Privacy statement for anti-money laundering and combating the financing of terrorism (AML-CFT) activities
1. Description of the processing operation
This privacy statement provides information regarding the processing of personal data carried out by the European Investment Bank Group in the course of reviewing complaints related to AML-CFT activities.
Personal data submitted to the EIB Group under the EIB Group AML-CFT Framework and its implementing procedures are processed under the supervision of the EIB as the data controller in accordance with Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (“Data Protection Regulation”).
2. What personal information do we collect and for what purpose and through which means?
The data categories which may be collected by the EIB Group in this context are mainly limited to identification data, data related to criminal activities and/or other miscellaneous business information, and will be collected exclusively for AML-CFT purposes. The processing of personal data for the purpose of AML-CFT is considered by the AML Directive to be a matter of public interest and as such, the processing is lawful for the purposes of the Data Protection Regulation (Art. 5(1)(a) Regulation (EU) 2018/1725; Art. 43 AMLD).
Data subjects include persons who directly or indirectly own counterparties (or potential counterparties) of the EIB Group, as well as persons entrusted with control and management of such legal entities (e.g. beneficial owners, shareholders, chairpersons, chief executive officers, boards of directors, management committees, supervisory boards, local authority councils or equivalent).
Personal data are collected from the data subject directly or via other publicly available sources (“Open Sources”) such as newspapers, specialised databases operated by the private sector, specialised external service providers or websites, and all reasonable steps are taken to keep such data accurate and up to date. Data quality is also ensured by recourse to automated solutions providing up-to-date data automatically selected by market providers. Automated tools have built-in functionalities to avoid confusion linked to e.g. homonymy and transliteration. Data provided by such tools are further screened and cross-checked by EIB Group staff to ensure the adequacy, accuracy and materiality of data in the course of the on-going monitoring throughout the life of the business relationship, without using profiling techniques.
When data are requested for the purposes of AML-CFT, supply by the data subject is mandatory. Failure to provide the requested data may cause the data subject (and if applicable the counterparty linked to such data subject) to delay the operational processes of the EIB Group or, as the case may be, to become ineligible to enter into a business relationship with the EIB Group.
In accordance with Directive (EU) 2015/849, controls on data subjects include controls relating to due diligence requirements for counterparties (i.e. identity of the beneficial owner(s), ownership and control structure and purpose of the business relationship), as well as for the assessment relating to the Risk Based Approach (i.e. when applicable, qualification of the data subject as a “politically exposed person” (see definition in Art. 3(9) Directive (EU) 2015/849, as amended and supplemented from time to time) or possible administrative and criminal records or proceedings in connection with criminal activities).
3. What are your rights and how can you exercise them?
As a data subject, you are entitled to access, rectify and, for duly justified reasons, to block and erase these data (“Rights of the Data Subject”), and may exercise your rights by contacting the EIB Controller by email (email@example.com) or telephone (+352 43 79 88 00) (attention of EIB Data Protection Officer).
Data subjects also have the right of recourse to the European Data Protection Supervisor at any time.
Restrictions to such Rights of the Data Subject may be imposed in accordance with the provisions of the Data Protection Regulation (Article 25 (1)) and more particularly for the prevention, investigation, detection or prosecution of criminal activities. Such restrictions, if applicable, are dealt with by the EIB Data Protection Officer on a case-by-case basis and will only be applicable for as long as necessary. The data subject, to the extent possible under the Data Protection Regulation, will be informed of the reason why his/her rights are restricted.
Where applicable, the recipients of the data so collected are limited to members of the EIB Group governing bodies, EIB Group internal services, EU institutions and bodies (such as the European Anti-Fraud Office (OLAF)) as well as, on the basis of a case-by-case analysis, national authorities including FIUs.