Guideline (EU) 2016/256 of the European Central Bank of 5 February 2016 concernin... (32016O0001)
EU - Rechtsakte: 01 General, financial and institutional matters

GUIDELINE (EU) 2016/256 OF THE EUROPEAN CENTRAL BANK

of 5 February 2016

concerning the extension of common rules and minimum standards to protect the confidentiality of the statistical information collected by the European Central Bank assisted by the national central banks to national competent authorities of participating Member States and to the European Central Bank in its supervisory functions (ECB/2016/1)

THE GOVERNING COUNCIL OF THE EUROPEAN CENTRAL BANK,
Having regard to the Treaty on the Functioning of the European Union and in particular Article 127(6) thereof,
Having regard to Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions(1), and in particular Article 6(1) in conjunction with Article 6(7) thereof,
Whereas:
(1) Article 5.1 of the Statute of the European System of Central Banks and of the European Central Bank requires the European Central Bank (ECB), assisted by the national central banks (NCBs), to collect either from the competent national authorities or directly from economic agents the statistical information which is necessary to undertake the tasks of the European System of Central Banks (ESCB).
(2) Article 8(3) of Council Regulation (EC) No 2533/98(2) requires the ESCB members to take all the necessary regulatory, administrative, technical and organisational measures to ensure the physical and logical protection of confidential statistical information. To this end, the ECB must define common rules and implement minimum standards to prevent unlawful disclosure and unauthorised use of confidential statistical information.
(3) Guideline ECB/1998/NP28 of the European Central Bank(3) establishes the common rules and minimum standards required by Article 8(3) of Regulation (EC) No 2533/98, which ensure a basic level of protection of confidential statistical information collected by the ECB.
(4) Following the establishment of the Single Supervisory Mechanism (SSM), Council Regulation (EU) 2015/373(4) amended Article 8(1)(d) and Article 8(4) of Regulation (EC) No 2533/98 allowing the transmission and use of confidential statistical information, for the performance of tasks in the field of prudential supervision given to the members of the ESCB. The processing of confidential statistical information by the members of the ESCB should be subject to appropriate protection of confidentiality, as required under Article 8(3) of Regulation (EC) No 2533/98.
(5) Furthermore, Regulation (EU) 2015/373 inserted a new Article 8(4a) into Regulation (EC) No 2533/98 which allows the ESCB to transmit confidential statistical information to authorities or bodies of the Member States responsible for the supervision of financial institutions, markets and infrastructures to the extent and at the level of detail necessary for the performance of their respective tasks. The authorities or bodies receiving confidential statistical information should take all the necessary regulatory, administrative, technical and organisational measures to ensure the physical and logical protection of confidential statistical information.
(6) Guideline ECB/1998/NP28 specifies obligations of the members of the ESCB with regard to the handling of confidential statistical information with regard to their tasks outside the SSM. The same level of protection should be ensured in the transmission and subsequent use of confidential statistical information with regard to both national competent authorities (NCAs) of Member States participating in the SSM, including NCBs with regard to their function as NCAs, and the ECB in the performance of its tasks under Regulation (EU) No 1024/2013.
(7) Article 6(7) of Regulation (EU) No 1024/2013 empowers the ECB, in consultation with national competent authorities, and on the basis of a proposal from the Supervisory Board, to adopt and make public a framework to organise the practical arrangements for the implementation of that Article, which, inter alia, provides that the ECB is responsible for the effective and consistent functioning of the SSM,
HAS ADOPTED THIS GUIDELINE:

Article 1

Definitions

For the purposes of this Guideline, the following definitions shall apply:
(1) ‘confidential statistical information’ means statistical information which is defined as confidential in accordance with Article 1(12) of Regulation (EC) No 2533/98 and which has been collected in accordance with the provisions and for the purposes outlined in that Regulation;
(2) ‘protection measures’ means procedures appropriate for the protection, both logical and physical, of confidential statistical information;
(3) ‘logical protection measures’ means measures that prevent unauthorised access to confidential statistical information itself;
(4) ‘physical protection measures’ means measures that prevent unauthorised access to a physical area and physical media;
(5) ‘physical area’ means any part of a building in which are located the physical media on which confidential statistical information is stored or over which it is transmitted;
(6) ‘physical media’ means hard copies (paper) and computer equipment (including peripherals and storage devices) on which confidential statistical information is stored or processed;
(7) ‘national competent authority’ has the meaning given in Article 2(2) of Regulation (EU) No 1024/2013;
(8) ‘reporting agent’ has the meaning given in Article 1(2) of Regulation (EC) No 2533/98.

Article 2

Logical protection

1.   The ECB and the NCAs shall each define and implement authorisation rules and logical protection measures governing their staff's access to confidential statistical information.
2.   Without prejudice to the continuity of the system administration function, the minimum protection measure to be implemented shall be a unique user identifier and personalised password.
3.   All appropriate measures shall be taken to ensure that confidential statistical information is arranged in such a way that any published data covers at least three economic agents. Where one or two economic agents make up a sufficiently large proportion of any observation to make them indirectly identifiable, published data shall be arranged in such a way as to prevent their indirect identification. These rules shall not apply if the reporting agents or the other legal persons, natural persons, entities or branches that can be identified have explicitly given their consent to disclosure.

Article 3

Physical protection

The ECB and the NCAs shall each define and implement authorisation rules and physical protection measures governing their staff's access to any physical area, without prejudice to Article 4 of this Guideline.

Article 4

Third party access

In the event of any third party having access to confidential statistical information in line with Article 8(4a) of Regulation (EC) No 2533/98, the ECB and the NCAs shall ensure through appropriate means, where possible by way of a contract, that the confidentiality requirements as prescribed in Regulation (EC) No 2533/98 and in this Guideline are complied with by the third party.

Article 5

Data transmission and networks

1.   Where allowed by Article 8 of Regulation (EC) No 2533/98, confidential statistical information shall be transmitted
extra muros
electronically, following encryption.
2.   The ECB and the NCAs shall each define authorisation rules for such transmission of confidential statistical information.
3.   For internal networks, appropriate protection measures shall be taken to prevent unauthorised access.
4.   Interactive access to confidential statistical information from unsecured networks shall be prohibited.

Article 6

Documentation and staff awareness

The ECB and the NCAs shall ensure that all their rules and procedures relating to the protection of confidential statistical information are documented, and that this documentation is kept up to date. The staff involved shall be informed about the importance of the protection of confidential statistical information and kept up to date about all rules and procedures that affect their work.

Article 7

Reporting

1.   The NCAs shall inform the ECB at least once a year of any problems experienced since the last report, actions taken in response to these problems and planned improvements with regard to the protection of confidential statistical information. The ECB shall also draw up a report covering the same issues at least once a year.
2.   The Governing Council shall assess the implementation of this Guideline at least once a year. In preparation for that assessment, the ECB shall be informed of the authorisation rules and types of protection measures applied by the NCAs as referred to in Articles 2, 3 and 5 of this Guideline. The ECB shall report to the Governing Council on the application of those rules and protection measures by both the NCAs and the ECB.

Article 8

Taking effect and implementation

1.   This Guideline shall take effect on the twentieth day following that of its publication in the
Official Journal of the European Union
.
2.   The NCAs and the ECB shall ensure that the provisions of this Guideline also apply to members of their decision making bodies.
3.   The ECB and the NCAs shall aim, to the extent legally feasible, to extend the obligations defined in implementation of the provisions of this Guideline to persons involved in the performance of supervisory tasks who are not staff members.

Article 9

Addressees

This Guideline is addressed to the NCAs, and to the ECB in the performance of its tasks under Regulation (EU) No 1024/2013, in each case insofar as they receive confidential statistical information from the ESCB.
Done at Frankfurt am Main, 5 February 2016.
For the Governing Council of the ECB
The President of the ECB
Mario DRAGHI
(1)  
OJ L 287, 29.10.2013, p. 63
.
(2)  Council Regulation (EC) No 2533/98 of 23 November 1998 concerning the collection of statistical information by the European Central Bank (
OJ L 318, 27.11.1998, p. 8
).
(3)  Guideline ECB/1998/NP28 of 22 December 1998 concerning the common rules and minimum standards to protect the confidentiality of the individual statistical information collected by the European Central Bank assisted by the national central banks (
OJ L 55, 24.2.2001, p. 72
).
(4)  Council Regulation (EU) 2015/373 of 5 March 2015 amending Regulation (EC) No 2533/98 concerning the collection of statistical information by the European Central Bank (
OJ L 64, 7.3.2015, p. 6
).
Markierungen
Leseansicht