OPINION OF THE EUROPEAN DATA PROTECTION
SUPERVISOR (EDPS).
The proposal on structural measures improving the
resilience of EU credit institutions and on the proposal on the reporting and transparency of
securities financing transactions form part of
the wide-ranging overhaul of financial regulation and supervision
which the EU has undertaken since the onset of the financial
crisis.
Each proposal involves the processing of personal data
including the publication of details about individuals who have
been subject to sanctions for breaches of the proposed
rules.
The EDPS regrets that he was not consulted prior to
the adoption of the proposals. He recognises the legitimate public
policy goal behind these proposals, and welcomes the fact that some
data protection safeguards are envisaged.
However, the EDPS recommends a fuller integration
of respect for the rights to privacy and the protection of personal
data by means of the following changes:
- the inclusion of a general provision for all
processing of personal data;
- an appropriate maximum term in the proposal on
transparency of securities financing transactions (SFTs) for
personal information to be retained by counterparties to an
SFT;
- regarding the provisions derogating from the
obligation for confidentiality and professional secrecy in the
proposal on transparency of SFTs: (i) clarification on whether or
not personal data are within the scope of this derogation, and if
so, the inclusion of a statement that those data may only be
processed for compatible purposes and in accordance with applicable
data protection rules; (ii) clarification whether personal data
transfers to third countries are envisaged;
- clarifying that the power to issue a public
warning about identified individuals should not be exercised
automatically but rather only on a case by case basis and where
appropriate and proportionate;
- regarding the provisions for publication of
sanctions: (i) the inclusion of a requirement in both
regulations to consider separately each case and its particular
circumstances on the basis of necessity and proportionality prior
to any decision to publish the identity of the person subject to a
sanction; and (ii) specifying a maximum retention period for
personal data published as part of information on sanction
decisions on competent authorities' websites.