General information on the ECB Identity Portal

The European Central Bank (ECB) Identity Portal (hereafter “the portal”) is an online platform that performs the central identification and authentication of users of the ECB managed applications.

A user is an authenticated and authorised natural person, who, on behalf of the third party, has access to the ECB Identity Portal (hereafter “the portal”) and is assigned access rights in accordance with their role.

About the terms of use

These terms of use set out the rules governing the use of the portal. Users acknowledge that their personal data is processed as specified in the privacy statement by logging in and accessing their accounts. Initial agreement takes place before any users are created by the ECB. Actual use of the portal implies that the user remains bound by all the terms of use.

The current version of the terms of use is available on the portal. When a new user logs into the portal the first time, the user will be asked to acknowledge the terms of use.

To ensure the proper functioning of the portal, the ECB may at any point in time update the terms of use without giving prior notice to the user. Modified terms of use are published in the portal and enter into force automatically as of their date of publication. Existing users are alerted via email about the update of the actual terms of use.

Access and connection to the portal

Technical requirements for accessing the portal, as well as user management rules, are set out in the user manual. The use of the portal requires two-factor authentication. Authentication is only valid in conjunction with personalised email accounts.

Any transfer of data via the portal between the user and the ECB takes place using a secure encrypted connection. It is the responsibility of the user to verify that the user maintains the communication with the actual real site (i.e. to verify the validity of the website certificate).

Functioning and development of the portal

The functioning of the portal is described in the user manual which sets out, among other things, the portal functionalities associated with these processes and other features of the portal more generally.

The ECB is responsible for the operation of the portal and ensures the correct functioning of the portal as well as its IT security, including incident management. The ECB maintains the portal, reserving the right to make any changes deemed necessary to improve the functioning of the portal. In particular, it may add, modify or delete functionalities offered by the portal. It also reserves the right to suspend all or part of the services offered by the portal without prior notice, in particular for security reasons or for any other reason deemed necessary.

The ECB reserves the right to make changes in the portal in the event of (national) legislative or regulatory changes.

In the event of unavailability of the portal, the ECB organises a timely intervention and puts in place service continuity measures. The unavailability of the portal shall not give rise to any pecuniary compensation from the ECB towards the users and the entities.

The ECB shall not be held liable in case of the following events:

• Delay or non-performance of their obligations under these terms of use which would be the consequence of an event constituting force majeure;
• Any errors in the content presented, or for the information provided being accurate, complete, or suitable for any specific purpose.

In the event of the unavailability of the portal, users from the ECB and from the supervised entities and the ECB shall inform each other as soon as possible and shall make their best endeavours to restore the portal to use as soon as possible.

Centralised technical support for portal users is provided by the ECB and can be contacted via supportcenter@ecb.europa.eu.

The ECB is the copyright owner of the portal and its original content, features, and functionality. Reproduction of the portal (or parts of it) on other websites or any public or private information system is not permitted without prior written authorisation from the ECB. Printing and reusing of the content of the portal is allowed only for the own use of the user, excluding any profit-making activities.

Use of the portal

Users are responsible for the proper use of the portal, including confidentiality of data at their side, protection of the two-factor authentication data and correctness of any user account information. User accounts can be closed or terminated by the ECB without prior notice if any abusive behaviour is detected, such as an account hack or data leak. The termination of an account may result in its forfeiture and deletion. User accounts that remain inactivated for six months will be deleted automatically without prior notice and this includes the erasure of all information associated with an account. Log information is deleted after 12 months automatically and is only processed in case of a security breach/investigation.

Users assume liability for the correctness and completeness of data submitted via the portal.

By completing the registration users acknowledge these terms of use.

User Identity Data verification

On a yearly basis the ECB Identity Portal users will be required to confirm their identity and the need for using their account. This implies that the user account will be blocked, and users will need to reactivate their account by logging to the ECB Identity Portal within 120 days since blocking the account.

User account is deleted automatically if not reactivated within 120 days and this includes the erasure of all information associated with an account. Log information is deleted after 12 months automatically and is only processed in case of a security breach/investigation.

If an account is required after the deadline, the user will have to request a new one. Accordingly, the necessary roles will have to be assigned again.

Cookies

The user is informed that each connection to the portal may lead to the automatic installation of a cookie on its browsing software.

A cookie is a small piece of information, exchanged between the portal server and the user’s computer, allowing the portal server to retrieve information on the user’s use of the portal.

Cookies are important for the proper functioning of the portal. They manage the connection information and provide a secure connection. Cookies put in place are only used to connect and authenticate the user. Cookies are strictly necessary for the operation of the portal. The portal will not work if cookies are blocked.

Applicable law and settlement of disputes

These terms of use are governed by general EU administrative law. In the event of a dispute arising from the application of these terms of use, preference should be given to the conclusion of an amicable agreement between the user and the ECB.

Further information

For further information on how your personal data are processed for the functioning of the portal see the 3UM privacy statement.

Terms of use – supplement for Delegated Users and Access Administrators of the ECB Identity Portal

Supplementary document

This document supplements the Terms of use for end users of the ECB Identity Portal.

Glossary of these terms of use

• Third party: a legal person that interacts with the European Central Bank (ECB).
• User: an authenticated and authorised natural person, who, on behalf of the third party, has access to the ECB Identity Portal (hereafter “the portal”) and is assigned access rights in accordance with their role.
• Delegated User Administrator (hereafter “DUA”): an authenticated and authorised natural person, who, on behalf of the third party, can announce to the ECB those users that have access to the portal on behalf of the third party.
• Delegated Access Administrator (hereafter “DAA”): an authenticated and authorised natural person, who, on behalf of the third party, can assign access rights to third-party users created by the DUA, in accordance with their role.

Access and connection to the portal

Technical requirements for accessing the portal, as well as user management rules, are set out in the user manual. The use of the portal requires two-factor authentication. Authentication is only valid in conjunction with personalised business email accounts of domains owned by the third party.

Third parties appoint two or more DUAs, who are responsible for creating and managing users of the portal and assigning roles to them. DUAs have to be confirmed by the third party once each year. Access for all affected third-party users will be removed if there is no valid DUA.

DUAs are responsible for the review of access rights. Therefore, DUAs can create, modify and remove additional DUAs and DAAs in OneWelcome.

Every year DUAs are required to

• Confirm other DUAs for their institution: they confirm or reject the role for each DUA.
• Confirm the DAAs for their institution: they confirm or reject the role for each DAA.

Depending on the interaction with ECB, the third party may or may not be asked to nominate one or more DAAs responsible for managing the access rights of users within selected ECB IT services.

Every year DAAs are required to confirm which application access users have for their application.

Any transfer of data via the portal between the user of the third party and the ECB takes place using a secure encrypted connection. It is the responsibility of the third party and its users to verify that the user maintains the communication with the actual real site (i.e. to verify the validity of the website certificate).

Specific responsibilities of DUAs

• Creating users (and actively responding to user creation requests initiated from underlying ECB applications)
• Maintaining user data
• Deleting users
• Grant and revoke DUA roles within the DUAs own institution
• Regular review of users (user reconciliation/recertification)
• Yearly review of others DUAs and DAAs (admin user reconciliation/recertification)
• Report to ECB on local incidents related to user management
• Provide support to local users

Specific responsibilities of DUAs

• Add local users from groups under responsibility of DAAs
• Remove local users from groups under responsibility of DAAs
• Grant and revoke DAA roles for the application(s) that the DAAs themselves manage
• Yearly review of application users (application user reconciliation/recertification)
• Annual review of group memberships
• Report to ECB on local incidents related to group management
• Provide support to local users

Use of the portal

Third parties are responsible for the proper use of the portal by their DUAs, DAAs and users (as applicable), including confidentiality of data on the part of the third party, protection of the two-factor authentication data, correctness of any user account information and assignment access rights in line with need-to-know requirements.

The ECB reserves the right to approach third-party DUAs in case creation of certain users is required from ECB’s perspective.

User accounts can be closed or terminated by the ECB without prior notice if any abusive behaviour is detected, such as an account hack or a data leak. The termination of an account may result in the forfeiture and destruction of all information associated with the account.

The third party has to carry out an annual review of existing users (implemented by the DUAs) and their roles (implemented by the DAAs) and report any changes to their ECB counterparty in a timely manner.

The third party has to carry out reviews of existing DUAs and DAAs users every year, DUAs are responsible for the recertification process.

Access rights held by users who have changed roles or jobs have to be adapted and users that leave the organisation need to be removed without undue delay. User accounts that remain inactivated for six months will be deleted automatically without prior notice and this includes the erasure of all information associated with an account.

DUAs, DAAs and their third parties assume liability for the correctness and completeness of data submitted via the portal.

By completing the registration as DUA or DAA, they acknowledge these supplementary terms of use.