European Central Bank - eurosystem
European Central Bank - eurosystem
Search
Search Options
Home Media Explainers Research & Publications Statistics Monetary Policy The €uro Payments & Markets Careers
Suggestions
Sort by
  • PRIVACY STATEMENT

Privacy statement for the activities of the ECB’s Data Protection Officer

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (the EUDPR), and Decision (EU) 2020/655 of the European Central Bank adopting implementing rules on data protection at the ECB.

Why do we process personal data?

Personal data are processed to enable the Data Protection Officer (DPO) to perform his or her tasks as specified in Article 4 of Decision (EU) 2020/665 in conjunction with Article 45 EUDPR. These tasks are as follows:

  • inform and advise the Executive Board, the controllers, the Staff Committee and the data protection coordinators, and respond to consultations from any of them or any data subject on matters concerning the interpretation and application of data protection provisions at the ECB (Article 4(a) Decision (EU) 2020/665 and Article 45(1)(a) EUDPR);
  • investigate matters and incidents related to data protection either on the DPO’s own initiative or at the request of the Executive Board, a controller, the Staff Committee or any data subject, and report back to the requester of the investigation (Article 4(b) Decision (EU) 2020/665 and Article 45(2) EUDPR);
  • assist a controller, upon request, in drafting data protection impact assessments and submissions for the prior consultation of the EDPS (Articles 39, 40 and 45(1)(e) EUDPR and Article 4(d) Decision (EU) 2020/665);
  • respond to requests from the European Data Protection Supervisor and, within the sphere of his or her competence, cooperate with the EDPS (Article 45(1)(g) EUDPR and Article 4(e) Decision (EU) 2020/665);
  • cooperate with the data protection officers of other Union institutions and bodies, national central banks and national competent authorities, in particular by: (i) sharing knowledge and know-how based on experience; (ii) representing the ECB in relevant discussions relating to data protection issues, excluding court cases; and (iii) participating in interinstitutional committees and bodies (Article 4(f) Decision (EU) 2020/665);
  • ensure in an independent manner the application of the EUDPR at the ECB by monitoring compliance with the EUDPR, with other applicable Union law containing data protection provisions and with the policies of the ECB and its processors in relation to the protection of personal data, including the assignment of responsibilities, the raising of awareness and training of ECB staff members involved in processing operations and any related audits (Article 45(1)(b) EUDPR and Article 4(b) and (g) of Decision (EU) 2020/665).
  • ensure that data subjects are informed of their rights and obligations pursuant to the Article 45(1)(c) EUDPR and to refer data subject requests to the relevant responsible organisational unit within the ECB and to ensure that the identity of the requesting data subject is sufficiently clear;
  • provide advice where requested as regards the necessity for a notification or a communication of a personal data breach pursuant to Articles 34 and 35 EUDPR (Article 45(1)(d) EUDPR);
  • provide advice where requested as regards the need for prior consultation of the European Data Protection Supervisor pursuant to Article 40 EUDPR; to consult the European Data Protection Supervisor in case of doubt as to the need for a prior consultation (Article 45(1)(f) EUDPR);
  • ensure that the rights and freedoms of data subjects are not adversely affected by processing operations (Article 45(1)(h) EUDPR).

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB:

  • in the performance of a task carried out in the public interest, based on Article 5(1)(a) EUDPR in conjunction with Article 45 EUDPR and Article 4 of Decision (EU) 2020/655. The relevant legal provisions for the specific tasks to be performed by the DPO are cited in the section above;
  • because the DPO is exercising the powers laid down in Article 5 of Decision (EU) 2020/655, in the performance of his or her tasks pursuant to Article 4;
  • because the DPO is investigating matters and incidents related to data protection pursuant to Article 4(b) and following the investigation procedure laid down in Article 6 of Decision (EU) 2020/655.

Who is responsible for processing your personal data?

The ECB is the controller for the processing of your personal data. The Data Protection Officer is responsible for the processing.

Who will be the recipients of your personal data?

The recipients of your personal data (including entities who have access to that personal data) are the DPO and the members of his or her team.

Your personal data may also be disclosed as follows:

  • Other authorised ECB staff members may be given access to your personal data on a need-to-know basis.
  • In the context of an audit, third-party auditors or consultants may be recipients of your personal data on a need-to-know basis.
  • Where necessary to ensure the exercise of a data subject’s rights under the EUDPR, an individual who has requested a data protection investigation may be a recipient of your personal data.
  • The ECB’s Executive Board may be a recipient of your data as the DPO may bring to the Executive Board’s attention any data protection related issue, including the failure of an ECB staff member to comply with the provisions of the EUDPR or any other Union data protection provisions applicable to the ECB (Article 5(d) of Decision (EU) 2020/665).

Public authorities (e.g., the European Data Protection Supervisor, the Court of Auditors and the Court of Justice of the European Union) which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law will not be regarded as recipients. The further processing of those data by those public authorities will be in compliance with the applicable data protection rules according to the purposes of the processing (Article 3(13) EUDPR).

What categories of personal data are collected?

The DPO has access to personal data being processed, to all ECB premises, and to all information, data processing operations and databases at any time (Article 5(b) of Decision (EU) 2020/665). Therefore, the DPO might collect, in the performance of its tasks, any personal data processed by the ECB or its processors, namely a natural or legal person, public authority, agency or other body which processes personal data on behalf of the ECB.

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

Your personal data will not be processed in third countries outside the European Economic Area or by international organisations.

Your personal data might exceptionally be processed in third countries/international organisations based on the derogations for specific situations set out in Article 50(1) EUDPR.

How long will the ECB keep personal data?

Your personal data will be stored for a maximum of ten years before being deleted or anonymised.

What are your rights?

You have the right to access your personal data and correct any data that is inaccurate or incomplete. You restrict the processing of your personal data in line with EUDPR.

Pursuant to Article 3(1)(i) of Decision (EU) 2022/2359 of the ECB, the ECB may restrict your rights as a data subject also have (with some limitations) the right to delete your personal data and to object to or to

where the exercise of those rights would endanger investigations conducted by the DPO on processing activities carried out at the ECB, the safeguarding of which is in accordance with the interests and objectives referred to in (b) and/or (h) of Article 25(1) EUDPR.

Restrictions are subject to a case-by-case assessment and apply for a limited duration. The maintenance of the restriction is subject to a regular review at least every six months. As soon as the circumstances that justified the restriction no longer apply, the restriction is lifted.

Who can you contact for queries or requests?

You can exercise your rights by contacting the ECB’s Data Protection Officer at dpo@ecb.europa.eu. You can contact the same address for any other queries relating to your personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.