European Central Bank - eurosystem
European Central Bank - eurosystem
Search
Search Options
Home Media Explainers Research & Publications Statistics Monetary Policy The €uro Payments & Markets Careers
Suggestions
Sort by
  • PRIVACY STATEMENT

Privacy statement for the ECB’s centralised submission platform

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (“EUDPR”).

Why do we process personal data?

Personal data are processed to securely identify and authenticate users. Personal data must be collected when accounts are created through which users can access the platform. Personal data are collected via the Identity and Access Management (IAM) or ECB Identity Portal authentication systems. The data are automatically synchronised between the IAM/ECB Identity Portal and the centralised submission platform to support the basic functionalities of the system (providing access to different data collections and ensuring traceability of the access to each data collection and reporting entity).

Personal data are also processed for maintenance, performance and security purposes. Some data are needed to ensure our application is technically secure. Myra Security GmbH, a German technology manufacturer providing a security-as-a-service platform, is responsible for processing a limited number of personal data categories (e.g. IP addresses). This processing is crucial for ensuring the technical security of our application. More detailed information on Myra Security GmbH’s privacy policy can be found on Myra Security GmbH’s website.

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB in the performance of a task in the public interest, based on Article 5(1)(a) EUDPR in conjunction with Protocol (No 4) on the Statute of the European System of Central Banks and the European Central Bank and Article 6 of Council Regulation (EU) No 1024/2013.

Who is responsible for processing your personal data?

The ECB is the controller for the processing of the personal data. The Directorate General Statistics and the Directorate General Information Systems are responsible for the actual processing. In addition, data are processed by Amazon Web Services EMEA SARL and Myra Security GmbH in the role of sub-processors for the ECB.

Who will be the recipients of your personal data?

The recipients of your data (including entities who have access to that personal data) are user administrators who are designated ECB staff members or, in the European System of Central Banks and a European banking supervision context, designated staff members in national central banks or national competent authorities, user administrators from external organisations (i.e. private companies, banks and universities) and the data subjects themselves.

What categories of personal data are collected?

The ECB processes the following personal data:

  • Name
  • Contact details (email)
  • User ID
  • Employment details: organisation/institution
  • IP addresses
  • HTTP headers
  • Cookies
  • Query parameters and payload data
  • Device and network information

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

Your data are processed within the internal ECB network and stored in ECB systems. Data are also processed by third parties providing infrastructure and platform services to the ECB, including data centres as well as network and operational services (e.g. public cloud infrastructure and platform services). In particular, your data are processed by Amazon Web Services EMEA SARL in its role as sub-processor for the ECB. It hosts the database for the ECB’s centralised submission platform as well as the system used to store log files and the platform’s control team data. Hosting data centres are always located in the EU. Data are encrypted in transit and at rest using encryption keys managed by the ECB. Your data are also processed and stored in the IAM and ECB Identity Portal authentication systems used to log in to the centralised submission platform.

Your personal data will also be processed in third countries or by international organisations in accordance with appropriate safeguards (pursuant to Article 48 EUDPR). These are provided by standard contractual clauses (SCCs).

How long will the ECB keep personal data?

User accounts and all personal data in the ECB’s centralised submission platform will be stored in accordance with the retention policy of the IAM and ECB Identity Portal authentication systems. Personal data will be retained in the IAM for as long as a user is active on the platform. If a user is declared to be inactive, data related to roles and permissions will be cleared immediately and data related to identity will remain stored in a dedicated archived lightweight directory access protocol (LDAP) folder. Other data related to audit logs, accesses, activities, etc. are cleared after 13 months. Once a user account has been removed from the IAM and the ECB Identity Portal, the associated data will be removed from the user management function in the ECB’s centralised submission platform. The audit logs will be deleted, either in accordance with the retention period set by the ECB collection owner for a given dataset or upon request from the data subject at any time.

For more information on the retention policy of the ECB Identity Portal, please consult the Privacy Statement for the ECB Identity Portal and the OneWelcome Privacy Policy.

What are your rights?

You have the right to access your personal data and correct any data that are inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data, and the right to object to or restrict the processing of your personal data, in line with the EUDPR. The ECB may restrict your rights in order to safeguard the interests and objectives referred to in Article 25(1) EUDPR.

Who can you contact in case of queries or requests?

You can exercise your rights by contacting the team responsible for the centralised submission platform at statistics@ecb.europa.eu. You can also contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu directly regarding all personal data queries.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.