EUROPEAN INVESTMENT BANK - DATA PROTECTION STATEMENT – EXTERNAL WHISTLEBLOWING REPORTING PLATFORM
1. Controller
This data protection statement provides information regarding the purpose of the processing carried out by the Investigations Division (IG/IN) of the European Investment Bank, hereafter the “EIB” or “we” in the course of receiving reports on breaches of EIB rules and policies in the context of the external whistleblowing reporting platform.
In the course of this activity the processing of personal data does not involve the existence of automated decision-making, including profiling.
2. Purpose of the processing
This data protection statement describes how the EIB, in the course of this activity, processes personal data relating to individuals who are reporting, or subject of a report received through the external whistleblowing reporting platform.
The EIB performs tasks in the exercise of the authority vested to it in accordance with the Provisions of the Treaties and its Statute.
The EIB processes your personal data as reasonably necessary so that it can conduct and manage receipt of whistleblowing reports in a reasonable and proper manner, in accordance with applicable law and regulations. Personal data are processed in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter, the EU DPR).
Specifically, EIB processes the personal data for the below purpose(s) as described in the record.
IG/IN is the controller of the external reporting platform and performs a preliminary review to identify the applicable policy for the facts reported on the platform.
On the basis of its mandate, IG/IN’s purpose of this specific processing activity is that of enabling investigation of the reported breaches according to EIB’s policies; to protect persons (Whistleblowers) reporting any illegal behavior, serious misconduct or infringement of the Bank’s rules, policies and guidelines, or action harmful for the Bank’s reputation or mission; to protect Whistleblowers against retaliation (through confidentiality of identity, entitlement to file a complaint if subject to any retaliation, disciplinary action); and to protect persons allegedly suspected of any of those acts.
3. Legal Basis of the processing
The legal basis for the processing operation is:
- Article 325 of the Treaty on the Functioning of the European Union (“TFEU”);
- Article 18 of the EIB Statute and articles 2 and 28 of the EIF Statutes;
- Regulation (EU, EURATOM) 2018/1046 of the European Parliament and of the Council;
- EIB Board of Governors Decision of 27 July 2004 concerning EIB’s cooperation with OLAF;
- EIB Group Anti-Fraud Policy;
- EIB Group Staff Code of Conduct;
- EIB Group Dignity at Work Policy;
- EIB Group Whistleblowing Policy.
4. Categories of data subjects
The following categories of individuals (data subjects) are/may be concerned by the processing under point 2 above:
EIB Group staff, borrowers, promoters, contractors, suppliers, beneficiaries, consultants, any other person participating or seeking to participate in the EIB Group projects or activities, or any other stakeholder, having reported or being suspected of any illegal behavior, serious misconduct or infringement of EIB’s rules, policies and guidelines, or of any action harmful for EIB’s reputation or mission.
5. What personal data do we process?
The use of the reporting system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we process the following personal data and information:
- Identification data of the subject;
- Case involvement data, such as allegations, summary of facts and evidence related to the Prohibited Conduct or any other misconduct involving the subject, statements and records made by or attributed to individuals in the context of an investigation, communications or notes mentioning the data subject in relation to the events under investigation, information concerning personal relationships;
- Professional data such as the positions, functions and organisations of an individual (current and history).
6. Where do we obtain your personal data?
The data is obtained from the data subjects reporting through the platform alleged breaches of the EIB Group Anti- Fraud Policy, EIB Group Dignity at Work Policy or EIB Group Staff Code of Conduct.
7. To whom is your data disclosed?
Within the EIB, the Investigations Division is responsible for handling reports submitted via the whistleblowing platform, and its members are bound by a strict confidentiality regime.
The EIB’s intent on providing the whistleblowing platform is to receive information concerning possible breaches of EIB’s Group Anti-Fraud Policy, EIB Group Dignity at Work Policy and EIB Group Staff Code of Conduct. Reports concerning the EIB Group Dignity at Work Policy and EIB Group Staff Code of Conduct will be shared with the relevant services within the EIB Group (HR and Office of the Group Chief Compliance Officer).
If the EIB receives reports unrelated to breaches of the relevant policies, but which nevertheless concern other tasks of the EIB Group, the information may be forwarded to the competent business area within the EIB Group. The EIB’s general data protection standards will apply.
In addition, information received from reports may be forwarded by the EIB to the EPPO, OLAF or other national and supranational authorities responsible for investigating prohibited conduct if the reports contain information that is relevant and necessary for the performance of the tasks of such authorities.
The data will also be processed by the external provider EQS Group AG/EQS Group AG via the whistleblowing platform. The data is processed via a private cloud storage system with secure servers located in Germany. Neither the external provider nor other third parties have access to decrypted information.
8. How long do we keep your personal data?
We keep your data only for as long as is necessary for the purposes described in this privacy statement and in line with the relevant policies.
Your personal data may be retained for at least five years and up to ten years after the closure of the investigation. For more specific information as to the period for which we will keep your personal data, please contact us (see the section headed "Contact us", below).
9. What are your rights and how can you exercise them?
Your rights are set out in sections 3 to 5 of the EU DPR.
- You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, if so, to access your personal data by contacting the controller or through the EIB DPO (right of access);
- You have the right to request the controller to rectify any inaccurate data and/or have incomplete personal data completed (right for rectification);
- You have the right to request the controller to erase your personal data as per Article 19 of the EU DPR (right to be forgotten);
- You have the right to request the controller to restrict the processing of your personal data in the following cases (right to restriction of processing):
(i) if you contest the accuracy of your data;
(ii) if the processing of the data is unlawful and you oppose to their erasure;
(iii) if the controller no longer needs the personal data referred to for the purposes of the processing but you require them for the establishment, exercise or defence of legal claims; or
(iv) if you have objected to the processing of your data and EIB seeks to establish whether the controller has legitimate grounds overriding your right to restriction. - You have the right to object to the processing of personal data, on grounds relating to your particular situation, unless EIB demonstrates compelling legitimate grounds for the processing of or for the establishment, exercise or defence of legal claims;
- You have the right to receive your personal data from the EIB in a structured, commonly used and machine-readable format to allow you to transmit your data to another controller without hindrance from the EIB (right to data portability);
- When the legal basis of the processing is the consent, the data subject has the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- You have the right to lodge a complaint with the European Data Protection Supervisor (www.edps.europa.eu) at any time (right to lodge a complaint).
10. Contact us
If you have any questions about our processing of your personal data, or wish to exercise any of the rights described above, please contact us: investigations@eib.org or the EIB's Data Protection Officer, Mr. Pelopidas Donos, by email at p.donos@eib.org or at the following address:
Mr. Pelopidas Donos
European Investment Bank
98-100 Boulevard Konrad Adenauer
L-2950 Luxembourg (Grand Duchy of Luxembourg)
11. Use of the reporting portal
Communication between your computer and the reporting system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the reporting system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a post-box within the reporting system that is secured with an individually chosen pseudonym/ username and password. This allows you to send reports to the responsible employee at EIB either by name or in an anonymous, safe way. This system only stores data inside the reporting system, which makes it particularly secure. It is not a form of regular e-mail communication.
When submitting a report or an addition, you can simultaneously send attachments to the responsible employee of EIB. If you wish to submit an anonymous report, please take note of the following security advice: files can contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
