Privacy Statement for the processing of personal data related to the selection of candidates for appointment to the Advisory Scientific Committee

1. Data protection legal framework applicable to the European Systemic Risk Board

The European Systemic Risk Board (ESRB) is subject to and processes personal data in accordance with EU Data Protection Law.^[1]

Regulation (EU) 2018/1725

2. The European Systemic Risk Board as controller of processing personal data

For the purposes of Regulation (EU) 2018/1725, the ESRB is the controller for the processing of personal data related to the call for expressions of interest from external experts to be appointed as members of the Advisory Scientific Committee (ASC) of the ESRB. The ESRB Secretariat is the organisational unit responsible for processing these data.

3. Purposes for processing personal data by the European Systemic Risk Board.

The ESRB collects and processes personal data for the purposes of (i) selecting candidates for appointment to the ASC, in accordance with Article 12 of Regulation (EU) No 1092/2010^[2] , Article 11 of Decision ESRB/2011/1^[3] and Decision ESRB/2011/2^[4] , and (ii) selecting candidates for inclusion in the reserve list provided for in Article 4 of Decision ESRB/2011/2.

4. Lawfulness of the European Systemic Risk Board’s data processing operations

The legal basis for processing your personal data is Article 5.1(a) and (d) of Regulation (EU) 2018/1725 for the appointment and the selection of the members of the ASC respectively. By answering the call for expressions of interest for appointment to the ASC, data subjects consent to the collection and processing of their personal data when submitting their application. Candidates may withdraw that consent at any time by contacting info@esrb.europa.eu . Any further processing of personal information will cease once consent has been withdrawn. Processing of personal data that took place prior to a withdrawal of consent will remain lawful.

5. Categories of personal data processed by the European Systemic Risk Board:

The following categories of personal data may be processed in relation to the selection of candidates for appointment to the ASC:

• personal details (e.g. full name, date of birth, ID/passport number);
• contact details (e.g. email address, postal address, business/mobile telephone number, fax number);
• education and training details; (e.g. expertise, technical skills, languages, educational background, professional experience, test results);
• employment details (e.g. company, organisational unit, your position/function);
• financial details (e.g. bank account details, VAT number);
• family, lifestyle and social circumstances (e.g. declarations of honour, certificates for social security contributions and taxes paid, extracts from judicial records);
• trade union membership: Article 12(1) of Regulation (EU) No 1092/2010 and Article 3 of Decision ESRB/2011/2 require ASC members to be selected on the basis of their general competence and diverse experience in academic fields or other sectors, in particular SMEs or trade unions, or as providers or consumers of financial services. Accordingly in their application form, applicants are required to provide information on any skills and/or experience in relevant academic fields or other sectors, in particular in small and medium-sized enterprises or trade-unions, or as providers or consumers of financial services.

6. Access to personal data collected and processed by the European Systemic Risk Board

Access to personal data is given to the following persons:

• the ad hoc review panel for the pre-selection which is composed of senior staff level representatives of national central banks of the Member States, which are institutions from which the ESRB draws its members of the General Board and representatives from the ESRB Secretariat;
• the Steering Committee;
• the General Board.

7. Retention periods for personal data

Personal data of successfully selected candidates for appointment to the ASC are retained by the ESRB Secretariat for a period of 5 years after the expiry of their mandate.

Personal data of candidates on the reserve list are retained for a period of 2 years from approval of the reserve list, the validity of which may be extended until a new call for expressions of interest is published.

Personal data of unsuccessful candidates are retained for a period of 2 years following completion of the selection procedure.

Personal data of unsuccessful candidates are retained for a period of 2 years following completion of the selection procedure.

In the event of a legal dispute, any retention period referred to in this section will be extended for 2 years after completion of all relevant legal proceedings.

8. Your rights as a data subject

You have the right to access your personal data and correct any data that is inaccurate or incomplete. You have also the right to delete your personal data, to restrict or object to the processing of your personal data in accordance with Regulation (EU) 2018/1725.

9. Contact information in case of queries and requests

For more information or to exercise your rights as referred to in section 8, please contact info@esrb.europa.eu . For all queries relating to personal data, please contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu .

10. Addressing the European Data Protection Supervisor

If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time. European Data Protection Supervisor at any time.

11. Changes to this Privacy Statement

This Privacy Statement may be changed to take into account new legal developments.