- PRIVACY STATEMENT
Privacy statement for the ECBot
What is our legal framework?
All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (‘EUDPR’).
Why do we process personal data?
Individuals can engage in a dialogue with the ECBot, which is found on selected pages of the ECB and Banking Supervision websites, to receive information on ECB-related topics in real time. The complete conversation between the end user and the ECBot is stored by the data processing company IBM. As in all ‘Natural Language Processing’ chatbots, conversational data is needed to train the ECBot. ‘Natural Language Processing’ is based on deep learning, which enables chatbots to acquire meaning from inputs given by end users. It assesses the users’ intent from the input and then creates responses based on a contextual analysis, similar to a human being.
Conversations are anonymous by default. We discourage users from entering sensitive data (e.g. information about religion or health). However, if any personal or sensitive data are voluntarily provided, they will be stored for 180 days, as part of the conversation content.
Personal data, if any, are processed in order to improve the chat function, to which end the ECB analyses all conversations in an automated manner to highlight areas for future improvement.
Only natural persons who are at least 18 years old are permitted to use the ECBot.
What is the legal basis for processing your personal data?
Your personal data are processed by the ECB because you consented to this processing by using the ECBot. You may withdraw your consent at any time by contacting the ECB Chatbot Team. All processing of your personal information will stop once you have withdrawn your consent; however, any processing that has already taken place remains lawful.
Who is responsible for processing your personal data?
The ECB is the controller of the processing of the personal data. Various teams are responsible for this processing, depending on the topic of the chatbot:
- The Directorate General of Human Resources, Business Partnering Division, is responsible for the Recruitment ECBot;
- The Directorate General of Statistics, Banking Supervision Data Division is responsible for the Casper ECBot;
- The Directorate General of Communication, Public Communication Division is responsible for the Public Communication ECBot.
Who will be the recipients of your personal data?
The recipients of your personal data (including entities who have access to that personal data) are:
- The Directorate General of Human Resources, Business Partnering Division;
- The Directorate General of Statistics, Banking Supervision Data Division;
- The Directorate General of Communication, Public Communication Division;
- The Governance and Transformation Services Division.
The personal data will be stored in the IBM customer database.
What categories of personal data are collected?
By default, no personal data is collected when using the ECBot and we discourage you from including personal data in the conversation voluntarily.
Any personal data which the user chooses to include in the conversation will be stored. Personal data in the context of the conversation are provided voluntarily to the controller. The content of your conversations and the respective responses from the ECBot will be analysed.
Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?
Your personal data are processed by IBM, located in Germany and Romania, and are stored on the IBM customer database. Processing is based on the inclusion of special clauses in the contract with IBM which ensure that the company complies with EU data protection standards (European Commission's website).
How long will the ECB keep personal data?
Any personal data included in the conversations will be stored for a maximum of 180 days before it is deleted.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or to restrict the processing of your personal data in line with EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR.
Who can you contact for queries or requests?
Addressing the European Data Protection Supervisor
If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.