prohibited conduct affecting EIB Group’s activities. The EIB Group consists of the European Investment Bank and the European Investment Fund.
The legal basis for the processing operation is:
Article 325 of the Treaty on the Functioning of the European Union (“TFEU”);
Article 18 of the EIB Statute and articles 2 and 28 of the EIF Statutes;
Regulation (EU, EURATOM) 2018/1046 of the European Parliament and of the Council;
EIB Board of Governors Decision of 27 July 2004 concerning EIB’s cooperation with OLAF;
What personal information do we collect, for what purpose, and through which technical means?
In the context of its investigations, IG/IN collects identification data, professional data and case involvement data. This data may be used to assess allegations of Prohibited Conduct and determine whether any misconduct or wrongdoing was committed. It may also be used for contact purposes.
The data may be collected on the basis of a report by an EIB Group staff member or an external informant, including anonymous or confidential sources, and on the basis of publicly available information. The data may be collected by any of the means provided in the EIB and EIF Anti-Fraud Policies including by accessing any relevant information, documentation and premises of the EIB Group and/or the projects financed by the EIB Group, and by asking oral information from any relevant person.
The evidence collected is relevant to the matter under investigation and collected for the purpose of the investigation; it will include inculpatory and exculpatory evidence.
Who has access to your information and to whom is it disclosed?
Responsible IG/IN staff has access to your data. In addition, your data may be transferred to designated persons in the EIB Group, EU institutions, bodies, offices and agencies, international organisations and/or the relevant authorities in Member States, candidate countries or third countries in order to ensure the appropriate conduct of the investigation and in compliance with Articles 4 to 6, 9 to 11, and 47 to 50 of Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union Institutions, bodies, offices and agencies and on the free movement of such data.
How do we protect and safeguard your information?
In order to protect your personal data, a number of technical and organisational measures have been put in place.
IG/IN premises are part of a secured physical area only accessible to IG/IN staff and security services in order to prevent any unauthorised access to equipment and data. The IT systems used by IG/IN are subject to the IT security policy of the EIB which includes measures to protect the EIB IT infrastructures and systems. In addition, administrative measures include the obligation that service providers sign non-disclosure and confidentiality agreements.
How long do we keep your data?
Your personal data may be retained in IG/IN’s case files for at least five years and up to ten years after the closure of the investigation. If the related allegations were not substantiated, your personal data may be retained for a maximum of five years from the closure of the case.
How can you verify, modify or delete your information?
You are entitled to access, rectify and (in certain circumstances) restrict the processing of the data we hold regarding you. You may exercise these rights by contacting the EIB or the EIF, acting as data controllers in the context of their respective investigations, at the following e-mail address: firstname.lastname@example.org. Upon request and within three months from its receipt, you may obtain a copy of your personal data undergoing processing. Exceptions and restrictions under article 25 of Regulation (EU) 2018/1725 and relevant EIB decision may apply to EIB investigations. The relevant EIB decision is available here.
Right of recourse
You have the right to have recourse to the European Data Protection Supervisor (email@example.com) at any time if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by IG/IN.