EUROPEAN INVESTMENT BANK - PRIVACY STATEMENT – EXTERNAL WHISTLEBLOWING REPORTING PLATFORM
1. Description of the processing operation
This privacy statement provides information regarding the processing of personal data carried out by the European Investment Bank in the course of receiving reports on breaches of EIB rules and policies in the context of the external whistleblowing reporting platform.
It describes how the EIB, in the course of those activities, processes personal data relating to individuals who are reporting, or who are the subject of a report received, through the External Whistleblowing Reporting Platform.
2. Legal basis and the controller
Personal data are processed by the EIB (“EIB” or “responsible Controller inside the EIB”) in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
In accordance with Article 309 of the Treaty on the Functioning of the European Union, the task of the European Investment Bank shall be to contribute, by having recourse to the capital market and utilising its own resources, to the balanced and steady development of the internal market in the interest of the Union.
The data processing is necessary so that the EIB can carry out its tasks in the public interest in investigating possible breaches of its policies based on reports received from Whistleblowers. In some cases, processing is also necessary so that the EIB can comply with its legal obligations. In particular, the processing in the course of this activity relies on the EIB Policies:
- Whistleblowing Policy
- Anti-Fraud Policy
- Dignity at Work Policy
- Codes of Conduct
The reporting system is operated by a specialised company, Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of EIB. This company does not have access to the data.
3. Why do we process your personal data
The EIB processes your personal data as reasonably necessary so that it can conduct and manage receipt of Whistleblowing reports in a reasonable and proper manner, in accordance with applicable law and regulation. Specifically, we process your personal data for the following purposes:
IG/IN investigates credible allegations of Prohibited Conduct in EIB-financed operations as such term is defined in the EIB Anti-fraud Policy.
Data is to be processed and may only be used for the purpose of investigating individuals, organisations, firms or other entities found to have engaged in Prohibited Conduct and implementing the relevant recommendations issued by the competent investigators of IG/IN.
On the basis of its mandate, IG/IN’s purpose in this specific processing activity is to enable investigation of the reported breaches according to EIB’s policies (Anti-Fraud Policy, Dignity at Work Policy, Codes of Conduct); to protect persons (Whistleblowers) reporting any illegal behavior, serious misconduct or infringement of the Bank’s rules, policies and guidelines, or action harmful for the Bank’s reputation or mission; to protect Whistleblowers against retaliation (through confidentiality of identity, entitlement to file a complaint if subject to any retaliation, disciplinary action); and to protect persons allegedly suspected of any of those acts.
Investigation of breaches of the following EIB Policies:
- Article 325 of the Treaty on the Functioning of the European Union (“TFEU”);
- Article 18 of the EIB Statute and articles 2 and 28 of the EIF Statutes;
- Regulation (EU, EURATOM) 2018/1046 of the European Parliament and of the Council;
- EIB Board of Governors Decision of 27 July 2004 concerning EIB’s cooperation with OLAF;
- Policy on preventing and deterring prohibited conduct in European Investment Bank activities and Policy on preventing and deterring prohibited conduct in European Investment Fund activities (“EIB Group Anti-Fraud Policy” – https://www.eib.org/en/publications/anti-fraud-policy).
- EIB Group Dignity at Work Policy (https://www.eib.org/en/publications/dignity-at-work-policy)
- EIB Group Staff Code of Conduct (https://www.eib.org/en/publications/eib-group-staff-code-of-conduct)
4. What personal data do we process?
Use of the reporting system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information:
- Identification data of the subject (generally provided by EIB project promoters, borrowers and other interested parties);
- Case involvement data, such as allegations, summary of facts and evidence related to the Prohibited Conduct involving the subject, statements and records made by or attributed to individuals in the context of an investigation, communications or notes mentioning the data subject in relation to the events under investigation, information concerning personal relationships (collected by IG/IN in accordance with EDPS opinion of 14 October 2010 on procedures related to fraud investigation in the EIB Group, Ref. C 2009-0459);
- Professional data such as the positions, functions and organisations of an individual (current and history).
- Recommendations of IG/IN investigators;
- Decisions of the EIB Management Committee in connection with investigations.
- Any exclusion/debarment decisions relating to the subject of investigation and references to the authority that issued the exclusion/debarment decision.
5. Where do we obtain your personal data?
The data is obtained from the data subjects reporting through the platform alleged breaches of the Anti-Fraud Policy, Dignity at Work Policy or Codes of Conduct.
6. To whom is your data disclosed?
The EIB is the controller for the processing of personal data collected via the whistleblowing platform from the whistleblowers, and the Investigation Division within the EIB’s Inspectorate General is the organisational unit responsible for processing these data.
Within the EIB, the Investigations Division is responsible for handling reports submitted via the whistleblowing platform, and its members are bound by a strict confidentiality regime.
The EIB’s intent in providing the whistleblowing platform is only to receive information concerning possible breaches of EIB’s Anti-Fraud Policy, Dignity at Work Policy and Codes of Conduct. Reports concerning the Dignity at Work Policy will be shared with the Director of Personnel. Reports concerning the Codes of Conduct will be shared with the Chief Compliance Officer.
If the EIB receives reports unrelated to breaches of the relevant policies, but which nevertheless concern other tasks of the EIB, the information may be forwarded to the competent business area within the EIB. The EIB’s general data protection standards will apply.
In addition, information received from reports may be forwarded by the EIB to the EPPO, OLAF or other national and supranational authorities responsible for investigating prohibited conduct if the reports contain information that is relevant and necessary for the performance of the tasks of such authorities.
The data will also be processed by the external provider: Business Keeper GmbH/EQS Group AG via the whistleblowing platform. The data is processed via a private cloud storage system with secure servers located in Germany. Neither the external provider nor other third parties have access to decrypted information.
7. How long do we keep your personal data?
We keep your data only for as long as is necessary for the purposes described in this privacy statement. Your personal data may be retained for at least five years and up to ten years after the closure of the investigation. For more specific information as to the period for which we will keep your personal data, please contact us (see the section headed "Contact us", below).
8. What are your rights and how can you exercise them?
Your rights are set out in the Regulation (EU) No 2018/1725.
You have the right to ask us to (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also object to our processing of your personal data.
You can also lodge a complaint about our processing of your personal data with the European Data Protection Supervisor (email@example.com) at any time if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the EIB.
9. Contact us
If you have any questions about our processing of your personal data, or wish to exercise any of the rights described above, please contact us: firstname.lastname@example.org or the EIB's Data Protection Officer, Mr. Pelopidas Donos, by email at email@example.com or at the following address:
Mr. Pelopidas Donos
European Investment Bank
98-100 Boulevard Konrad Adenauer
L-2950 Luxembourg (Grand Duchy of Luxembourg)
10. Use of the reporting portal
Communication between your computer and the reporting system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the reporting system. In order to maintain the connection between your computer and the BKMS® Incident Reporting, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a post-box within the reporting system that is secured with an individually chosen pseudonym/user name and password. This allows you to send reports to the responsible employee at EIB either by name or in an anonymous, safe way. This system only stores data inside the reporting system, which makes it particularly secure. It is not a form of regular e-mail communication.
When submitting a report or an addition, you can simultaneously send attachments to the responsible employee of EIB. If you wish to submit an anonymous report, please take note of the following security advice: Files can contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.