Search En menu en ClientConnect

Top searches
Most visited pages

Data Protection Statement for Internal Audit activities

1.  Controller

This data protection statement provides information regarding the purpose of the processing carried out by the Internal Audit Department of the European Investment Bank hereafter, hereafter the “EIB” or “we” in the course of the audit engagements performed by the EIB Internal Audit Department.

In the course of this activity the processing of personal data does not involve the existence of automated decision-making, including profiling.

2.  Purpose of the processing

This data protection statement provides information regarding the purpose of the processing carried out by the EIB in the course of the audit engagements performed by the EIB Internal Audit Department. The EIB performs tasks in the exercise of the authority vested to it in accordance with the Provisions of the Treaties and its Statute.

The EIB processes your personal data as reasonably necessary so that it can conduct and manage audit engagements in a reasonable and proper manner, in accordance with applicable laws and regulations. Personal data are processed in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter, the EU DPR).

Specifically, EIB processes the personal data for the below purpose(s) as described in the record: The EIB Group Internal Audit Charter defines the mission of Internal Audit. The purpose of Internal Audit is to provide independent, objective assurance and advisory services designed to add value and improve the EIB Group's operations. The internal audit activity helps the EIB Group accomplish its objectives by bringing a systematic, disciplined approach to assessing and improving the effectiveness of governance, risk management and internal control. To this end, Internal Audit provides the management of the EIB Group’s entities with assurances, analyses, agreed action plans or recommendations, counsel and information concerning the activities reviewed.

3.  Legal Basis of the processing

The legal basis for the processing of personal data in the course of audit engagements is: The public interest and in particular the EIB Group Charter for Internal Audit, adopted by the EIB Board of Directors on 12 May 2021 and the EIF Board of Directors on 21 June 2021. 

4.  Categories of data subjects

The following categories of individuals (data subjects) are/may be concerned by the processing under 2: Externals, EIB/EIF staff members, Candidates, Designated EIB/EIF Staff members, Members and former members of EIB/EIF Governing Bodies, alternates, and non-voting Experts; Former EIB Group Staff members incl. Pensioners; Family members of the other data subjects concerned; Suppliers and beneficiaries of the EIB Group’s procurement activities and financial transactions

5.  What personal data do we process?

EIB processes the following categories of personal data: name, contact details, title, date of birth, e-mail address, telephone number, employee badge number, national security number.  Any data handled within the scope of specific activities being audited may be processed, strictly limited to what is relevant for assessing compliance and effectiveness of internal controls/processes in relation to the audit objectives. Only personal data that are strictly necessary will be processed, following a necessity assessment conducted in line with the audit objectives.  

6.  Where do we obtain your personal data?

We may obtain your personal data:

  • Internally, from the EIB relevant services and/or EIB governing and controlling bodies
  • from a legal entity or an organisation that you represent or with which you are associated
  • from an intermediary involved in the transaction /contract to which EIB is associated to

7.  To whom is your data disclosed?

We may disclose personal data about you to the following recipients:

  • EIB Board of Directors,
  • Chair EIF Board of Directors,
  • Management Committee,
  • Audit Committee,
  • Audit Board,
  • EIF Chief Executive,
  • External Auditors,
  • the service provider

8.  International Transfers

Your data may be transferred to entities established outside the EU or the European Economic Area, in particular towards the USA.

9.  How long do we keep your personal data?

We keep your data for the period of 30 years determined by Internal Audit Department as from their collection.

10. What are your rights and how can you exercise them?

Your rights are set out in sections 3 to 5 of the EU DPR.

  • You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, if so, to access your personal data by contacting the Controller or through the EIB DPO (right of access);
  • You have the right to request the controller to rectify any inaccurate data and/or have incomplete personal data completed (right for rectification);
  • You have the right to request the controller to erase your personal data as per Article 19 of the EU DPR (right to be forgotten);
  • You have the right to request the controller to restrict the processing of your personal data in the following cases (right to restriction of processing):
    • (i) if you contest the accuracy of your data;
    • (ii) if the processing of the data is unlawful and you oppose to their erasure;
    • (iii) if the controller no longer needs the personal data referred to for the purposes of the processing but you require them for the establishment, exercise or defence of legal claims; or
    • (iv) if you have objected to the processing of your data and EIB seeks to establish whether the controller has legitimate grounds overriding yours right to restriction.
  • You have the right to object to the processing of personal data, on grounds relating to your particular situation, unless EIB demonstrates compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims;
  • You have the right to receive your personal data from the EIB in a structured, commonly used and machine-readable format to allow you to transmit your data to another controller without hindrance from the EIB (right to data portability);
  • When the legal basis of the processing is the consent, data subject has the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
  • You have the right to lodge a complaint with the European Data Protection Supervisor (www.edps.europa.eu) at any time (right to lodge a complaint).

11. Contact us

If you have any questions about our processing of your personal data, or wish to exercise any of the rights described above, please contact us: ia-secretariat@eib.org or the EIB's Data Protection Officer, Mr. Pelopidas Donos, by email at p.donos@eib.org or at the following address:

Mr. Pelopidas Donos
European Investment Bank
98-100 Boulevard Konrad Adenauer
L-2950 Luxembourg (Grand Duchy of Luxembourg)