Erscheinung:19.02.2019 | Topic Compliance Information on data processing regarding the fit and proper assessment of members of the management board (WA)
The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) processes personal data to meet its legal and (pre-)contractual obligations. This also includes data which BaFin collected from you. To promote awareness regarding data processing and your rights and to comply with our duty to provide information in accordance with Article 13 and Article 14 of the EU General Data Protection Regulation (GDPR), BaFin informs you as follows:
1. Contact details for BaFin and BaFin’s Data Protection Officer
Bundesanstalt für Finanzdienstleistungsaufsicht
Graurheindorfer Str. 108
53117 Bonn
Postfach 1253
53002 Bonn
Phone: +49 (0) 228-4108–0
Fax: +49 (0) 228-4108–1550
E-mail: poststelle@bafin.de or De-mail: poststelle@bafin.de-mail.de
BaFin’s Data Protection Officer can be reached at: datenschutz@bafin.de
2. Purpose of processing
Fit and proper assessment of the person concerned with regard to the duties of a member of the management board.
3. Legal basis for the processing of data
Article 5 of Commission Implementing Regulation (EU) 2017/1945, Article 4 of Commission Delegated Regulation (EU) 2017/1943, section 24 (1) no. 1 of the German Banking Act (Kreditwesengesetz – KWG) and section 24 (1) no. 2 of the KWG (if a management board member retires) in conjunction with section 1 (2) and sections 5 et seq. of the German Reports Regulation (Anzeigenverordnung).
4. Categories of processed personal data
The personal data held about you include:
Names, date of birth, address details, contact details, details concerning reputation, professional qualifications/CV, details concerning further activities and available time.
5. Intention to transfer the personal data to recipients in a third country or to an international organisation
BaFin does not intend to transfer your data to a recipient in a third country (non-EU member states and countries outside the European Economic Area) or to an international organisation.
6. Recipient of data
The data are processed within BaFin by the employees responsible for the fit and proper assessment. In addition, the data are transmitted to the Deutsche Bundesbank in the context of joint supervision.
7. Time period for storing your data
10 years after your authorisation expires; in the event of a supervisory board member’s retirement from the supervisory board, 2 years after their retirement.
8. Your rights as a data subject
In principle, as a data subject, you have the right of access to personal data (Article 15 of the GDPR), the right to rectification (Article 16 of the GDPR), the right to erasure (Article 17 of the GDPR) and the right to restriction of processing (Article 18 of the GDPR), the right to data portability (Article 20 of the GDPR) and the right to object to the processing (Article 21 of the GDPR). Moreover, you have a right to lodge a complaint with the data protection authority competent for BaFin, i.e. the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte(r) für den Datenschutz und die Informationsfreiheit).
9. Automated individual decision-making, including profiling
There is no automated individual decision-making.
10. Source of personal data
To the extent the personal data is not provided by you as the applicant, the applying institution or its legal representative is the source of your personal data.
11. Basis for the provision of your data and consequences in the event of failure to provide your personal data
Article 5 of Commission Implementing Regulation (EU) 2017/1945, Article 4 of Commission Delegated Regulation (EU) 2017/1943, section 24 (1) no. 1 (or no. 2 if a management board member retires) of the KWG and in conjunction with sections 1 (2) and 5 et seq. of the German Reports Regulation.
The information is mandatory. A culpable violation of the notification obligations of a member of the management board under the KWG is an administrative offence that may be punished with a fine of up to one hundred thousand euros (section 56 (2) no. 1i and (6) no. 4 of the KWG). In individual cases, the violation of notification obligations may lead to measures in accordance with section 36 (2) of the KWG.