Privacy statement for the IT Responsible Disclosure Programme
With the introduction of the IT Responsible Disclosure Programme, IT security researchers can contact the ECB when they discover IT security vulnerabilities that affect ECB managed systems as described under the programme.
What is our legal framework?
All personal data are processed in accordance with EU Data Protection Law, that is to say in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Why do we process personal data?
With the IT Responsible Disclosure Programme, IT security researchers can report IT security vulnerabilities that affect ECB managed systems as described under the programme. When IT security researchers submit their information via email, we may receive their names and the corresponding email addresses.
What is the legal basis for processing your personal data?
Your personal data are being processed by the ECB because you consent to the processing by providing the personal data requested. You can withdraw your consent at any time by contacting IT_responsible_disclosure@ecb.europa.eu. All processing of your personal information will stop once you have withdrawn your consent, but any prior processing will remain lawful.
Who is responsible for processing your personal data?
The ECB is the controller for the processing of the personal data. The ECB Directorate General Information Systems is responsible for the processing.
Who will receive your personal data?
The recipients of the data are the staff members of the ECB Directorate General Information Systems as the team responsible for the IT Responsible Disclosure Programme.
What type of personal data are collected?
The ECB processes the following personal data:
- email address
Where are your data transferred to, processed and stored?
Your data are/will be processed by the ECB, located in Germany.
How long will the ECB keep personal data?
The personal data are stored for a maximum of 1 year before being deleted.
What are your rights?
You have the right to access your personal data and correct any data that are inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data, and to object to or restrict the processing of your personal data, in line with Regulation (EU) 2018/1725.
Who can you contact in case of queries or requests?
You can exercise your rights by contacting IT_responsible_disclosure@ecb.europa.eu. You can also directly contact the ECB’s Data Protection Officer at firstname.lastname@example.org regarding all queries relating to personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.