Hello, dear ladies and gentlemen, and welcome to the second panel of this morning. I hope the coffee break was not too short, so that you are rested and will stay with us. This panel will discuss the General Data Protection Regulation and its relevance for banking supervision. As was mentioned by Chiara Zilioli in her opening speech, the European Union is based on the rule of law, and fundamental rights are at the core of such a legal order. Fundamental rights must, within the applicable limits, be respected by all the acts created within the legal framework of the Union. Legislative acts, like regulations, for example, must comply with them, as well as individual decisions. Data protection is a fundamental right enshrined in Article 8 of the Charter of Fundamental Rights of the Union. Consequently, banking supervisors, including the ECB, must also comply with the rules of data protection enshrined in the Charter; for national supervisors, the national legal system may even establish additional obligations. The data protection-related obligations, in particular of public authorities, are further elaborated in two regulations. The first is Regulation 2016/679, more commonly known as the General Data Protection Regulation, the GDPR. This regulation establishes the data protection framework applicable to organizations established in the EU, as well as to organizations based outside the EU that intentionally offer goods or services to the EU or monitor the behavior of individuals within the EU. The second regulation is Regulation 2018/1725, the so-called EUDPR. This regulation establishes the rules applicable to the processing of personal data by EU institutions, bodies, offices and agencies, and is therefore applicable to the ECB. The rules of the EUDPR are similar, though not always identical, to the rules of the GDPR.
However, whenever the provisions of the EUDPR follow the same principles as the GDPR, those two sets of provisions should, under the case law of the European Court, be interpreted homogeneously, in particular because the scheme of the EUDPR should be understood as equivalent to the scheme of the GDPR. So, for our discussions, they are very close together. This is the message, and this is said in the recitals of the EUDPR. The first dimension of the relationship between data protection and banking supervision is consequently: how can banking supervisors ensure compliance with the obligations under the data protection rules? Such compliance may sometimes raise practical issues. For example, in an on-site inspection, individual credit files shall be reviewed, and such compliance may also require adjustments to the processes applied, but, as we will hear, it is feasible. In this context, we will also see how the divergent interests of the data subject, whose data are concerned, and the interests of supervisors, being controllers and processors in terms of the EUDPR or GDPR, are balanced by the law or have to be balanced in a concrete case. The second dimension in the relationship between data protection and banking supervision may not be as often. Banking supervisors are subject to confidentiality obligations. The professional secrecy regime is established as a counterpart to the broad obligation of supervised entities to provide information to supervisors. It requires banking supervisors to keep confidential not publicly known data whose disclosure is likely to adversely affect either the proper functioning of the system or banking supervision, or the interests of the person who provided the information to the banks, not only of a third party. Therefore, the professional secrecy regime shall in particular protect the legitimate interests of the supervised entities and may, as such, be required by fundamental rights, like the freedom to conduct a business.
The right enshrined in Article 16 of the Charter protects also commercial secrets against the perpetrient environment of the bank and the supervisor. In the majority of situations, the obligations of supervisors to keep certain information confidential and the obligations under data protection rules are in line. However, there may also be cases where a data subject may invoke rights under the GDPR or EUDPR which would require a supervisor not to comply with professional secrecy rules. This may, for example, be the case if an individual asks for access to personal data stored with the supervisor, which the supervisor received from an institution. In order to tackle these two dimensions, the presenters in this panel will first introduce the concepts of the EUDPR and the GDPR. Thereafter, the professional secrecy obligations of banking supervisors and potential conflicts with the rights of data subjects will be discussed. This will finally be followed by a view on the issue of how a banking supervisor can ensure compliance with the data protection rules and the challenges connected therewith, as well as on the role of the data protection officer in this context. The introduction to the basic principles and the definitions of the data protection regulation, as well as a discussion of the most relevant rights under this legislation, will be provided to us by Carolina Rosette Church. Carolina is one of the persons best placed to do this. She was one of the Commission's representatives in the inter-institutional negotiations with the Parliament and the Council on the General Data Protection Regulation, and currently is deputy head of the unit responsible for data protection at the European Commission and therefore is involved in the implementation of this.
Carolina previously served as a member of the European Commission's Legal Service, focusing on competition law and international trade law, and represented the Commission in numerous cases before the European courts and the European panel. Carolina, thank you that you are with us today in Brussels in the hybrid setting. Carolina's presentation will be followed by Sandrine Letocart. Sandrine is principal legal counsel in the Supervisory Law Division of the ECB. She has worked at the ECB since 2005 in various roles, among them as secretary of the Legal Committee. Sandrine started her professional life in private practice at the Brussels bar and also held positions as teaching assistant at different universities. The final presentation will be provided by Martin Daman, the data protection officer of the ECB and the European Systemic Risk Board. Before joining the ECB, he worked for the International Court of Justice, the European Police Office, Europol, and as a genocide researcher in Rwanda. You see, we have a diverse background in this panel. Finally, before giving the floor to Carolina, let me say a few words in terms of housekeeping. The presentations will be presented in one go, and the floor will be open for discussion immediately thereafter. Please therefore raise your hand for questions already during the presentations. Please do that so that you keep your questions perhaps also in order. Use for this the hand-raising function in Webex. We will register this and grant the floor in the order of hands raised. In doing so, we will call you out, and my colleagues administering the technical side, whom I thank here very much, will provide you the floor. Please remember then to unmute yourself and turn on the camera. Unfortunately, it will take a moment until you can speak. When asking your questions, you are invited to mention your name and function before posing the question.
Please mention also to whom your question is addressed, if it is addressed to a specific panel member. Now, without further ado, let me give the floor to Carolina for her presentation, which as a whole will then be made available to the public via the ECB's website. Carolina, the floor is yours.

Thank you very much. I hope it will not be disturbing in any event. Without any further ado, I would like to start with the presentation, and if we can move to the following slide. I would like to take you through the main objectives and major changes of something that is not so new anymore and has been applicable since 2018. So, why the change? Why the change from Directive 95, from the previous regulation which was regulating the processing of personal data by the European institutions? Because of the need to adjust data protection rules to the changes of the digital age. The use of personal data, the processing of personal data, the generation of personal data grew exponentially within the last years, and our legal framework needed to be, on the one hand, harmonized and, on the other hand, amplified. We had the problem, concerning the Directive, of various implementations at the level of the member states, so that in a situation where data was processed cross-border by big international companies, platforms as we refer to them nowadays, we were in a situation where, depending on the member state, different entities would be assessed to be the controller. We will hear who are the controllers, as distinct from the processors. There was also a different interpretation of what is personal data as such. So: introducing harmonization, simplifying, introducing flexibility, ensuring that our rules are technologically neutral, that we do not stop technological development but that we frame it, bearing in mind, as we heard in the introduction, that we are speaking here about a fundamental right and that not everything should be done and not everything should be allowed.
Another element, and one other consideration the Commission had when tabling the proposal, and then the two legislators, the Council and the Parliament, while preparing their positions on it, was to put individuals more in control of what is going on with their data. Here you see a big continuity between the rights provided for in Directive 95 and then in the GDPR. There were, however, some clarifications, updates and a new right of data portability added to it. What was guiding all the considerations and discussions in the Commission while adopting the proposal, and in the Council and in the Parliament, is to ensure that an individual can decide, or, to the extent possible, because some legal bases provide for cutting down on the possibility to decide, I think here in particular of when the processing is provided for by law, but to the extent possible to make an individual aware of what is going on with his or her data, how it is being used, who takes advantage of it, what kind of consequences can be drawn from the processing of data, and making individuals more aware of the vast amount of data they generate while using various devices. Finally, here at point C, we realized that in the brave new digital world this division along the borders did not make sense, for the regulation, but also the need to have this one law being enforced in one way, to have one interpretation, which would be better than just waiting for the final interpretation by the Court of Justice, when enforcement was done only at the national level and there was no other means of inducing consistency in the interpretation of the terms and rules provided for in Directive 95.
So what was done is to establish the cooperation mechanism, the mechanism of cooperation between... indeed, thank you very much, I should have moved to the following slide. So, a single set of rules, a regulation. I am at point one: one interlocutor and one interpretation, one-stop shop and consistency mechanism. The one-stop shop, the cooperation mechanism, what it provides for is that in all individual cases, in all cases concerning one complaint, one company, one controller, one undertaking which is undertaking the processing, there will be only one interlocutor, one data protection authority, which will be equipped with full powers, effective powers concerning investigation and concerning corrective measures, and all the other authorities will be cooperating with this authority, which is called the lead, the authority on the territory of which the controller or processor has its main establishment. This, matched with the consistency mechanism, so this one-stop shop cooperation mechanism matched with the consistency mechanism, leads to a unified interpretation of the data protection rules and the application of those rules in individual cases before the whole litigation, should there be one, goes through the national courts and then ultimately through the Court of Justice. How does it work? The data protection authorities which are concerned, because they have data subjects which are affected by a certain kind of processing or because they have received the complaint, and the authority on whose territory the controller or processor has its main establishment, will cooperate and agree on one interpretation of the regulation in this individual case.
Should there be differences between them, there is a possibility to discuss it; if this possibility to discuss does not bear further fruit, the authorities can move to the level of the board, the European Data Protection Board, which gathers all the national data protection authorities and the EDPS, and find there a resolution of the dispute. In such a case, the European Data Protection Board will adopt a decision which will be addressed to the lead and concerned authorities, providing for the interpretation of the regulation in this individual case. It is important to remember that this decision is addressed not to the undertakings, so not to the controller, processor or a complainant, should we be in a situation of rejection of a complaint, but to the authorities, the lead and concerned authorities. That decision will provide for the legal interpretation of the terms relevant for the resolution of this case, and the lead authority and concerned authorities will have to take this interpretation and apply it to the facts of the case while adopting the final decision. In this way, we created a uniform interpretation, and in order to ensure that we have a level playing field, we ensured that the territorial scope of the regulation is such that whoever offers goods and services on the territory of the European Union and targets our citizens will have to apply the same laws. So here we will no longer be in the situation where third-country companies will not be subject to the laws applicable in the European Union.
On the other hand, I am at the last point, cutting red tape: we cut down on notification requirements or authorization requirements; we moved to something called the accountability principle, where the controller needs to assess itself in the light of its obligations under the GDPR and will be required to contact the data protection authority only in very specific cases; here I think in particular of the case of residual risk remaining after a data protection impact assessment was done. Let us move to the next slide, where I will address points which concern the scope of application of the GDPR, and I will take you in more detail through, for example, the first point, which defines the application of the GDPR and EUDPR: they are applicable only when we speak about personal data. We will hear what personal data is, but in a situation where there is no longer personal data, where data is anonymized, the GDPR and EUDPR do not apply. The material scope of the GDPR, Article 2: business operators, also public authorities, except when we speak about police and law enforcement authorities, to which the Police Directive, the so-called Law Enforcement Directive, is applicable. Processing for national security purposes is also excluded from the application of the GDPR, because EU law does not apply to it, but here I flag, and it is something very, very much discussed nowadays in the light of all the Pegasus discussions which are growing like mushrooms in different member states, that this cannot be a bogus national security claim coming from the member states. The jurisprudence of the Court of Justice is fairly clear on this, and the member state needs to justify that it is a genuine national security purpose which is being pursued, and surveilling journalists or MEPs, members of the national parliaments, will very rarely qualify as such. The GDPR also does not apply when individuals process personal data for purely personal or household activities; it is an exception and as such it is to be
interpreted in a very narrow way. Territorial scope, Article 3: I mentioned it already while discussing the previous slide, when speaking about the level playing field, to which extent the GDPR applies also to third-country undertakings which are offering goods and services on the European territory or are targeting our residents; the criteria for such targeting are provided for in the GDPR. And next slide, if I may: the difference, and Klaus mentioned it already very shortly, between the GDPR and the EUDPR. Why the need for the EUDPR? You may ask yourself, well, the GDPR applies to the public sector also, so why is there a need for the European institutions, agencies and bodies to have a separate regulation? Well, the specificities of our work and the fact that we are speaking here about the public sector only. Concerning the interpretation of the EUDPR, I am referring in particular to the recital: whenever the provisions of the EUDPR follow the same principles as the GDPR, which is the case for the provisions concerning transparency and rights, the provisions of the EUDPR and those of the GDPR should be interpreted homogeneously, because the EUDPR is by no means to mean that the European institutions, agencies and bodies are subject to less strict control concerning the legality of the processing of personal data. Okay, let us move to the definitions, the next slide, and I will cover the definitions most relevant for our presentations and our discussions today: the definition of personal data, what does it mean; what is the difference between pseudonymization and anonymization, which are very often mixed together, and very often it is misunderstood that aggregation, even very high-level aggregation, or pseudonymization of data is sufficient in order to exclude the application of the GDPR or EUDPR. I will mention shortly the special categories of personal data, and I will devote
more time to the definitions of controller, processor and joint controllership. So what is personal data? Personal data is data which includes information which allows to identify, or any information actually which relates to, an identified or identifiable living individual person. The GDPR does not apply to deceased persons; it is up to the member states to decide how the data of deceased persons is to be protected. So different pieces of information which, collected together, can lead to the identification of a particular person constitute personal data, and personal data that has been de-identified, encrypted or pseudonymized but can lead to re-identification of the person remains personal data and falls within the scope of the GDPR. Personal data is being protected regardless of the technology used for the processing of this data; the GDPR, as I mentioned before, is technologically neutral and applies to both automated and manual processing, provided that the data is organized with predefined criteria, for example alphabetical order. It does not matter how the data is stored, so for example in an IT system, through video surveillance or on paper; in all these cases the GDPR and EUDPR are applicable. In this context, what really constitutes processing? It covers a wide range of operations performed on personal data, as you have already heard, be it by manual, be it by automated means: collection, recording, organization, structuring, alteration, consultation, use or otherwise making available. It is a very, very broad definition. Between this very broad notion of identified or identifiable and the broad understanding of processing, it is very difficult to find, and here I will move to pseudonymization versus anonymization, to find data which will be truly non-personal when in the beginning it referred to an individual. To give you a flavor: according to the Court of Justice, even dynamic IP addresses are considered personal data, even the very
aggregated and very secured keys on our COVID apps are personal data; therefore the application of our COVID gateway and the codes which the member states were exchanging were protected under the data protection legislation. What is then the difference between pseudonymization and anonymization? Pseudonymization is a kind of safeguard; it reduces the privacy risks because it encrypts the data and makes it more difficult for somebody who, for example, does not possess the key to identify individuals. Nevertheless, it is still personal data because it can be attributed to an individual by a person which has additional information, an additional data set, where two data sets matched together will make it possible, from data which a priori cannot lead to an individual, to lead to an individual or to an identifiable person. Now, the data can be rendered anonymous, but in order for the data to be anonymous it must be truly anonymized, in the sense of irreversibly. You can already imagine it is a very difficult exercise, which in the light of the recent technological developments is very difficult to achieve. On the other hand, the GDPR in particular does not provide for an absolute test; the measure is still the state-of-the-art knowledge and also the financial resources which would be necessary to deploy in order to re-identify, to render anonymous data again personal. So it is not an absolute test, but a test which has there some openings, and, for example, the European Data Protection Board is discussing now guidelines concerning the anonymization techniques, or the test for pseudonymization and anonymization. And indeed, for example, the test of the costs which you see on your slide is not that of the financial capacities of an individual undertaking but an objective one. And there exist, and I would like to move here to the next slide, special categories of data, so-called sensitive data, which are
protected even more. This is data the disclosure or the processing of which could create more significant risks to the person's fundamental rights and freedoms, by, for example, leading to discrimination on the grounds of sexual orientation or political views, or because of health status, and the processing of such data, so whatever can be done with it, is subject to additional and specific conditions which are provided for in the GDPR in Article 9. This is an explicit consent, so a kind of consent which is even clearer than the consent which allows for the normal processing of personal data, and an array of situations which provide for this possibility, and the vast majority of them will need to be provided by law, for example social security and public interest, or some legitimate activities of foundations, associations and so on. Bearing in mind the time, I would like to move to the next slide, so interesting for us: the definitions of controller and processor, the definition of joint controllership, and the rules under the GDPR and EUDPR which regulate the responsibility of these entities and the relationship between them. Who is a data controller? A data controller is a natural or legal person who determines the purposes for which and the means by which the data is being processed. The controller bears the main responsibility for the processing under the EUDPR and GDPR. In the setting of public administration, the identification of the controller will very often be made on the basis of the law: the law will provide who is the controller. In case this is not done, it will be derived from the tasks which the entity has to fulfill and the responsibilities which are attached to it. The processor is a person or an entity, a public or private body, which will be responsible, if we can go back to the slide, exactly, which
will be responsible for the processing of data on behalf of the controller. The processor can still use another processor to process personal data on its behalf, which is called a sub-processor. And going back now to the controller, to the next slide: the controller's responsibilities or choices concerning the processor are subject to the test of sufficient guarantees. The controller can only use, if it is not provided for by law which processors are to be used, processors which provide sufficient guarantees. The controller has also all the interest to do so because, bottom line, the vast majority of the obligations under the GDPR, and under the EUDPR even more, because there it is very often provided for by law, are attached to the controller, and the processor has very few obligations coming directly from the legislation. If something goes wrong, it is the controller who will stand up for the compliance with the GDPR and will be liable for compliance with all the aspects of the GDPR and for demonstrating such compliance. Joint controllership, which...

I am sorry, I apologize for jumping in, but in light of the time I would suggest that we perhaps leave joint controllership for the discussion, because I would guess there may be questions on that, and perhaps we just go to the slides on the rights.

Okay, perfect. The rights: if we can go to the slide concerning the rights. The rights which are provided for, I have here the article from the GDPR; the same applies to the EUDPR: information, access, rectification and erasure. The remaining ones are very rarely, if at all, used in the setting of public administration, where the processing is provided for by law or attached to the task exercised by the authority. Information: the individuals have to receive the information on the name, the purposes, the categories of personal data processed, the legal basis of the processing, the length of the processing, how
long the processing will take place, whether data will be transferred outside of the EU, on the basic rights, the right to lodge a complaint, and, should the processing take place on the basis of consent, the right to information concerning the right to withdraw the consent. Concerning access, the individuals have the right to ask and obtain from the organization confirmation as to whether the data is being processed, whether this entity holds any data which concerns the individual, and the right to access that data, which can be provided in the form of a copy, and the individual can have access to all relevant additional information concerning the processing. The right of access should be easy and generally free of charge. What happens if the data is incorrect? When it is incorrect, incomplete or inaccurate, the individual can ask the undertaking, company or organization to correct such data, and the controller is obliged to do so without undue delay, or to justify in writing why it is not done. And the last one I would like to mention here is the right of erasure: one can ask for the deletion of personal data when this data is no longer needed or where it has been used unlawfully. In the setting of banking supervision, it will be regulated by law how long such data can be processed and how long it can be stored. Concerning the restrictions of the exercise of the right of erasure, I leave it to Martin, who will take you through it. I think I will stop at this stage, and I am looking forward to the discussions, and in particular further discussion on joint controllership, on which, well, I dwelled too long on other issues and I am not able to cover it now. Thank you very much.

We thank you very much for this very rich presentation, a lot of detail, a lot of information on this substantive piece of regulation. For me, I would say, we have to carry on three things, which we will elaborate on more:
the concept of personal data, the concept of who is responsible, and the concept of the rights of the data subjects. This will now be discussed more in the further presentations. Thank you.

Katarina, I am very grateful that you managed to expose the rights of data subjects, because then it offers me an easy transition; I would have been a bit embarrassed otherwise. So Katarina explained the rights of data subjects over their personal data. The question that I want to explore now, you can move directly to slide four, is how these fundamental rights interact with the duty of professional secrecy that EU law imposes on supervisory authorities. Just to avoid misunderstandings, my presentation will focus on professional secrecy and not on banking secrecy, so I want to address possible obligations and possible conflicts between data protection obligations and the obligations that banks have to protect the confidentiality of the data entrusted upon them by their clients. Those of you who attended the 2020 edition of this legal conference may remember the panel on professional secrecy, where it was explained that professional secrecy of supervisory authorities is not only meant to safeguard the private interests of banks but is also, and I would say maybe first and foremost, aimed to protect a general public interest, which is the proper functioning of the banking system. And that is based on the assumption that if banks do not have the assurance that the data that they give to the supervisor will remain confidential, then the flow of information between the supervised entities and the supervisor may be impaired, and the same for the flow of information between one supervisory authority in a member state and a supervisory authority in another member state in the context of the common market. So this consideration, this general public interest, was confirmed by the Court of Justice in a series of preliminary rulings; the year 2018 has been particularly
fruitful in that respect, because we had three judgments of the Court, Buccioni, Baumeister and UBS Europe, in the same year. So it is a little bit against this background that the question arises of how this professional secrecy obligation, which aims to foster an objective of general public interest, interacts with a fundamental right which is the right to data protection. Are these antagonistic, and if there are possible tensions, how can they be resolved? But before starting to address that question, I think we need to ask ourselves a question: do supervisors process personal data at all? Because personal data is information relating to a natural person, and it is not immediately clear, since the object of prudential supervision, the supervised entities, are legal persons; it may sound counterintuitive that supervisors would process personal data. On the other hand, those of you who work in banking supervision know that of course legal persons are operated by natural persons, that natural persons are the recipients of banking services, that banks have exposures to natural persons, and also the concept of processing in the EU data protection framework is defined very broadly, so it starts from the collection of the data to various forms of storing, and it does not necessarily require that the authority who holds the data actively uses them. So that explains, you can move to the next slide, that supervisory authorities actually do hold, or, if I want to use a technically correct term, process a fair amount of personal data, for instance in the context of fit and proper assessments of members of the management body, when assessing the suitability of shareholders or proposed acquirers of qualifying holdings, in the context of on-site inspections, notably on credit risks, or following a whistleblower complaint. And these data can range from financial or administrative data to details of a natural person, their criminal records, and it can even cover
information about the family relationships of individuals so that's when the the existence of conflicts of interests is assessed when assessing the suitability of members of the management body so therefore next slide please therefore you see that supervisors do hold personal data so that's the first takeaway from this presentation then comes the next preliminary question which is but is there any possible conflict because what supervisors when they are processing personal data their obligation under the data protection framework so their obligation vis-à-vis data subjects is to provide access to the data of the data subject itself so how can that possibly conflict with their professional secrecy it's not that they have an obligation to provide data concerning other data subjects and to answer this preliminary question we will move on the next slide to well first two things first a brief overview of the professional secrecy regime to see what it covers so where can there be a conflict and then a brief analysis of two in particular I singled out two rights of data subjects which are the right of access and the right of information so how the scope of these rights then can come into conflict with professional secrecy if you can go back to the previous slide yes the legal basis for professional secrecy regime lies in article 53 of the CRD which is made applicable to the CB through article 27 of the SSM regulation I will come back to this provision later when I will see the possible hierarchy between data protection and professional secrecy so just keep it in mind under article 53 you see it on the left hand side of the presentation in order to be covered by professional secrecy information must fulfill three main conditions it must be received by persons employed by supervisors in the course of their duties and information must be on a confidential nature you will see that I've put a little asterisk by close to persons employed that's just because the text of article 
53, and that is a common feature of most provisions laying down professional secrecy obligations, gives the impression that the obligation is imposed only and foremost on natural persons. You have the same characteristic in Article 27 of the SSM Regulation; you have the same also in Article 37 of the Statute or Article 339 of the Treaty on the Functioning of the EU. And of course it doesn't mean that the supervisory authority is only bound by professional secrecy through the obligation that is imposed on these natural persons; the authority itself is directly bound by the obligation. If I take the example of the CRD, you find confirmation of that in the following provisions, notably those on exchange of information, and you also find a confirmation of this in the case law of the Court of Justice. Then another textual comment is that professional secrecy does not only cover information received by the supervisory authority, but it also covers information which is produced by the supervisory authority. So for instance, the assessment that the supervisor makes on the basis of the data that it has received from the bank, or that it has collected from other sources: the supervisory authority's assessment is in itself covered by professional secrecy.

Then we have the second condition, on the same slide, which is that the information must be produced in the course of the exercise of supervisory duties. Just a small clarification: this is of course broader than just financial information about the bank. For instance, when we receive information for the purpose of an assessment of reputation and professional competence, in the context of the assessment of proposed acquisitions of qualifying holdings, it does not necessarily cover financial information about a bank; it will cover information about the criminal history of the proposed acquirer or his education details, but that is also information protected by professional secrecy. So not only information about numbers. I mentioned earlier, for instance, that family relationships between individuals are also covered by professional secrecy when we receive that kind of information in the context of the assessment of conflicts of interest. So you will see, or we already see, that what seem to be two completely separate worlds, the personal data of a natural person and the professional secrecy of a supervisory authority, actually do have points of friction.

Then I come to the third criterion, which is that the information must be confidential. The Court has clearly said, or clearly clarified depending on your view, that not all information that is held by a supervisory authority is confidential in nature, so you need to add it as a third layer of assessment. The concept of confidentiality is not defined in the Capital Requirements Directive, neither is it defined in any other sectoral legislation, so in legislation and secondary legislation in the financial sector, and therefore the Court provided a uniform definition of that concept of confidentiality in the Baumeister case. This is one of the three 2018 cases that I mentioned earlier. The test is divided in two parts, and the second part has two limbs. The first part is that, to be confidential, the information must not be public. The second part is that you must assess that the disclosure of the information is likely to affect, and there you have the two limbs: first, the interest of the person who provided the information or the interest of third parties, these are the private interests covered in the first limb; and the second limb, and it's an "or", not an "and", so these are not cumulative conditions but alternative ones, is the proper functioning of the system for banking supervision. If that interest is likely to be affected by disclosure, then the information is confidential.

I had promised you that I would do a quick overview of the rights of data subjects to see where these frictions, and we've already seen that some might come, can arise. Data subjects first have the right to access their personal data. In this respect the controller must, when it receives a request, inform the data subject about the legality of the processing, and what is interesting to note is that it only needs to inform of the legal basis for the processing. In our case it would be sufficient to say that data is processed in the context of the performance of the ECB's tasks under the SSM Regulation; there is no need to identify the type of supervisory procedure. So you do not need to say "we have been collecting your data in the context of the reassessment of your fitness and propriety as a manager"; you just say "in the context of the ECB's tasks under the SSM Regulation". The second thing on my slide, but there are many others as you see, is that the information that the controller must give is about the content of the data. In this respect, to define a bit what the scope of this obligation is, you have to think of the purpose: the purpose of this obligation is to allow data subjects to check whether the information processed by the controller is correct, so to exercise the right of rectification, and therefore you must provide the information that allows them to exercise the right of verification. One issue that arises in this context is whether data subjects have the right to access the raw data, or whether they have to be provided with the controller's assessment, the authority's assessment, which is based on such data. And here you have a standard view, according
to which it is sufficient to provide data subjects with a full summary of the raw data, and that is based on the consideration that the assessment which would be based on such raw data is not as such subject to a check of accuracy under the data protection legislation. This is the view that was clarified by the Court of Justice. And then you have another view, which is broader, which is currently to be found in draft guidelines of the European Data Protection Board, and which is that the access must cover not only the raw data but also the result of any subsequent analysis or assessment. What is not very clear is whether the case law on which this broader view is based was case law of general application, in which case it might call for a review of the standard view which is in the first bullet point, or whether this case law really has to be limited to the type of cases that gave rise to this judgment of the Court, which was the review of exam papers. Time will tell.

Then there is a second right of data subjects that can give rise to frictions, which is, if you can go to the next slide, the right to be informed, and I mean with that the right to be informed ex officio, that is without having to ask for it. So the right to be informed that your personal data are processed, and that right, or the corresponding obligation, arises for the controller when it is processing information that it did not directly receive from the data subject but that it received from a third party. So it allows the data subject to know a little bit what is happening with their data.

Then comes a question: do we have possible conflicts? If we take stock of what we've seen so far concerning the scope of professional secrecy and the extent of the information that supervisors must provide to data subjects, I think that the intermediate conclusion is that there is little room for conflict. Why? Because the controller does not need to reveal the type of procedure in the context of which the data is processed, so it would not need to reveal its supervisory strategy, which would then fall under professional secrecy. A second reason is that the information to be provided is data on natural persons, and that it will only be provided to these persons, who either ask for it or, in the case of information, those persons who are concerned by the data. So it is a bit difficult to imagine that such disclosure could affect the interest of this person, the interest of third parties or the interest of the system for banking supervision, which are the three conditions we saw earlier that, under the Baumeister test, define what information is confidential and therefore protected by professional secrecy. In addition, I would say that in the case of the data subject's right of access, disclosure is in principle limited to the raw data and not to the subsequent assessment which is carried out by the supervisory authority by using this data. So it seems that it is more likely that conflicts would arise, and these are the two cases that I listed on the slide, in the case where the supervisor has the duty to inform that it processes information that it has received from a third party, because that could have an alerting effect, and then, in certain cases, that's the case of the credit files, you can imagine that it can even have an impact on the bank's reputation. How these conflicts, I mean how this right to be informed, is treated by the ECB in the context of its data protection obligations will be addressed by Martin, so you have to wait a little bit longer.

You can move on to the next slide. But still there remain situations, even if the scope for conflict is, I would say, prima facie rather limited, there remain situations where a conflict exists, and when we have these situations, how do we resolve these tensions? Does professional secrecy trump data protection, because professional secrecy would pursue an objective of general public interest while data protection, being a fundamental right, is still directed only at the protection of one individual? Or is it the other way around: do we consider that data protection, being a fundamental right, necessarily trumps professional secrecy? Or is there a middle way, a balancing exercise that has been done either by the legislator or that could be done in another way that would allow these two principles to coexist? Martin will explain the hierarchy between the Charter and secondary legislation in general, and the possible limits that secondary law can impose on fundamental rights under Article 52 of the Charter. I will just break the secret now that the result of this analysis is that Article 53 of the CRD, professional secrecy, does not meet the tests to limit fundamental rights. So we have to dig a little bit deeper. You will see on my slide that I did not envisage a conflict between two fundamental rights, because you could have on the one hand data protection as a fundamental right, and then on the other hand you could also have the freedom to exercise a business, Article 16 of the Charter, or the protection of property rights, Article 15; these rights, the second part, would somehow in certain circumstances be covered by the interests, the private interests, protected by professional secrecy. I did not envisage that kind of conflict because I failed to see practical cases where I could imagine that providing to a data subject information about the data that we have about this person would constitute a breach of Article 16 of the Charter, freedom to exercise a business, or Article 17, especially 17(2) maybe, intellectual property rights. So that's just because, maybe, of my lack of imagination that this does not figure on the slide. But if we come back to the secondary legislation
that we have, the European data protection regulation, sorry, is silent about the articulation between professional secrecy and data protection. It doesn't have a general exception that would exclude personal data covered by professional secrecy from its scope. It has one specific exception covering professional secrecy, but as it relates to the right of information I will leave it to Martin to explain; in any event it is a specific and not a general exception, in a specific context. On the other hand, the Capital Requirements Directive, in its Article 62, does have provisions on data protection, and it clearly imposes on competent authorities, so on supervisors, the obligation to respect the applicable EU data protection framework in the context of their supervisory tasks. And there I come back to Article 27 of the SSM Regulation, which I announced earlier. You could say, well, Article 27 of the SSM Regulation only makes the CRD provisions applicable to the ECB as far as they concern professional secrecy and exchange of information, but it doesn't have a renvoi to data protection. But that, I think, is not a very convincing argument, because Article 62 of the CRD is precisely inserted in the section entitled "exchange of information and professional secrecy", so it is implicitly covered, and we also have a confirmation of this interpretation of the SSM Regulation in its recital 27, which clearly states that the Union data protection framework is fully applicable to the processing of personal data by the ECB for the purposes of the SSM Regulation. So the conclusion is, we saw there is a limited scope where conflicts might remain, and in that limited scope supervisors may not oppose their professional secrecy obligations to decline disclosure obligations to data subjects.

However, even in this case, you can go to the next slide, even in these cases where a conflict may exist, we have a tool in Article 25 of the EUDPR, where the legislator has allowed institutions to balance certain interests. Martin will explain later what the conditions are to activate this provision in order to restrict the controller's data protection obligations. This tool has been implemented by the ECB in a decision, you have the reference number on the slide, and this decision provides for certain restrictions of data subjects' rights when the exercise of these rights would jeopardise or adversely affect the performance of the ECB's supervisory tasks or the safety and soundness of banks and the stability of the financial system. I would just like to conclude on that slide that you see from these two criteria, these two cases where rights can be restricted (there is a third one, but Martin will also address it, and it is less related to professional secrecy), that these two are more related because they echo a lot of the Baumeister test. The one thing that they do not echo is the first limb of the Baumeister test, the protection of individual interests that would render information confidential and therefore subject to professional secrecy. We do not have an exception in this decision implementing Article 25 that would allow to restrict the rights in order to protect this information. However theoretical a possible conflict may seem, in case of a conflict one thing that should not be forgotten is that the controller can still apply certain provisions of the EUDPR in order not to provide the information; that would be, for instance, if the rights of the bank or third parties would be affected by disclosure. But still, this is not totally the same as the first part of the Baumeister test, because the first part of the Baumeister test refers to the protection of an interest, it is if the interest of a person is likely to be adversely affected, while Article 17(4) of the EUDPR sets the bar higher and requires a conflict with rights of a third party and not only interests. I think that I have to stop because of time; maybe we can address that later. Thank you.

Yeah, thank you again very much for this also very rich presentation. I would take four points here: personal data can be data that is subject to professional secrecy obligations; the two conflicts are access to personal data and the right to be informed; the solution may bring us back to the hierarchy of norms, which Martin will discuss a bit more; and Article 24 may provide a reconciliation instrument. So that brings us, after exploring the room for conflict between data protection and professional secrecy and having first gained an impression of what the data protection rules are, to the third part, which Martin will cover: in particular, how do we comply with these data protection rules as supervisors, and what is the role of the data protection officer in this team? Thank you.

Thank you very much, Klaus, and also a warm welcome from my side to all meeting participants on this beautiful sunny day here in Frankfurt. So we have seen that data protection is a fundamental right in the Union, and Sandrine mentioned the two worlds, the possible friction between professional secrecy and data protection, and so this really begs the question: does data protection actually undermine effective banking supervision? Now, I profoundly believe that the exceptions and restrictions that the GDPR and EUDPR make available actually allow a reconciliation between the two, and that transparency and professional secrecy are not mutually exclusive but complementary objectives. Next slide please. Now, Klaus and also Carolina mentioned data protection as a fundamental right, meaning that not only the legal acts but also all administrative decisions, for example a fit and proper assessment by, for example, the ECB as banking supervisor but also national competent authorities, must respect this principle, observe its principles and also promote it. But of course, like almost
all fundamental rights, it is not an absolute right. Now, the Court of Justice has specified that when a fundamental right is limited, the legal basis which permits this interference with the fundamental right must itself define the scope of the limitation. So the mere fact that banking supervision is undoubtedly an objective in the general interest of the Union is not sufficient, of course, to limit data protection. So in the next slides we will actually explore how the right to data protection can be limited and under what circumstances.

Well, here are a number of data subject rights that Carolina has already introduced, and the first and very important exception is that the controller, so the entity that holds the personal data, can decline a data subject request in case it is unfounded or excessive. Now, these obligations of the controller must always be interpreted in the light of fairness and proportionality, and here a balance must be struck between, on the one hand, the data subject's rights and, on the other hand, the burden that is imposed upon the controller. Now, it is very important to understand that as a data subject one must not justify or explain why one makes use of a data subject request. Now, in an ongoing case before the Court of Justice, Advocate General Pitruzzella has made a statement saying that a fair balance leans towards greater attention being paid to the protection of data subjects, and that is because the burden of demonstrating the unfoundedness or excessiveness lies with the controller. And I think it is fair to say that we have seen in recent years that the Court of Justice leans towards a very data-subject-friendly interpretation of the GDPR and EUDPR. So what exactly is this excessiveness, and what would actually determine whether or not a request is excessive? There are various elements. First of all, it depends on the sector in which the controller operates. It also depends on how often changes occur to personal data. It also depends on what damage a refusal of such a data subject request would actually constitute to the individual. What is the period that is covered? For example, there is a court case from the Berlin-Brandenburg court saying a request that covers more than 50 years is excessive. And also, of course, the sensitivity and the quantity of personal data. And I think as a rule of thumb one could say: the higher the risk to the individual, the narrower the exception should be interpreted. To give a very concrete example: in an ongoing assessment of the fitness and propriety of a future member of the management of a credit institution, it is less likely that this is excessive, because simply changes are constantly made to personal data and there is very likely to be a lot of sensitive personal data, for example a copy of a criminal record. Once the fit and proper assessment has been concluded and there is no further operation on personal data, and ideally some of the sensitive personal data such as a criminal record has been omitted from the file, repeated requests for access are more likely to be excessive.

When taking a look at the different transparency obligations: as a controller one has to provide certain information to a data subject, for example the purposes of the processing, the time limits, the contact details of the DPO and so forth. Well, first of all, if the data subject already has the information, there is no obligation to provide this information again; it is very natural actually, but of course, as always, the burden of proof lies with the controller. Therefore, for example, it can sometimes be useful that one has proof that the privacy statement has been provided. The next, more important, exception is in case the provision of the information is impossible or would involve a disproportionate effort, and again a balance needs to be made; it is not only focused on the controller but is also looking at what
the data subject's interests are, and then this balance must be struck. Here I would say, as an example in banking supervision, if a JST has a loan tape with information on several thousand individuals, it would be impossible, or at least disproportionate, if the SSM would have to individually inform all of these data subjects. I think here the solution would actually be that it is the credit institution informing their customers that potentially the SSM, as banking supervisor, may obtain their personal data. The next exception would be that the provision of the information is likely to render impossible or seriously impair the achievement of the objective. Now, of course, this presupposes that the processing satisfies all data protection principles, such as legality and proportionality and so forth. Here as an example one could take the future European reporting system for material CFT/AML weaknesses, the so-called EuReCA database on anti-money laundering. Of course, if data subjects would be informed as soon as their name is included in a database of suspicious transactions for money laundering, this would completely undermine the objective of this database. So this is, for example, where this exception could actually be invoked. Of course, these exceptions are always limited in time and must be re-evaluated regularly. Then the next exception would actually be when the obtaining or disclosure of the information is explicitly laid down by Union law, and then, this is also important, this is added: which provides appropriate measures to protect the data subject's interests. So for example, let's take a look at the whistleblowing mechanism in Article 23 SSM FR that the ECB operates. Of course this is laid down in Union law, so this qualifies for the first part of this exception; however, there is a second cumulative criterion which says that there need to be these appropriate measures for data subjects, and these are not in Article 23 SSM FR, and this is therefore, for example, probably not suited to reject a request to access whistleblowing reports. What are our other solutions? Of course, and that actually brings us to the last exception for the transparency obligations, which is where personal data must remain confidential subject to an obligation of professional secrecy regulated by Union law, which Sandrine has previously explained in great detail. Now, classic examples are of course a lawyer-client relationship, the protection of journalistic sources or medical confidentiality, but also ECB staff, the members of the ECB governing bodies and staff of national central banks and competent authorities also have an obligation of professional secrecy. Now, this is not a blank check to turn down any data subject request; this actually only provides an opportunity to occasionally apply an exception when it must remain confidential. But I think in the case of a whistleblowing report this is definitely a justified situation. As a little side note, data protection officers are also bound by the duty of secrecy and confidentiality in the performance of their tasks, so for example if the DPO advises a JST and obtains personal data of a bank employee, then the DPO doesn't need to inform the bank employee and can also turn down a request to access his or her data.

The most common and most important data protection right is the right of access; we have quite a number of those every year at the ECB. Now here, as a little preliminary remark, this is not the same as the right to public access to documents, which is something different; this is to access your own personal data. Now, the first exception, and this might sound very trivial but it is not, is that the data must be in the possession of the controller. Well, first of all, of course it is not in the possession of the controller in case it is deleted, and here I emphasise again the duty of the controller of data minimisation, to delete personal data that is not needed. That is actually your way out of receiving personal data requests: not having personal data in the first place. So this is a very important aspect. But the other part is also that sometimes the controller doesn't have the information yet; one of the pieces of information a data subject may receive is, for example, "who are you transferring my data to", but this is not always known at the outset. Limiting the right of access in time, for example to only the last year, when the data is stored for a much longer period is of course not a fair balance, and this was confirmed in the so-called Rijkeboer case by the Court of Justice. Now, the other exception is that the right to obtain a copy shall not adversely affect the rights and freedoms of others, and here it is not just the mere fact that it affects but it needs to adversely affect another person. Now here is an example from the Finnish data protection authority: a request for a copy of the personal data of a spouse relating to a bank account was actually adversely affecting her. Now I think if two spouses have a case against each other before a data protection authority, probably data protection is the least of your concerns. Now, if it says "others", who is it referring to? This is of course any individual in the first place, but it could also be the controller or the processor. For example, in a JST report the names of members of staff of NCAs might be mentioned; it could be that we need to omit them if the provision of their names would actually adversely affect them. Which brings us to the next data protection right, which is the right to erasure. Of course, here the exception is exercising the right of freedom of expression and information, very important, for example requesting a newspaper to delete a name in a press article, and also the establishment or exercise of legal claims, or compliance with a legal obligation. I think for banking supervision the most important is the exception of the
performance of a task carried out in the public interest; banking supervision by definition is carried out in the public interest. Now, as a counter-example, for example in a fit and proper assessment, in principle the data would be kept and there would be no grounds to erase it; however, in case the candidate withdraws his or her application, then of course the SSM would have to demonstrate that there is still a legal obligation to retain the personal data after the withdrawal, and that would have to be assessed case by case.

Next slide please. Now, these are the exceptions that you will find in the GDPR and EUDPR, and now I focus on restrictions. Restrictions are different in several facets. First of all, the restrictions under the GDPR are provided for by Union or member state law by way of a legislative measure, and they are about all data subject rights. Now, when it says "legislative act", that does not mean that it needs to be adopted by the parliament; I think the Court of Justice and also the European Court of Human Rights have repeatedly stressed that what is important is that this legal act is sufficiently clear and gives individuals an adequate indication of the circumstances in and conditions under which controllers are empowered to resort to such a restriction. So that's really the element of foreseeability. Now, under the EUDPR the legal acts are adopted on the basis of the Treaties or internal rules laid down by the Union institutions; as Sandrine mentioned, the ECB adopted such a decision last year for banking supervision. Now, under the EUDPR, oddly, not all data subject rights can be restricted; for example, the right to object and also to automated individual decision-making is not included under the EUDPR. So there are some nuances, some differences between both legal regimes. What we see in practice is that national competent authorities tend to rely on exceptions, because they are given by the GDPR, whereas EU institutions such as our banking supervision colleagues tend to resort to restrictions, because they are adopted by ourselves. Now, restrictions always need to respect the essence of the fundamental rights and freedoms, and they must always be necessary and proportionate in the democratic society that we enjoy. Now, there is a quite long list of safeguards that allow institutions to adopt restrictions; I would only focus on two. The first one is other important objectives of general public interest, so this obviously includes banking supervision. Next slide please. And then, most importantly of course, a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority; so this is definitely also the case in banking supervision. Now, also here, interestingly enough, under the EUDPR we have a number of additional safeguards, for example in terms of the security of the Union but also common foreign policy, which are not included under the GDPR.

Next slide please. Now, as you might have seen already in the previous slides, there is a difference between the GDPR and EUDPR, and for someone working as a DPO at the ECB, who of course interacts on a daily basis with national competent authorities who fall under the GDPR, this is something that we actually witness day to day. As I mentioned, there are material differences: for example, the EUDPR restricts the application, whereas the GDPR restricts the scope of the obligations and rights; the restrictions are different, and there are also a number of differences in the wording, for example breaches of ethics for regulated professions is mentioned in the GDPR but not in the EUDPR. Now, if we look at the restriction decisions: at the ECB we have taken restriction decisions; NCAs do not have such a possibility. Now, whereas member states can actually decide to further restrict or further implement the GDPR, it is not fully harmonised. Two examples would be, for example, the processing of criminal convictions, which varies between member states, and that is important for example for fit and proper assessments; another example is that some member states allow the restriction of access and erasure rights for credit registers, for example in Spain. Now, this really means that we treat individuals differently just depending on the applicable restrictions. So for example, if a new board member of a credit institution in member state A wants access to fitness and propriety information, it could be restricted, whereas in another member state there may not be the possibility to restrict it, simply because of different national laws, and then as a third avenue this person might also request access or other rights at the ECB, where then the ECB restriction decision applies. And this becomes particularly problematic in cases of joint controllership. Well, in two words, what is joint controllership? That is simply that several controllers jointly determine the means and purposes, so they are jointly responsible for the processing; they need to conclude an agreement and then jointly process personal data. This is something that could, for example, be the case between the ECB as banking supervisor and national competent authorities or NCBs. Now here is the first issue: as a data subject one always has the right to address any controller; this is foreseen in Article 26(3) of the EUDPR and GDPR, that no matter what the joint controllership agreement determines, you can always address any controller if you want access. Now obviously, as a data subject, what you will do is you will address that controller where the least restrictive provisions are in place, so this bears a risk of forum shopping, or you could issue simultaneous data subject requests and then possibly have different outcomes. Of course, with joint controllers you have different data protection supervisory authorities: at the ECB we fall under the EDPS, whereas at national level you have one or more national data protection authorities, which leads of course to a fractured interpretation of exceptions and restrictions, and in cases where a complaint is lodged, data subjects might probably opt for the strictest data protection authority. And we have seen that the enforcement of the GDPR is one of its Achilles heels. Also the administrative fines: the GDPR does not stipulate whether or not a public administration can be sanctioned; this is for national law to determine, so there is a lot of variety between member states, whereas under the EUDPR the EDPS can impose administrative fines, for example upon the ECB. And then lastly, also for liability, the EUDPR does not specifically deal with non-compliance; it just states that those who have suffered material or non-material damage shall have a right to receive compensation, whereas the GDPR, and this was very well known in 2018, this was one of the things that the press focused on very much, has very detailed and far-reaching rules on compensation and liability, and also, interestingly, in the context of joint controllership agreements each controller or processor is held liable for the entire damage. And this is an important aspect, and this is not the case for the ECB, not falling under the GDPR. So this is another example of a scattered landscape of restrictions, and here the point I really wanted to make is that this raises questions about whether we really treat Union citizens equally when it is about the same personal data processed for the same purposes on the same individuals, and yet it is treated differently simply because of a different responsible entity. And obviously here my view is that I think further harmonisation would be beneficial from a practitioner's perspective.

Next slide please. Now, as Carolina mentioned at the outset, the GDPR was really meant to cut down red tape, and the principle of accountability places a lot of responsibility on the controller to make this very difficult balance between professional secrecy and data protection, and I think here the DPO plays a very important role. Now, I will not go into too much detail on the tasks of the DPO
I think half a century after the entry into force of the GDPR, I think the existence and the role of the DPO is acknowledged. The foremost is that we inform and advise; we also monitor compliance; I think data protection impact assessments are a very important tool to make those risk-based decisions; we are also the liaison to supervisory authorities; and this is again a difference with the GDPR: under the EUDPR a DPO also has investigative powers, which is not the case for DPOs under the GDPR. Now, given that the DPO is an important stakeholder to ensure that this right balance is struck in banking supervision, next slide please, the law has also provided for a number of safeguards. The first one is actually that the DPO shall be involved properly and in a timely manner. Now, that sounds very intuitive and I think everybody would agree, but practice of course is not always the same. This for example means that the DPO should be part of different working groups; for example, at the ECB the DPO is part of the operational risk committee or the project steering committee, and it's also important that the DPO participates in meetings of senior and middle management. This is the advice of the Article 29 Data Protection Working Party. Now, sometimes it's very obvious that the DPO needs to be consulted, for example in case of a data breach, where it's a legal obligation; sometimes it's less obvious, for example in banking supervision, when banking supervisors are planning to share credit quality review data from on-site inspections, or when they're considering using artificial intelligence for a SupTech initiative, or for example when wanting to use a public cloud for banking supervision. Now, the DPO provides an opinion; one doesn't have to follow the opinion, but also here the Article 29 Working Party made very clear that in case of disagreement it is recommended to document the reasons for not following DPO advice. There are a number of cases that we have seen in recent years: in Luxembourg, for example, a company was fined because the DPO was not sufficiently involved in the subsidiary company in Luxembourg; although the DPO participated in several meetings at group level, the DPO was not involved in a direct, formal and permanent manner at operational level at the Luxembourg company. Now, in case you're still not convinced to involve your DPO: it's not only an act of good administration, it can also pay off financially. The Italian DPA lowered the amount of a sanction because the controller had involved the DPO and complied in good faith with his or her opinion. Then finally there's also an interesting case by the Belgian data protection authority that the DPO must be consulted before a decision is made, and given the necessary time to make an independent data protection risk assessment, and must be informed of the final decision. But of course, and I want to emphasise it once again, the DPO is an advisor and is not responsible for the decision.

The next provision in the EUDPR and the GDPR is that the controller must support the DPO. Now, first of all, it needs to be supported with the most precious resource of our times, which is time. I think the time where DPOs could do their work part time is becoming less prevalent; I think most organisations have a full-time DPO, and we have seen in a 2020 report, where we interviewed all national central banks, that over half of the DPOs actually were a team, or the DPO was supported by a team. Now, what are the elements that determine the number of staff? It's first of all the level of risk to natural persons, and I think the number of DPIAs gives an idea: in banking supervision, for example, SupTech and fit and proper assessments are just two examples where we concluded DPIAs. It also depends on how sensitive your processing activity is, for example are you processing criminal records, which we do for fit and proper, and the quantity of processing activities: this 2020 report found that for some NCAs the number of processing activities varies between 16 and 550 processing activities across NCBs. And of course the number of cross-border transfers, because that has become, after the so-called Schrems II judgment, a very complicated and thorny issue. And lastly, what is also important is that the designation of the DPO is officially communicated to staff so that staff can contact them. Here an example from last year, where a Luxembourg public entity was fined because the contact details of the DPO were not easy to find and were only accessible in English, which of course in Luxembourg is not acceptable. The other element is that the DPO shall have access to personal data; that means not only support services such as human resources but also core business areas, for example those staff responsible for granting authorisation requests. I think having a good network and regular interchanges with colleagues across the organisation is key for successful data protection. The last element here is also that DPOs must be in a position to stay up to date about developments, and there are plenty: if you look at the docket of the Court of Justice, the number of cases on data protection is skyrocketing at the moment. And they must also be allowed to participate in the necessary training; in this 2020 report we found that only one-third of DPOs of NCBs and NCAs have actually been issued with a certification, so there's room for improvement. Now, the DPO shall also be independent, very important, and report directly to the highest management level; that is certainly the case here at the ECB. Also, the DPO is bound by secrecy and confidentiality; that's particularly important in case data subjects want to share or ask questions to the DPO. And finally, if the DPO has other tasks, they may not result in a conflict of interest. So, for example, what I know of, what we have seen in case law: somebody who's a DPO and an IT manager, that doesn't work; also somebody who's a director of audit or head of compliance and being DPO are also not possible; and, independent of the title, somebody who is actually tasked to delete personal data can also not be a DPO, because it's an operational task and that would undermine the independence. Next slide, please.

Which brings me to my last slide, and that is, very shortly, to wrap up with a case study to show how these restrictions and exceptions interact in a very concrete case. So imagine the ECB receives a whistleblowing report, which of course contains on the one hand personal data from the whistleblower him- or herself, as well as the names of potential wrongdoers. So the question is: do I need to inform the data subjects, and, on the other hand, can those data subjects, for example the suspected wrongdoer, actually ask to access their information? And here you see on the screen at least three, so two exceptions and one restriction, that could be invoked. The first one is of course that if we would do so, at least in the beginning, that is likely to render impossible or seriously impair the achievement of the objective of the whistleblower mechanism. Then of course it would also undermine the obligation that personal data must remain confidential. And last, we could invoke the restriction for the monitoring, inspection and regulatory function and, where applicable (this will not always be the case), the prevention, investigation, detection or prosecution of criminal offences, in case the whistleblowing report refers to a criminal offence. Now, what is very important: this is not something static, this is not a one-off decision. This is something that needs to be applied when received, and then it needs to be re-evaluated at regular times; the ECB restriction decision, for example, says every six months, because the exceptions and restrictions are a temporary measure, whereas the fundamental right to data protection of course is indefinite. Which brings me to the end of my presentation. The question was: data protection and banking supervision, is this water and fire? I believe that
there are sufficient options available to protect the need for secrecy and confidentiality in banking supervision, and that a balance can always be found. It is true that of course they pursue different interests, and one could obliterate the other, absolutely, but I think, like in real life with water and fire, you need them both, and when they complement each other their value is maximised.

Martin, thank you very much for this presentation, and in the real world I would now give all the presenters a big applause. So I give...

If you allow me, if you allow me, Claus, I'm sorry to come in, because I would like to make, if you allow me, some comments on one of the slides of Martin, where I'm not sure, because I think I do not fully agree. If you allow me, can we go back to the slide on the scattered landscape of...

I would say, well, then we come to this open question. I will make a few housekeeping remarks and then I give you the floor for the slide, and we can first go to that slide. Which slide is it?

Okay, because I thought we were finishing.

No, no questions now; now the interesting part is happening. We will ask the colleagues, and we have a few questions from the audience. And I don't know how you feel; this was intense, so we have perhaps a moment to breathe. Martin, thank you for ending on a positive note: there can always be struck a balance between data protection and the need to protect secrecy from the banking supervisor's perspective. Based on this I would now open the floor for the questions, and as I said, I will give it first to you. But for the housekeeping, to the colleagues who have not yet raised their hands: I think our colleagues here deserve a lot of thanks, although they made a lot of things very clear, but I'm sure there are still questions. You should do it now; a few colleagues have done so, but please feel free to do it now. And then, if you are given the floor, please unmute yourself, turn on the camera and wait a second before the line is there; then you can start speaking. And Karolina, now the floor is yours to start the discussion.

Well, I don't think it will be really like a discussion. I would like to allow myself to make some remarks on the slides concerning the scattered application of the restrictions. Now, I'm not sure we can... First of all, whatever concerns law enforcement activities is outside the scope of application of the EUDPR and of the GDPR, so there I don't think we can speak really about an unequal treatment from this point of view, because it's not covered by the same legislative framework. Now, indeed the Member States retained under Article 23 the possibility to further specify the application of the GDPR in specific areas; indeed there are some differences, but again they are framed, and they are framed by the same principles of the possibilities to restrict the application of the rights which were mentioned before. Finally, concerning the points on what is particularly problematic for joint controllership: the application of the one-stop shop and the possibility to have one lead authority in joint controllerships is not excluded. What I understood, Martin, is that you presumed that there will be several authorities which will need to... I don't think it's necessarily the case. I fully agree it will be very problematic to find it, but the lead authority guidelines do not exclude the possibility to apply the one-stop shop and the identification of the lead authority in such a setting. And again, I see your point, but the restrictions which are possible at the level of the Member States, when the Member States make use of Article 23, are very framed. Thank you very much; so this was just one small comment on this slide. Thank you.

Good.

No, I think, yeah, I agree, but just as one small point: of course, yes, the one-stop shop mechanism is fully acknowledged, but how would data protection authorities find out that one data subject has made requests or complaints vis-a-vis several data protection authorities? Would they always then decide to come together and take joint action? Something to be seen in practice. The point was at least that in theory this is possible, but I acknowledge all the other points; yes, it is always framed of course within the GDPR and is always framed by the case law of the Court of Justice.

Yeah, and concerning Article 26, the joint controllers are obliged to set up an arrangement, and in this arrangement they will need to identify the data protection authority, which of course does not allow them to contract out competent authorities, but when they are starting the processing and they are informing data subjects in the light of Articles 12, 13 and 14 GDPR... And well, this is particularly problematic in this setting, but in a fully regulated field, for European institutions, agencies and bodies, it's a little bit clearer that they indicate which is the competent authority, and then the authorities will be again cooperating and sending the complaints to each other.

Thank you both. As the Germans say, the devil lies in the detail, and the second thing you can see is that the experts can get into a deep discussion here, which shall not exclude more general questions. And let me therefore open the floor. I think the first person on our list is Antonio Sigourini. Antonio, if you could unmute and turn on the camera, and Antonio, we'd be happy to help you here, and then you could please ask your questions. The floor is yours.

Thank you, Claus. Indeed, I'm Antonio Sigourini; I work at the ECB in the Supervisory Law Division. I have first one question for Karolina, because I think you raised an interesting question during the presentation, which is why do we need a separate regulation on data protection only for the EU institutions? And to me, honestly, I don't have experience in this field of the law prior to today, it's still not entirely clear why this choice has been made by the legislator. I think had the legislator chosen to make one regulation for private entities and another regulation for public institutions, this would have been easier to understand, because of course one thing is processing data for business purposes, another thing is when this activity is conducted within a public interest mandate. But since we have really a distinct body of rules only applicable to EU institutions, I was wondering if you could share something more with us on why this has been necessary, and if you have in mind one or two concrete examples of points of regulation where there are differences that are really necessary in light of the peculiar nature of EU institutions. I also have a second question, which is more for Martin and Sandrine, because your last slide on the case of the whistleblower, the case study, made me think of one other, maybe similar, example, which is the case when we receive personal data from other EU supervisory authorities, or maybe even from other non-EU supervisory authorities. And in this case I think of course the need to protect the information is probably even higher, because if this is not the case, then, you know, the open exchange of information between supervisory authorities, which is essential to ensuring a common supervisory system in the EU and in general a good functioning of banking supervision, would be compromised. So I was wondering if you think one of the exceptions and restrictions you have described to us can help in these cases to avoid any obligation to inform the data subject and any obligation to disclose such information in case of a request for access, and if this could be not temporary but rather permanent, given this particular need to ensure that cooperation between administrations is made to the extent necessary. Thank you very much.

I think then, in the order you asked:
Karolina, may you start?

Well, I don't think I'll be able to add much more than what I said already before. This is the specificity of the tasks of the European institutions, agencies and bodies, and the fact that they work only on the basis of law or task, which is indeed something specific generally for public administration. But again, in order to cater then for all public administrations at the national level, this was not possible, so there would again be a general regulation; we would require another article along the lines of Article 23 of the GDPR, where the Member States would legislate and provide for additional restrictions or grounds for processing. So, well, this is it: the specificities and the needs of the European institutions, agencies and bodies were easier to embrace in one regulation. It was not economic from the legislative point of view to have then again something different for the private sector or something different for the public sector, when the public sector subject to the GDPR in any event will be working on the basis of law or task, and the Member States will be using Article 23 to put in there the specificities or the justifications. I think Martin's presentation was addressing these points very much, explaining what are the differences in the way certain rights can be exercised, because it caters already for the fact that the law will provide for the restrictions, and so there will be no individual assessment bearing in mind certain considerations. I hope it helps. Martin, I don't know whether you'd like to add to it.

Well, what I could add: of course, the most obvious example is that as an EU institution we need a separate supervisor; we cannot fall under a national supervisor. So this is definitely, I think, the most tangible example why at least a separate chapter or a separate regulation is needed. I think there are also simply some historic reasons for it. There was already Regulation 45/2001 in place, which was far more innovative than the Directive from '95; we had DPOs in EU institutions long before this was introduced by the GDPR. For the rest, and I think therefore also, remember the GDPR was one of the most lobbied, it was the most lobbied piece of EU legislation until that time, and I think they were just happy, you know, to have something in place and didn't want to put in an additional step of including also EU institutions. Of course this is not precluded in GDPR 2.0; you know, this discussion is probably open. And I think for law enforcement everybody's convinced: separate business case, separate rules; whereas an EU institution, from a railway agency to a medical agency to a central bank, it's a very different kind of animal. So there are definitely some downsides to it, but I must say that in practice of course the large majority of provisions of the EUDPR and the GDPR are the same, and the jurisprudence of the Court of Justice, even if it's on a GDPR case, of course applies mutatis mutandis to the EUDPR and to us as EU institutions. Then maybe I can just continue with your second question, which is about data flows and the interaction that banking supervisors have across borders. Now, we have to distinguish whether this takes place within the European Economic Area, because then actually data protection is really not an additional hurdle; but when personal data flows outside the EEA, then it either needs to be covered by a so-called adequacy decision, so then the European Commission has actually decided that there is an equivalent level of data protection available; this is the case for example for Canada, soon for South Korea and other countries; it is not the case anymore for the United States since the Schrems II judgment. If there is no such decision, then one needs to conclude so-called standard contractual clauses, SCCs, and then implement very concrete technical and organisational measures to protect personal data. Now of course your question is: shouldn't we permanently restrict the fact that, you know, the data subject is being informed or can access the data when you receive such personal data or provide it to another supervisory authority? And I would very vehemently say no, definitely not. We cannot have a permanent restriction, because the fundamental right to data protection is a fundamental right, so your starting point is always: you have data subject rights, and only under certain conditions can we temporarily restrict them. And I think the existing exceptions and restrictions would apply in exactly the same manner when you receive the personal data from another authority, because you process personal data as soon as you receive them. I would even argue, when personal data starts to flow, there is all the more reason that the data subject can actually control, or at least that there is transparency about, who processes personal data for what reasons. But again, if you receive personal data on, say, an ongoing investigation, I think the existing exceptions and restrictions would allow you to temporarily not grant access to such data. I don't know, Sandrine, if you would like to add something here.

Well, actually I had a question for you, because I'm thinking about information to the data subject when, let's say, the ECB receives information collected by a third party, so that we have this obligation. One of the exceptions is that we don't need to inform the data subject if the information that we received would be protected by professional secrecy. That kind of exception, is it permanent?

It's not permanent, because it always requires a balancing act. You always need to balance on the one hand the interest of the data subject, which for every request or every data subject might be different, and then why do you need professional secrecy. So as I said in our presentation, this is not a blank cheque of "we are protected by professional secrecy and therefore we will always decline any request". So it always requires this ad hoc, case-by-case assessment.

So if I understand well, it means that you have to periodically reassess if that information is still protected by professional secrecy.

Exactly, that is very true.

Which is, in a way, it coincides with the fact that in order to assess confidentiality under the Baumeister test you always assess confidentiality at the moment where you are asked or supposed to disclose the data. So if for instance you have information for 10 years, then you need to assess whether that information is still confidential. But then where we may meet is that the exception, applying an exception in that specific case, because otherwise, as I said, there's no general exception to professional secrecy, but in that specific case of information to the data subject, that we've received and we will process data that were collected from a third party, the exception is permanent, but it has to be periodically reassessed whether it still applies.

Exactly, because it could be that over time these reasons, you know, diminish. And also, maybe to put just an additional footnote here: it could also be that the data subject is entitled to know that the banking supervisor processes his or her data, but that actually the right of access to the data is temporarily restricted. So, you know, also within those data subject rights you need to make the assessment; so you could be transparent without giving access, for example.

And in the meantime we may have deleted the data; that could well be happening.

Yes, and this is one of my key pieces of advice to my colleagues in banking supervision: if you don't need it, delete it, because if you don't have it, you don't need to provide it, and that's your best insurance against data subject requests: data minimisation. With the bonus effect, of course, that also your risk of a data breach, which, you know, needs to be notified within 72 hours to your supervisor, of course also significantly reduces if you minimise to the strict
minimum the personal data you have.

Interesting discussion, and more a thought than a question, based on Antonio's question: perhaps you need also to think about our communication with other supervisors, because they may not always be aware that the data provided to us may end up at the data subject. So it's also something in expectation management, relationship management, that may need to be taken into account. Having said this, I have one more here on my list, or the first one on my list is Andreas Witte. Andreas, if you could unmute yourself, turn on the camera and then ask your question. And all the others, there's still room on our list.

Actually, the question would have been the same, so it has been answered already. It was about the parallelism of the EUDPR and the GDPR and whether that parallelism should be maintained in the long run, but I think we've covered that, so I think we're good. Thank you.

Okay, then going directly to the next one: Jan Bosch. Jan, are you there? If so, please unmute and turn on the camera, and the floor is yours.

Can you see me?

Yes, we can, very well.

Hi, thank you. Yes, so my question would be for Sandrine. I would go a bit with the court cases here: in UBS the Court clarified that in case there is a conflict between, on the one hand, professional secrecy and, on the other hand, the rights of defence and the right to access the file, it is for the competent authority to strike a balance between these opposing interests in light of the circumstances of the case. Considering that the right to data protection is also a fundamental right, can the same approach be envisaged when a data subject access request would impose to disclose information covered by professional secrecy and the exceptions or restrictions in the data protection framework would not be applicable?

I think there are two things. The first, your question is the parallelism with the case law of the Court concerning the rights of defence, and in particular as far as the right to access the file is an expression of the rights of defence, or is intended to protect the rights of defence. First, that fundamental right, the right to access the file, which is under the heading of the right to good administration in Article 41(2) of the Charter: professional secrecy is specifically identified as one of the limitations to the right to access the file. Second, concerning the idea that there could be a balancing exercise made by the controller between the interest of the data subject on the one hand to have the data, and the interest to continue protecting professional secrecy on the other hand: I think that one of the specificities of the data protection legislation, especially as far as the rights of data subjects are concerned, is that they do not need to demonstrate that they have an interest in their request; in a way the right is a bit objective, and I think that, Martin, you touched upon that issue. So you cannot reject a request of a data subject because you would think they don't have an interest, or the interest they state does not exist. I think what you can do is to say that you don't have the data, but that's about it. So in a way, then it's a little bit difficult to think of a balancing exercise between one right where you do not actually have to demonstrate an interest, and how can you balance different interests? And I think that in the case of data protection the respective interests in general, taken in the abstract, the respective interests of the data subjects on the one hand and the guardian of professional secrecy on the other hand, have been balanced by the legislator, notably in this Article 25 of the EUDPR, so the possibility to adopt restrictions to data subject rights. So that's one thing: the balancing has been done by the legislation. And since the legislator imposes that these restrictions are laid down in a legal act of general application, I think that's then again another element that distinguishes data protection from the exercise of the rights of defence: you cannot do an ad hoc assessment if the only way that you can impose restrictions is by adopting a legal act of general application. So I think that it would be really difficult to construe the same kind of exception, because of the particularities of the data protection framework. Martin, was that... with the general... yeah.

Excellent, thank you. Thank you, Jan, thank you very much; thank you for the discussions, for the answers. This is now the time where I do my hybrid applause to my panelists and our audience. You stayed with us; it was a very intense session. I hope it gave you some insights, food for thought, and I hope you now have a good lunch so that you bring both together, mind and body. Thank you very much, and to those who will stay with us, and in particular counting also those joining us remotely: for those who will stay with us, we will start at 2:30 again. Have a good break, thank you very much, goodbye.