
Privacy statement for VeridiumID

VeridiumID is a subservice of the ECB’s Identity Governance and Access Management (IGAM) tool.

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (“EUDPR”).

Why do we process personal data?

Personal data are processed for the purposes listed below.

  • To ensure IT security for the ECB. More specifically, to facilitate secure identity and access management (IAM) in accordance with the relevant policies and guidelines of the European System of Central Banks (ESCB) and Single Supervisory Mechanism (SSM).
  • To provide users with access to the ECB’s IT resources. This includes, but is not limited to, the initial user login for the ECB’s infrastructure and access to any systems linked to that initial account, such as the ECB’s intranet, file storage and DARWIN.
  • To support users who are having difficulty logging into the ECB’s IT resources.

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB in the performance of IT security tasks carried out in the public interest, based on Article 5(1)(a) of the EUDPR in conjunction with Recital 22 of the EUDPR.

According to Recital 22 of the EUDPR, processing of personal data in the performance of tasks carried out in the public interest by EU institutions and bodies includes the processing of personal data necessary for the management, functioning and IT security of those institutions and bodies. As a subservice of IGAM, VeridiumID supports daily tasks by identifying and authenticating users in order to maintain IT security and enable the performance of IAM-related security operational tasks.

Who is responsible for processing your personal data?

The ECB is the controller for the processing of your personal data. Digital Security Services (DSS) is responsible for this processing. DSS engages the external providers listed below to process personal data on its behalf and according to its instructions:

  • Sopra Steria;
  • Eviden;
  • Atos Benelux;
  • Unisys.

Who will be the recipients of your personal data?

The recipients of your personal data (including entities with access to your personal data) are, depending on the data type, the designated staff of the ECB and/or external providers working for:

  • Directorate General Information Systems Service Desk;
  • Directorate General Information Systems Field Services;
  • DSS.

What categories of personal data are collected?

The ECB processes the personal data listed below.

Name (as per ISIS[1] information):

  • first name – ECB IT Services as required;
  • preferred first name – ECB IT Services as required;
  • last name – ECB IT Services as required;
  • preferred last name – ECB IT Services as required;
  • middle name – ECB IT Services as required;
  • display name – ECB IT Services as required.

ECB identifiers:

  • IGAM user login – ECB IT Services as required;
  • ECB01 globally unique identifier – ECB IT Services as required;
  • email (via IGAM) – ECB IT Services as required.

Employment details (as per ISIS information):

  • identity status – ECB IT Services as required.

Activity data (as per ECB01):

  • last authentication date – DSS;
  • IP address of mobile authenticator and authentication endpoint – DSS;
  • context score – DSS;
  • motion score – DSS;
  • location (if permitted by the user) – DSS.

Where data are provided to ECB IT Services, they are also available to all other recipients mentioned above.

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

Your personal data will be processed at ECB premises only.

How long will the ECB keep personal data?

Your personal data will be stored for a maximum of ten years after the end of your contract or last pension claim, except for your ECB staff number and user login, which will be stored permanently owing to ESCB/SSM policy requirements related to the ECB’s public key infrastructure.

What are your rights?

You have the right to access your personal data and correct any data that are inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or restrict the processing of your personal data in line with the EUDPR. The ECB may restrict your rights in order to safeguard the interests and objectives referred to in Article 25(1) of the EUDPR.

Who can you contact for queries or requests?

You can exercise your rights by contacting servicedesk@ecb.europa.eu. You can also contact the ECB’s Data Protection Officer directly at dpo@ecb.europa.eu for all queries relating to your personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.

  1. The ECB’s enterprise resource planning system.