Data Protection Statement for Investigations carried out by the Investigations Division

1. Controller

This data protection statement provides information regarding the purpose of the processing carried out by the EIB Group’s Investigations Division (“IG/IN”), hereafter the “EIB” or “we” in the course of Investigations conducted for the purpose of detecting and preventing fraud, corruption and any other prohibited conduct affecting EIB Group’s activities.

In the course of this activity the processing of personal data does not involve the existence of automated decision-making, including profiling. 

2. Purpose of the processing

This data protection statement provides information regarding the purpose of the processing carried out by the EIB in the course of investigations of prohibited conduct and other types of misconduct. The EIB performs tasks in the exercise of the authority vested to it in accordance with the Provisions of the Treaties and its Statute.

The EIB processes your personal data as necessary so that it can conduct and manage investigations, in a reasonable and proper manner, in accordance with applicable laws and regulations. Personal data are processed in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter, the EU DPR).

Specifically, EIB processes the personal data for the below purpose(s) as described in the record:

IG/IN investigates credible allegations of prohibited conduct on EIB Group-financed operations and carries out Proactive Integrity Reviews (PIRs) on any EIB Group operation or activity as defined in the EIB Group Anti-fraud Policy. Upon request, IG/IN conducts internal investigations on alleged breaches of the EIB Group Staff Code of Conduct and the EIB Group Dignity at Work Policy. IG/IN conducts its investigations on the basis of the EIB Investigation Procedures. Investigations run by IG/IN are administrative investigations.

3. Legal Basis of the processing

The legal basis of the processing operation is:

• Article 325 of the Treaty on the Functioning of the European Union (TFEU);
• Article 18 of the EIB Statute and Articles 2 and 28 of the EIF Statutes;Regulation (EU, Euratom) 2018/1046 of 18 July 2018;
• EIB Board of Governors’ Decision of 27 July 2004 concerning the EIB’s cooperation with OLAF;
• EIB Group Anti-fraud Policy;
• EIB Group Fraud Investigations Division Charter.

Additional EIB Policies of relevance are:

• Guide to Procurement for projects financed by the EIB 
• European Investment Bank Group Whistleblowing Policy
• EIB Group Dignity at Work Policy
• EIB Group Staff Code of Conduct
• EIB Exclusion Policy

4. Categories of data subjects

The following categories of individuals (data subjects) are/may be concerned by the processing under section 2 above:

Data subjects concerned: - Individuals who are involved in a case under investigation or under a PIR by the EIB; - Individuals who have a relation with the individual designated as part of an EIB Group investigation; - Individuals registered in the Commission’s Early Detection and Exclusion System (EDES).

Other categories of data subjects: - Promoters, borrowers, contractors, suppliers, beneficiaries, consultants, intermediaries, agents, advisers or other interested parties in an EIB Group-financed project and the affiliates of the above; - Tenderers, contractors, suppliers, service providers and other persons or entities procured by the EIB Group for its own account and their subcontractors, if any; - EIB Group members of governing bodies and staff.

5. What personal data do we process?

In the context of its investigations, IG/IN collects identification data, professional data and case involvement data. This data may be used to assess allegations of prohibited conduct and determine whether any misconduct or wrongdoing was committed. It may also be used for contact purposes.

Specifically, the categories of data processed may comprise:

• Identification data of the subject;
• Case involvement data, such as allegations, summary of facts and evidence related to the prohibited conduct or other misconduct involving the subject, statements and records made by or attributed to individuals in the context of an investigation or a PIR, communications or notes mentioning the data subject in relation to the events under investigation, information concerning personal relationships;
• Professional data such as the positions, functions and organisations of an individual (current and history);
• Any exclusion/debarment decisions relating to the subject of investigation and references to the authority that issued the exclusion/debarment decision.

6. Where do we obtain your personal data?

The data may be collected on the basis of a report by an EIB Group staff member or an external informant, including anonymous or confidential sources, on the basis of publicly available information and in the context of PIRs as foreseen by art 62 and 63 of the EIB Group Anti-fraud Policy. The data may be collected by any of the means provided in the EIB Group Anti-fraud Policy including by accessing any relevant information, documentation and premises of the EIB Group and/or the projects financed by the EIB Group, and by asking oral information from any relevant person.

7. To whom is your data disclosed?

Responsible IG/IN staff has access to your data. In addition, your data may be transferred to designated persons within the EIB Group as well as EU institutions, bodies, offices and agencies, international organisations and/or the relevant authorities in Member States, candidate countries or third countries in order to ensure the appropriate conduct of the investigation and in compliance with Articles 4 to 6, 9 to 11, and 47 to 50 of Regulation (EU) 2018/1725. 

Any data collected can be provided to or accessed by authorities foreseen by law (EPPO/OLAF/ECA/EDPS/OMBUDSMAN/CJEU/national Courts). Public authorities which may receive personal data in the framework of a particular investigation in accordance with Union or Member State law shall not be regarded as recipients. The processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

8. International Transfers

Your data may be transferred to entities established outside the EU or the European Economic Area as per section 7) above and the below safeguards are in place:

Derogations and / or Memoranda of Understanding between EIB and third countries (Regulation (EU) 2018/1725), Articles 47, 48 and 50d), e).

9. How long do we keep your personal data?

We keep your data only for as long as is necessary for the purposes described in this data protection statement and in line with the relevant policies. Your personal data may be retained in IG/IN’s case files for at least five years and up to ten years after the closure of the investigation. If the related allegations were not substantiated, your personal data may be retained for a maximum of five years from the closure of the case.

10. What are your rights and how can you exercise them?

Your rights are set out in sections 3 to 5 of the EU DPR.

• You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, if so, to access your personal data by contacting the Controller or through the EIB DPO (right of access);
• You have the right to request the controller to rectify any inaccurate data and/or have incomplete personal data completed (right for rectification);
• You have the right to request the controller to erase your personal data as per Article 19 of the EU DPR (right to be forgotten);
• You have the right to request the controller to restrict the processing of your personal data in the following cases (right to restriction of processing):
  • (i) if you contest the accuracy of your data;
  • (ii) if the processing of the data is unlawful and you oppose to their erasure;
  • (iii) if the controller no longer needs the personal data referred to for the purposes of the processing but you require them for the establishment, exercise or defence of legal claims; or
  • (iv) if you have objected to the processing of your data and EIB seeks to establish whether the controller has legitimate grounds overriding yours right to restriction.
• You have the right to object to the processing of personal data, on grounds relating to your particular situation, unless EIB demonstrates compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims;
• You have the right to receive your personal data from the EIB in a structured, commonly used and machine-readable format to allow you to transmit your data to another controller without hindrance from the EIB (right to data portability);
• When the legal basis of the processing is the consent, data subject has the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
• Exceptions and restrictions under Article 25 of Regulation (EU) 2018/1725 and relevant EIB decision may apply to EIB investigations. The relevant EIB decision is available HERE
• You have the right to lodge a complaint with the European Data Protection Supervisor (www.edps.europa.eu) at any time (right to lodge a complaint).

11. Contact us

If you have any questions about our processing of your personal data, or wish to exercise any of the rights described above, please contact us: Investigations@eib.org or the EIB's Data Protection Officer, Mr. Pelopidas Donos, by email at p.donos@eib.org or at the following address:

Mr. Pelopidas Donos, European Investment Bank
98-100 Boulevard Konrad Adenauer, L-2950 Luxembourg (Grand Duchy of Luxembourg)