Privacy statement for Miro
What is our legal framework?
All personal data are processed in accordance with applicable European Union data protection law, in particular Regulation (EU) 2018/1725 (the “EUDPR”)[1] and Decision (EU) 2020/655 (ECB/2020/28)[2].
These legal instruments provide the framework that defines the ECB’s obligations and data subjects’ rights regarding personal data processing.
Why do we process personal data?
Personal data are processed in Miro digital whiteboards to facilitate secure and effective collaboration in workshops and meetings involving ECB staff members and, if authorised, colleagues from the national central banks, national competent authorities or external partners. This processing supports the ECB’s institutional and administrative tasks and is conducted strictly in line with the ECB’s data protection framework.
In practice, this means that personal data are collected to allow functionalities such as workshops and meetings, Miro digital whiteboard or digital team creation and file sharing, user authentication, attribution of contributions and co-editing/drafting of notes, diagrams, uploaded files and comments during collaborative work sessions.
What is the legal basis for processing your personal data?
Your personal data are processed by the ECB strictly in the performance of its official functions and tasks carried out in the public interest. This processing is firmly grounded in Article 5(1)(a) of the EUDPR, which authorises data processing that is necessary for the performance of a task carried out in the public interest. This is explicitly confirmed by Recital 22, recognising the legitimacy of the ECB’s management and administrative functions, and is further reinforced by Article 12.1 of the Statute of the European System of Central Banks and the European Central Bank.
The ECB’s adoption and use of collaboration tools such as Miro digital whiteboards is in line with its responsibility to organise its work efficiently in the public interest. Miro is used to support institutional collaboration, workshops and meetings, complementing other ECB productivity and communication services.
This Decision sets out comprehensive internal rules and governance protocols which ensure that all personal data processed through Miro are managed securely, proportionately and in strict accordance with the ECB’s data protection obligations. It mandates robust safeguards and accountability measures, thereby reinforcing the ECB’s legal framework for data processing.
All personal data processed in this way are therefore processed on a solid legal footing, as required by the EUDPR and the ECB’s governance framework.
Who is responsible for processing your personal data?
The ECB’s Directorate General Information Systems (DG/IS), as the data controller, is responsible for processing your personal data in accordance with the EUDPR. DG/IS ensures that your personal data are handled lawfully, transparently and in line with the purposes outlined in this privacy statement.
Miro (RealtimeBoard, Inc.) acts as the data processor for Miro digital whiteboards, processing personal data on behalf of the ECB under the contractual agreement concluded between the ECB and Miro. This agreement ensures that Miro complies with all applicable data protection laws. This approach is explicitly supported by Recital 53 of Regulation (EU) 2018/1725, which underlines the ECB’s obligation to select only processors providing sufficient guarantees to implement appropriate technical and organisational measures.
Who will be the recipients of your personal data?
Access to personal data within Miro is restricted to authorised individuals on a need-to-know basis. Your personal data will be processed by the following recipients.
- Miro digital whiteboard owners and participants (both ECB and external) have access to the digital whiteboard content, including contributions notes, drawings, uploaded files, and comments, as well as to the names, surnames and email addresses of the contributors. Access is restricted to those explicitly invited to the digital whiteboard or to the team of contributors.
- The IT support team in DG/IS and their designated external providers may access a limited set of personal data (for example, IP addresses or group membership details) to support troubleshooting and user support, strictly on a need-to-know basis. They will never have access to user-generated content (such as the content of digital whiteboards or the associated comments).
- Miro (RealtimeBoard, Inc.) and its authorised sub-processors, as the service providers, may access a limited set of personal data (for example, IP addresses or group membership details) for technical support or maintenance purposes, strictly on a need-to-know basis. They will never have access to user-generated content (such as the content of digital whiteboards or the associated comments).
- The ECB Digital Security team may process personal data solely to investigate, mitigate and resolve issues in the event of a security incident. This access is performed under strict supervision and in full compliance with the ECB’s security policies.
Where access to your personal data is required to facilitate the exercise of your rights under the EUDPR, this is restricted to authorised staff, ensuring that a minimal number of staff are involved.
What categories of personal data are collected?
- On behalf of its staff and authorised collaborators, the ECB provides an initial set of data to ensure users can authenticate themselves, log on and use Miro digital whiteboards effectively.
- For ECB staff members and digital whiteboard participants, this set of data includes (but is not limited to):
  - username;
  - first name;
  - surname;
  - email address;
  - organisational unit.
- Digital whiteboard participants are able to see each other’s contributions and basic profile information (name, surname and ECB email address or equivalent organisational email address) to ensure that they can be clearly identified and can collaborate effectively.
- Users are expected to adhere to ECB policies when sharing any additional personal data within Miro.
Will your personal data be processed in third countries or by international organisations?
Miro acts as the data processor for your personal data. By default, Miro provides EU data residency, meaning that in-scope production data (such as digital whiteboards and whiteboard content) are stored and processed in a primary data centre in Ireland and a back-up data centre in Germany. This ensures that the majority of your data remain within the European Union, in compliance with the applicable data protection laws. Further details about Miro’s data residency policy are available here.
In certain cases, however, some categories of personal data (such as metadata, customer support data, AI features) may be accessed or processed outside the EU, in the United States. These transfers are safeguarded through the use of Standard Contractual Clauses and Miro’s participation in the EU-US Data Privacy Framework.
In exceptional circumstances, your personal data might be processed in third countries or by international organisations based on the derogations for specific situations set out in Article 50(1) of the EUDPR.
How long will the ECB keep personal data?
General retention policy: the ECB’s Filing and Retention Plan governs how long personal data are kept, ensuring that they are not retained longer than necessary. The specific retention period depends on the processing purpose and the business case for which the data were originally collected.
Service-generated data (metadata needed for system operations) and logs are kept for up to 180 days.
What are your rights?
Under the EUDPR, you have the right to:
- access your personal data;
- rectify any data that are inaccurate or incomplete;
- delete your personal data (with certain limitations);
- object to or restrict the processing of your personal data.
The ECB may restrict your rights as a data subject where there is a risk of compromising investigations conducted by the Data Protection Officer or endangering legal proceedings related to processing activities. These restrictions are based on specific provisions outlined in Article 3(1)(i) of Decision ECB/2022/42[3] and are reviewed every six months.
Who can you contact for queries or requests?
If you wish to exercise your rights or have questions about how your personal data are processed, you can contact the ECB’s Data Protection Officer directly at dpo@ecb.europa.eu for all queries relating to personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.
[1] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
[2] Decision (EU) 2020/655 of the European Central Bank of 5 May 2020 adopting implementing rules concerning data protection at the European Central Bank and repealing Decision ECB/2007/1 (ECB/2020/28) (OJ L 152, 15.5.2020, p. 13).
[3] Decision (EU) 2022/2359 of the European Central Bank of 22 November 2022 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s internal functioning (ECB/2022/42) (OJ L 311, 2.12.2022, p. 176).