Privacy statement - COVID-19 pandemic
Data Protection legal framework applicable to the European Central Bank
All personal data are processed in accordance with EU Data Protection Law, i.e. in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
The European Central Bank as controller of processing personal data
The European Central Bank (ECB) is the controller for the processing of the personal data. The ECB Medical Centre is responsible for the processing.
Purposes and description of processing personal data
The ECB must assist in preventing its personnel from becoming infected with the coronavirus (COVID-19); it must to the extent that it is able, avoid the spread of COVID-19 on the ECB’s premises; and it must ensure the continued functioning of the ECB. Personal data are processed to establish a list of ECB personnel and externals tested positive for or been diagnosed with’ COVID-19 (“infected person”), in order to implement the necessary follow-up and mitigation measures to protect ECB personnel and externals during the COVID-19 pandemic. This list will assist the ECB in verifying the fitness to work of ECB personnel, according to the applicable legal and statutory obligations, and in implementing policies to promote their health and wellbeing. The information collected will enable the ECB to implement procedures and policies to reduce the risk of infection on the ECB’s premises. ECB personnel” should be understood here as comprising: ECB permanent, fixed-term and short term contract employees, Graduate programme participants and trainees. “External or non ECB employee”, as defined in the House Rules, includes: all contractors working on the premises of the ECB as well as to their directors, agents, staff, freelancers and subcontractors.
In the event that a member of staff of the ECB personnel or an external is tested positive for COVID-19, the following procedure is applied:
ECB Security and Safety Division and Medical Centre
- The infected person contacts the ECB Medical Centre (MC) directly (by email or phone) during business hours or the ECB Security and Safety Division (SET) outside business hours.
- If the ECB personnel or external tested positive for COVID-19 calls SET, SET provides the information it is given to MC, including the date on which the person tested positive for COVID-19 was last on the ECB premises. SET then waits for MC’s further instructions.
- SET creates an internal security incident report after having been notified by an infected person. This includes the date and time of the received call and the building or floor the person was located on during their last visit to the ECB’s premises. No other details are recorded.
- The infected person provides a list of the persons (ECB personnel, visitors, meeting participants, other externals ) they were in close contact with on the ECB’s premises during the days before experiencing COVID-19 symptoms and/or being tested COVID-19 positive. After first contacting the infected person and the identification of close contacts on the ECB premises, MC decides on a course of action regarding cleaning and security intervention and notifies such course of action by email to SET. SET is not involved further in communication between the MC and the affected person(s). Information about members of the household of the infected person – if such information is provided to MC – is not provided by MC to any other third party; instead it is used only in order to give advice, from an occupational health perspective, to the ECB personnel or external concerned (e.g. not to send children to school or crèche, if possible, in view of the rules of the school or crèche concerned, in compliance with national or local requirements and to reduce the risk of virus transmission via children to other ECB personnel and externals).
DG-HR and Medical Centre (MC)
- Medical Centre (MC) may inform the HR line manager about the infected person if there is a risk of infection to other colleagues and to ensure that MC traces all the close contacts on the ECB’s premises that may have been infected. The HR line manager contacts the line manager or contract manager of the infected person if there is a need to provide MC with additional information for the contact tracing procedure (i.e. business travel, meetings, etc.) or if advice needs to be given, from an HR perspective, to the line manager or contract manager (i.e. team communication related to office decontamination).
The personal data collected will not be used for any purposes other than the performance of the activities specified above. If this changes, you will be informed accordingly.
Legal basis of processing operations
Your personal data is being processed by the ECB:
- for compliance with a legal obligation to which the ECB is subject, based on Article 5(1)(b) of Regulation (EU) 2018/1725. This provision should be read in conjunction with ECB’s obligation stemming from Article 9(c) ECB Conditions of Employment (CoE) to provide to its staff members a work place which complies with health and safety standards at least equivalent to the minimum requirements under Council Directive 89/391/EEC.
- because the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law insofar as it is authorised by Union law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. It is also necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or pursuant to contract with a health professional (Article 10(2)(h) of Regulation (EU) 2018/1725).
Categories of personal data collected and processed by the European Central Bank
In order to carry out this processing the ECB Medical Centre collects the following categories of personal data:
- first name;
- last name;
- email address (private and ECB email address);
- telephone number;
- medical status (COVID-19 symptoms; information on COVID-19 symptoms of household members – no names);
- information about the result of the COVID-19 test (when the need for testing has been confirmed);
- list of close contacts of the infected person concerned since the appearance of the first symptoms, and over a period to be determined on a case-by-case basis;
- number of the office and building floor of the infected person concerned;
- necessary period of recovery before work can be resumed.
Recipients of the personal data
Your personal data is accessed by the ECB staff responsible for carrying out the data processing operation described above and by authorised staff on the basis of the “need to know” principle. Such authorised staff abide by statutory requirements, and where relevant, additional confidentiality agreements. The recipients of the data are:
- ECB Medical Advisers and nurses who have full access to the necessary medical information required to perform their specific tasks;
- Authorised staff members of SET and other units of Directorate Administration who have access to aggregated data (number of the office and building floor of the ECB personnel or external concerned). SET staff members also have access to the name of the Infected person and to limited information provided by the infected person if they call SET before contacting MC;
- Authorised staff of the Directorate General Human Resources (DG-HR) who are subject to specific confidentiality rules according to Article 6.7 of the ECB Staff Rules with access to limited administrative information related to the purposes specified in the Staff Rules. MC may need to communicate personal data to the HR manager, who may need to communicate such personal data further to the line manager or contract manager of the infected person if there is a need to help MC with additional information for the contact tracing procedure within the ECB or to provide advice from an HR perspective;
- Authorised staff of the ECB residences (where the infected person lives in one of the residences which have a contract with the ECB to provide accommodation) – MC shares aggregated data (floor, room number, information that a person has been tested positive for COVID-19);
- Local health authorities (Gesundheitsamt). The name, private email address and other justified information about the infected person may be reported when necessary to local health authorities, in line with applicable national or local requirements;
- The ECB Incident Response Team (IRT) and Directorate-General Communications (DG/C) have access only to aggregated data in order to discuss response plans and to inform all ECB ECB personnel and externals and, upon request, the public about the number of COVID-19 cases among ECB personnel and externals in aggregated form and the measures applied.
Time limits for storing personal data
MC will store personal data of the infected persons who call using the following phone numbers during business hours on 069/1344-3061 or 069/1344-3064, and outside business hours on 069/1344-8008 or who contact MC directly via email, in the Medical Software Ergodat for 10 years in accordance with the retention period applicable to storage of personal data by MC.
Data subject rights
You have the right to access your personal data and correct any data that are inaccurate or incomplete. You also have (with some limitations) the rights to:
- delete your personal data;
- restrict or object to the processing of your personal data
in line with the relevant provisions of Regulation (EU) 2018/1725.
Contact Information in case of queries and requests
You can exercise your rights by contacting the ECB Medical Centre at firstname.lastname@example.org. The ECB’s Data Protection Officer at email@example.com answers all queries relating to personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.