What is our legal framework?
All personal data are processed in accordance with European Union Data Protection Law, that is to say in line with Regulation (EU) 2018/1725 ('EUDPR’).
Why do we process personal data?
Personal data are processed for the authentication and identification of the users. Personal information is a mandatory requirement in order to create accounts for users to access the platform and securely authenticate. The personal information is collected via the authentication systems Identity and Access Management (IAM) or ECB Identity Portal. These data are automatically synchronised between IAM or ECB Identity Portal and the centralised submission platform in order to allow the basic functionalities of the system (provide access to different data collections and ensure traceability of the access to each data collection and reporting entity).
What is the legal basis for processing your personal data?
Your personal data are processed by the ECB in the performance of a task in the public interest, based on Article 5(1)(a) EUDPR in conjunction with Protocol (No 4) on the Statute of the European System of Central Banks and the European Central Bank and Article 6 of Council Regulation (EU) No 1024/2013.
Who is responsible for processing your personal data?
The ECB is the controller for the processing of the personal data. The Directorate General Statistics and the Directorate General Information Systems are responsible for the processing. In addition, the data is processed by Amazon Web Services EMEA SARL, as sub processor for the ECB.
Who will be the recipients of your personal data?
The recipients of the data (including entities who have access to that personal data) are user administrators who are designated ECB staff members, designated NCB or NCA staff members in the ESCB or SSM context, user administrators from external organisations (i.e private companies/banks, universities) and the data subjects themselves.
What categories of personal data are collected?
The ECB processes the following personal data
- Contact details (email)
- User id
- Employment details: Organisation/Institution
Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?
Your data are processed within the internal ECB network, stored in ECB on-premises systems, as well as by third parties, providing infrastructure and platform services to the ECB, including data centres, network and operational services (public cloud Infrastructure and Platform services). In particular, your data are processed by Amazon Web Services EMEA SARL, as sub processor for the ECB, hosting the database for the ECB Centralised submission platform, as well as the system to store log files and the data of the platform’s control team. Hosting data centres are always located in the EU. Data is encrypted in transit and at rest with encryption keys managed by the ECB. Your data are also processed and stored in the authentication systems (IAM and ECB Identity portal) used to login to the Centralised Submission Platform.
Your personal data will be also processed in third countries or by international organisations based on appropriate safeguards (pursuant to Article 48 EUDPR). These are provided by:
- Standard Contractual Clauses (SCCs);
How long will the ECB keep personal data?
User accounts and all personal data in the ECB centralised submission platform will be kept in accordance with the retention policy of the authentication systems IAM and ECB Identity Portal. Personal data will be retained in IAM for as long as a user is active on the platform. If a user is declared to be inactive, data related to roles/permissions are cleared immediately, and the data related to identity will remain stored in a dedicated archive Lightweight Directory Access Protocol (LDAP) folder. Other data relating to audit logs, accesses, activities, etc. are cleared after 6 months. Once a user account is removed from IAM and ECB Identity Portal, the associated data will be removed from the user management function in the ECB Centralised submission platform. The audit logs will be deleted either in accordance with the retention period defined by the ECB collection owner for a given data set, or upon the data subject’s request at any time.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data, to object or to restrict the processing of your personal data in line with the EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR.
Who can you contact in case of queries or requests?
You can exercise your rights by contacting the responsible team of the centralised submission platform at firstname.lastname@example.org. You can also directly contact the ECB’s Data Protection Officer at email@example.com regarding all queries relating to personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.