Data protection is about protecting the freedoms and fundamental rights of individuals with regard to the processing of their personal data, meaning any information relating to an identified or identifiable natural person, including name, date of birth, photographs, video footage, email addresses, telephone numbers and IP addresses.
Data protection is a fundamental right enshrined in EU primary and secondary law:
- Article 8 of the Charter of Fundamental Rights (CFR) states that everyone has the right to personal data protection;
- The protection of natural persons in relation to the processing of their personal data is also enshrined in Article 16 of the Treaty on the Functioning of the EU (TFEU), which constitutes a specific legal basis for adopting legislative acts on data protection.
- For the EU as a whole, the data protection rules are set out in Regulation (EU) 2016/679, more commonly known as the General Data Protection Regulation (GDPR). The GDPR applies to any organisation established in the EU, as well as to organisations based outside the EU that intentionally offer goods or services to the EU, or that monitor the behaviour of individuals within the EU.
- Regulation (EU) 2018/1725 (EUDPR) sets forth the rules applicable to the processing of personal data by EU institutions, bodies, offices and agencies which are in line with the high data protection standards established in the GDPR.
The ECB is obliged to comply with the EUDPR when it processes personal data, for instance as:
- an employer, when it processes the personal data of its staff;
- a public institution, when it invites members of the general public to register for events by sharing their personal information;
- a banking supervisor, when it requests information, including personal data, from supervised institutions or NCAs.
The ECB has appointed a Data Protection Officer who is entrusted with the primary task of ensuring, in an independent manner, the internal application of the EUDPR. The ECB's DPO can be contacted at firstname.lastname@example.org in the event of questions regarding the protection of personal data.
As a data subject (i.e. an individual whose personal data are processed by the ECB) you have the right to:
- be informed of the existence of a data processing operation concerning you and its main characteristics;
- have access to your personal data being processed by the ECB;
- rectify any inaccurate or incomplete personal data;
- withdraw consent at any time, where the processing activity is based on your consent;
- restrict the processing of your personal data;
- erase your personal data;
- object to the processing of your personal data on grounds relating to your particular situation.
You can find out how the ECB processes your personal data by reading our online privacy statements.
You can also read the records of processing operations involving personal data, which the ECB makes publicly accessible.
If you consider that your rights as described above have been violated, you have the right to file a complaint with the European Data Protection Supervisor (EDPS) at any time.
The EDPS is the independent supervisory authority, responsible for ensuring the protection of personal data by EU institutions, agencies and bodies. For more information about the EDPS, please refer to EDPS website.