Privacy statement for on-site and virtual ECB Visitor Centre activities

The European Central Bank (ECB) Visitor Centre offers on-site guided visits, as well as on-site and virtual lectures (“activities”).

These activities are organised by the Directorate General Communications of the ECB and, in the case of virtual activities, hosted via an external platform, i.e. Microsoft Teams.

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, as set out in Regulation (EU) 2018/1725 (EUDPR) of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

Why do we process personal data?

Personal data are processed for organisational purposes related to virtual and on-site activities: operational management (schedule and manage activities efficiently, provide adequate level of service) and communication (send confirmations, instructions, or follow-up information about the corresponding activities).

For on-site activities, personal data are also processed for the additional purposes of ensuring access control of persons and vehicles to the ECB premises, keeping track of who is visiting the ECB and ensuring visitors’ security while they are on the ECB’s premises.

The respective data will not be used further and will not be published internally (e.g. intranet) or externally (e.g. internet).

For activities on the premises of the ECB, please see here the privacy statements for the issuance of visitor badges, security surveillance and cameras on premise, the use of thermal imaging cameras and the auto-track functionality of pan-tilt cameras, as well as the ECB house rules.

By attending an ECB activity, participants consent to having their photo taken and appearing in video and audio recordings, in addition to the publication of resulting media files on participants’ social media channels and digital platforms, on- and offline.

In case of ECB coverage on social media, please see our social media pages.

The ECB’s use of social media does not in any way imply an endorsement of individual social media sites or their privacy policies. The ECB recommends that users read the privacy policies of the sites, which explain their individual data collection and processing policies, use of data, user rights and the ways in which users can protect their privacy when using these services.

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB:

• in the performance of a task in the public interest, based on Article 5(1)(a) of Regulation (EU) 2018/1725 in conjunction with the house rules of the European Central Bank.
• because you consented to this processing by providing the personal data requested. You may withdraw your consent at any time by contacting us as indicated below. All processing of your personal information will stop once you withdraw your consent; however, any processing that has already taken place remains lawful.

Who is responsible for processing your personal data?

The ECB is the controller for the processing of your personal data. The Public Communication Division in our Directorate General Communications is responsible for this processing. ADITO acts as a sub-processor (see ADITO’s privacy statement).

Who will be the recipients of your personal data?

The recipients of the data are staff from the Public Communication Division in the Directorate General Communications and, respectively, from ADITO.

For on-site activities, the recipients of the data will also be the teams in the Directorate Administration and external security staff responsible for event and contact management, including related activities such as processing of access badges and plausibility checks.

What categories of personal data are collected?

The ECB Visitor Centre team processes the following personal data:

• title, first and last name;
• organisation (if applicable);
• age group (corresponding to the majority of the group members);
• contact details of the requester (email address, phone number);
• place of residence (country, town/city);
• disability-related information (if applicable)
• vehicle registration (if applicable)
• date and time of your scheduled visit or lecture

To attend a virtual lecture, Microsoft Teams requires attendees to provide a first name and surname (see Microsoft’s privacy statement).

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

The ECB does not foresee any transfer of your personal data to third countries or international organisations. However, your personal data might exceptionally be processed in third countries or by international organisations based on the derogations for specific situations set out in Article 50(1) EUDPR.

How long will the ECB keep personal data?

If you have requested / organised the visit on behalf of your group, your personal data required for organisational purposes will be stored for five year before being deleted.

Personal data of your group members collected for the purposes of keeping track of who is visiting the ECB’s premises are stored unitl four weeks after the event and are then automatically deleted..

Please note that personal data may be held in the ECB’s archives in accordance with Decision (EU) 2023/1610 of the European Central Bank of 28 July 2023 establishing the historical archives of the European Central Bank.

What are your rights?

You have the right to access your personal data and correct any data that are inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or to restrict the processing of your personal data in line with the EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR.

Who can you contact for queries or requests?

You can exercise your rights by contacting the Visitor Centre at visitor.centre@ecb.europa.eu. You can also directly contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.