The scale at which Europe processes personal data is increasing. In the financial sector, this includes personal data of investors under Mifid 2/MiFIR (provided by financial institutions to supervisors) and personal data of officials at financial institutions (e.g. processed by ECB).
The latest development is that the European Banking Authority (EBA) is going to include personal data of certain customers of financial institutions, and of certain beneficial owners of those customers, in its black-sheep database of financial institutions, the EuReCA blacklist [*].
Read their announcement "The EBA will start collecting information on natural persons through its AML/CFT database, EuReCA" (emphasis added by me):
Starting from May 2024, supervisors across the European Union (EU) will be able to report names of natural persons to EuReCA, the EU central database on anti-money laundering (AML) and countering the financing of terrorism (CFT) of the European Banking Authority (EBA). Through EuReCA, the EBA has been able to contribute to making supervision more informed, targeted and effective. With this step, the EBA will contribute to further strengthening the fight against money laundering (ML) and terrorist financing (TF) in the EU.
EuReCA contains information on serious AML/CFT deficiencies in individual financial institutions that have been identified by EU supervisors. It also contains information on the measures taken by supervisors to address those deficiencies.
If a serious deficiency or a measure is linked to a natural person, for example a customer or a beneficial owner, supervisors will be able to report this information to EuReCA. Supervisors can also report the name of a member of the management body or a key function holder in a financial institution, if necessary, because a lack of honesty or integrity can cause or lead to serious problems in a financial institution’s governance arrangements, business model or activities and ultimately, weaken the institution’s AML/CFT defences.
According to the EBA, the processing complies with data protection regulations, and the EBA has updated the relevant Data Protection Impact Assessment (DPIA).
In its Data Protection Notice the EBA informs the public about its processing activities, among other things (emphasis added by me):
What personal data do we process, for what purpose, who can access it and how long do we keep them?
EuReCA collects information from reporting authorities in the context of preventing and countering money laundering and terrorist financing. Identification of natural persons is not the main purpose of the EuReCA database. Data on natural persons is provided by EU reporting authorities. These data sets are collected and further processed with the purpose of identifying and analysing material weaknesses (significant failures in the compliance with any of the AML/CFT-related requirements) in the supervision of activities of financial operators and vulnerabilities and risks in relation to money laundering and terrorist financing in the financial sector in situations where the natural persons appear to be linked with the material weakness. Information related to suspicions of criminal offences or criminal convictions committed by a customer, a beneficial owner, a member of the management body or key function holder could be an indicator of a lack of honesty, integrity or ML/TF risks.
This can be a significant cause or contributor to material weaknesses in a financial sector operator’s governance arrangements, fitness and propriety, holders of qualifying holdings, business model or activities. Therefore, the personal data specified in Annex II of the Commission Delegated Regulation (EU) 2024/595, may include information related to suspicion or conviction for criminal offences. The data are analysed and shared, on a need-to-know and confidential basis with reporting authorities at national and EU level for their supervisory activities in line with point 5 of Annex II of Commission Delegated Regulation (EU) 2024/595. The data can be further shared with EIOPA, ESMA, national judicial authorities EPPO, FIUs
This processing activity involves processing personal data of individuals connected with the materiality of the weakness identified. Personal data may be included in some specific fields, in case an individual has a direct connection with the materiality of the weakness identified and there is a request by EBA to identify some categories of natural persons.
The data necessary to make sure the right person is identified may be collected in structured fields (i.e. name, surname, date of birth, country of residence, nationality).
The categories of persons are set out in details in Annex II of the Commission Delegated Regulation (EU) 2024/595. These are: customer, beneficial owner, member of the management body or key function holder(s).
In addition, the processing activity will involve processing of identification and technical data such as the access logs of EBA staff and authorities accessing the database.
The personal data are analysed and shared, on a need-to-know and confidential basis, with reporting authorities (AML/CFT authorities, prudential authorities, payment institutions authorities, conduct of business authorities, resolution authorities, designated authorities as defined in Article 1 of Commission Delegated Regulation (EU) 2024/595) at national and EU level for their supervisory activities (Article 9a(2) and (3) of the EBA Regulation). The data will be transmitted where appropriate to national judicial authorities and the European Public Prosecutor’s Office (EPPO). EuReCa operates in the wider context of close coordination between the EBA and other reporting authorities at national and EU level, including the European Central Bank (ECB) and Single Resolution Board (SRB). In that context, data including personal data can also be shared on a case-by-case basis with EIOPA and ESMA as part of the general duty of cooperation foreseen in Article 2(4) of the EBA Regulation and with national Financial Intelligence Units (FIUs) pursuant to Article 9a(1), point (a), of the EBA Regulation.
The personal data is also accessible to the EBA staff managing EuReCa and may be accessible to the IT support.
As set out in Article 14 of the Commission Delegated Regulation (EU) 2024/595 the EBA will keep personal data in an identifiable form for a period of up to 10 years from the collection by the EBA and, where it does so, shall delete personal data upon expiry of that period. Based on a yearly assessment of their necessity, personal data may be deleted before the end of that maximum period on a case-by-case basis.
Why do we process your personal data and under what legal basis?
The data are processed to enable the EBA to fulfil the mandate it has received in Article 9a(1), 9a(2) and 9a(3) of the EBA Regulation.
The Commission Delegated Regulation (EU) 2024/595 provides the details of performance of these tasks.
[*] More information in the factsheet by the EBA on EuReCA.