Privacy statement for the Securities Financing Transactions Data Store (SFTDS) project
Data Protection legal framework applicable to the European Central Bank
All personal data are processed in accordance with EU Data Protection Law, i.e. in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
The European Central Bank as controller of processing personal data
The European Central Bank (ECB) is the controller for the processing of the personal data jointly with seven SFTDS member national central banks (NCBs) (Nationale Bank van België/Banque Nationale de Belgique, Deutsche Bundesbank, Banco de España, Banque de France, Banca d’Italia, Banque Centrale du Luxembourg and De Nederlandsche Bank). A memorandum of understanding has been signed between these parties, in the light of the joint controllership, governing the relevant responsibilities in the context of processing personal data and corresponding requests. The Directorate General Macroprudential Policy and Financial Stability is responsible for the processing of data within the ECB.
Purposes of processing personal data
The SFTDS project implements a single securities financing transactions (SFT) data store, which is expected to deliver important benefits for the ECB and the Eurosystem. In particular, the SFTDS would enhance capabilities for market finance monitoring and financial stability analysis. The SFTDS is being undertaken as an ECB project, in close cooperation with seven euro area NCBs.
While the occurrence of personal data in individual SFTs is highly unlikely, the possibility that the data store may contain personal data cannot be fully excluded. SFTs are typically conducted by financial corporations and to a lesser degree by non-financial corporations. However, there is a possibility that an individual person might conduct an SFT, as indicated in Regulation (EU) 2015/2365 (SFT Regulation); see Article 3(5)(a) explicitly referring to “natural persons”. Whereas corporations should be identified by a legal entity identifier (LEI), they could in exceptional cases be reported under a bank identifier code (BIC) or client ID. In the case of a natural person, a client ID should be used. In the unlikely case that a natural person’s name were to be reported directly or a code were to be used that allowed a person to be identified, this information would be included in the SFTDS. The data store will receive and retain all the granular raw data contained in the files compiled by trade repositories and may therefore contain such personal information.
Legal basis of processing operations
Your personal data are being processed by the ECB:
- for the performance of a task carried out in the public interest, based on Article 5(1)(a) of Regulation (EU) 2018/1725 in conjunction with Article 127(5) of the Treaty on the Functioning of the European Union in conjunction with Article 5 of the Protocol on the Statute of the European System of Central Banks and of the European Central Bank, Article 12(2) and (3) of the SFT Regulation and Commission Delegated Regulation (EU) 2019/357.
Categories of data processed by the ECB
The ECB processes the following personal data:
- client ID, which could in theory contain personal details (such as name and address);
- details of an SFT relating to a data subject which have been obtained from designated trade repositories in accordance with Article 12(2) of the SFT Regulation.
Recipients of the personal data
The recipients of the data are designated staff of the ECB and of SFTDS member NCBs.
Time limits for storing personal data
The personal data are stored for a maximum of five years and are deleted or properly anonymised thereafter.
Data subject rights
You have the right to access your personal data and correct any data that are inaccurate or incomplete. You also have (with some limitations) the rights to:
- delete your personal data;
- restrict or object to the processing of your personal data
in accordance with the relevant provisions of Regulation (EU) 2018/1725.
Contact Information for queries and requests
Addressing the European Data Protection Supervisor
You have the right to lodge a complaint with the European Data Protection Supervisor at any time if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data.