Structural measures improving the resilience of EU credit institutions

2014/0020(COD)

OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR (EDPS).

The proposal on structural measures improving the resilience of EU credit institutions and on the proposal on the reporting and transparency of securities financing transactions form part of the wide-ranging overhaul of financial regulation and supervision which the EU has undertaken since the onset of the financial crisis.

Each proposal involves the processing of personal data including the publication of details about individuals who have been subject to sanctions for breaches of the proposed rules.

The EDPS regrets that he was not consulted prior to the adoption of the proposals. He recognises the legitimate public policy goal behind these proposals, and welcomes the fact that some data protection safeguards are envisaged.

However, the EDPS recommends a fuller integration of respect for the rights to privacy and the protection of personal data by means of the following changes:

  • the inclusion of a general provision for all processing of personal data;
  • an appropriate maximum term in the proposal on transparency of securities financing transactions (SFTs) for personal information to be retained by counterparties to an SFT;
  • regarding the provisions derogating from the obligation for confidentiality and professional secrecy in the proposal on transparency of SFTs: (i) clarification on whether or not personal data are within the scope of this derogation, and if so, the inclusion of a statement that those data may only be processed for compatible purposes and in accordance with applicable data protection rules; (ii) clarification whether personal data transfers to third countries are envisaged;
  • clarifying that the power to issue a public warning about identified individuals should not be exercised automatically but rather only on a case by case basis and where appropriate and proportionate;
  • regarding the provisions for publication of sanctions: (i) the inclusion of a requirement in both regulations to consider separately each case and its particular circumstances on the basis of necessity and proportionality prior to any decision to publish the identity of the person subject to a sanction; and (ii) specifying a maximum retention period for personal data published as part of information on sanction decisions on competent authorities' websites.