1. The controller may restrict the rights referred to in Article 1(2) to safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725, in particular where the exercise of those rights would jeopardise or otherwise adversely affect:
(a)
the performance of the ECB’s supervisory tasks under Regulation (EU) No 1024/2013, including the proper functioning of the supervisory system;
(b)
the safety and soundness of credit institutions and the stability of the financial system within the Union and each Member State;
(c)
the effectiveness of the reporting of breaches in accordance with Article 23 of Regulation (EU) No 1024/2013.
2. To safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725, the controller may restrict the rights referred to in Article 1(2) in relation to personal data obtained from other Union institutions and bodies and competent authorities of Member States or third countries or international organisations, in any of the following circumstances:
(a)
where the exercise of those rights could be restricted by other Union institutions and bodies, from which the personal data was obtained, on the basis of other acts provided for in Article 25 of Regulation (EU) 2018/1725 or in accordance with Chapter IX of that Regulation or with the founding acts of other Union institutions and bodies;
(b)
where the exercise of those rights could be restricted by the competent authorities of Member States, from which the personal data was obtained, on the basis of acts referred to in Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council ( 4 ) , or under national measures transposing Articles 13(3), 15(3) or 16(3) of Directive (EU) 2016/680 of the European Parliament and of the Council ( 5 ) ;
(c)
where the exercise of those rights could jeopardise or otherwise adversely affect the ECB’s cooperation with third countries or international organisations, from which the information was obtained, in the conduct of its tasks, unless the ECB’s interest in cooperation is overridden by the interests or fundamental rights and freedoms of the data subjects.
3. Before applying a restriction in the circumstances referred to in paragraphs 2(a) and (b), the controller shall:
(a)
take note of arrangements concluded with the relevant Union institutions and bodies or the competent authorities of Member States; and
(b)
consult with the relevant Union institutions and bodies or the competent authorities of Member States unless it is clear to the controller that the application of that restriction is provided for by one of the acts or measures referred to in paragraphs 2(a) and (b).
4. The controller may only apply a restriction where on a case-by-case assessment it concludes that the restriction:
(a)
is necessary and proportionate taking into account the risks to the rights and freedoms of the data subject; and
(b)
respects the essence of the fundamental rights and freedoms in a democratic society.
5. The controller shall document its assessment in an internal assessment note which shall include the legal basis, the reasons for the restriction, the rights of the data subjects that are restricted, the data subjects affected, the necessity and proportionality of the restriction and the likely duration of the restriction.
6. A decision to restrict the rights of a data subject pursuant to this Decision to be taken by the controller shall be made at the level of the relevant business area head or deputy head in whose business area the main processing operation involving the personal data is carried out.