What is our legal framework?
All personal data are processed in accordance with EU Data Protection Law, that is to say in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Why do we process personal data?
Personal data are processed for purposes of authentication and identification of users of the ECB Centralised submission platform. The provision of certain personal information is a mandatory requirement so that user accounts can be created and users can access the platform and authenticate securely. The personal information is collected via the authentication systems IAM and ECB Identity Portal. These personal data are automatically synchronised between IAM or ECB Identity Portal and the ECB centralised submission platform in order to allow access to the various data collections and to ensure traceability of access to each data collection of a reporting entity.
What is the legal basis for processing your personal data?
Your personal data are processed by the ECB in the performance of a task in the public interest, based on Article 5(1)(a) of Regulation (EU) 2018/1725 in conjunction with Protocol (No 4) on the Statute of the European System of Central Banks and the European Central Bank (OJ C 202, 7.6.2016, p. 230) and on Article 6 of Council Regulation (EU) No 1024/2013 (OJ L 287, 29.10.2013, p.63).
Who is responsible for processing your personal data?
The ECB is the controller for the processing of the personal data. The Directorate General Statistics and the Directorate General Information Systems are responsible for the processing.
Who will receive your personal data?
The recipients of the data are designated ECB staff members, designated staff members of national central banks within the European System of Central Banks and national competent authorities within the Single Supervisory Mechanism (including secondees), user administrators from external organisations (e.g. private companies, banks, universities) and the data subjects themselves.
What type of personal data are collected?
The ECB processes the following personal data in relation to the ECB Centralised submission platform:
- name
- contact details (email address)
- user id
- employment details: organisation/institution
Where are your data processed and stored?
Your data are/will be processed within the internal ECB network and stored in an on-premises database in the ECB (that is, in the database of the ECB Centralised submission platform), in the log files on the ECB network drive, in the data lab of the platform’s control team and in the authentication systems IAM and ECB Identity Portal.
How long will the ECB keep personal data?
User accounts and all personal data in the ECB Centralised submission platform will be kept in accordance with the retention policy of the authentication systems IAM and ECB Identity Portal. Personal data will be retained in IAM for as long as a user is active on the platform. If a user is declared to be inactive, data related to roles/permissions are cleared immediately, the data related to identity remain stored in a dedicated archive LDAP folder. Other data relating to audit logs, accesses, activities, etc. are cleared after 6 months. Once a user account is removed from IAM and ECB Identity Portal, the associated data will be removed from the user management function in the ECB Centralised submission platform. The audit logs will be deleted either in accordance with the retention period defined by the ECB collection owner for a given data set, or upon the data subject’s request at any time.
For more information on the ECB Identity Portal retention policy, please consult the Privacy Statement for the ECB Identity Portal and the OneWelcome Privacy Policy.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data, to object to or to restrict the processing of your personal data in line with Regulation (EU) 2018/1725.
Who can you contact in case of queries or requests?
You can exercise your rights by contacting the team responsible for the ECB Centralised submission platform at statistics@ecb.europa.eu. You can also contact the ECB’s Data Protection Officer directly at dpo@ecb.europa.eu regarding all queries relating to personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.