Search Options
Home Media Explainers Research & Publications Statistics Monetary Policy The €uro Payments & Markets Careers
Suggestions
Sort by

Privacy statement for the ECB Identity Portal

Data Protection legal framework applicable to the European Central Bank

All personal data are processed in accordance with EU Data Protection Law, i.e. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39-98.

The use of the ECB Identity Portal is subject to our terms of use which constitute part of this privacy statement.

1. The European Central Bank as controller of processing personal data

The ECB is the controller for the processing of the personal data. The Division Digital Security Services in the Directorate General Information Systems (DG-IS/DSS) is responsible for the processing of personal data. These data are processed on behalf of the ECB by the secure third-party provider iWelcome. For further information please find the iWelcome privacy policy.

2. Purposes for the processing of personal data

The personal data are processed for:

  1. the identification of users interacting with the ECB via the ECB Identity Portal to access any underlying applications;
  2. the maintenance and safeguarding of the security and integrity of the ECB’s services (log data).

3. Legal basis of processing operations

Your personal data are being processed by the ECB based on one of the conditions below.

a. Because you consent to the processing by providing the personal data requested. You can withdraw your consent at any time by deleting your account. Future processing of your personal information will stop once you have withdrawn your consent by deleting your account, but prior processing will remain lawful.

b. The ECB processes the following personal data (which has been obtained by the organisation for which you are registered on the basis of Article 5(1)(a) Regulation (EU) 2018/1725):

  • first name;
  • last name;
  • email;
  • phone;
  • company ID (if required);
  • organisational affiliation;
  • connection information (e.g. IP address, browser information, etc.).

4. Recipients of the personal data

The recipients of the data are the ECB Support Center and ECB staff dealing with services leveraging the ECB Identity Portal to manage access in general for data collected under point 2(i) and the DG-IS/DSS team for data collected under point 2(ii).

5. Time limits for storing personal data

The personal data are stored until two years after the conclusion of the respective interaction with the ECB, and will then be destroyed/deleted in an appropriate manner.

6. Data subject rights

You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have the right (with some limitations) to delete your personal data or to restrict the processing of your personal data in line with Regulation (EU) 2018/1725.

7. Contact Information in case of queries and requests

You can exercise your rights by contacting the DG-IS Service Desk at servicedesk@ecb.europa.eu. For all queries relating to personal data, please contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu.

8. Addressing the European Data Protection Supervisor

If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.

Terms of use for end users

1. General information on the ECB Identity Portal

The European Central Bank (ECB) Identity Portal (hereafter “the portal”) is an online platform that performs the central identification and authentication of users of the ECB managed applications.

A user is an authenticated and authorised natural person, who has access to the portal in accordance with their role.

2. About the terms of use

The terms of use set out the rules to which the user must agree in order to use the portal. Initial agreement takes place before any users are created by the ECB. Actual use of the portal implies that the user agrees to remain bound by all the terms of use.

The current version of the terms of use is available on the portal. When a new user logs into the portal the first time, the user will be asked to acknowledge the terms of use.

To ensure the proper functioning of the portal, the ECB may at any point in time update the terms of use without giving prior notice to the user. Modified terms of use are published in the portal and enter into force automatically as of their date of publication. Existing users are alerted via email about the update of the actual terms of use.

3. Access and connection to the portal

Technical requirements for accessing the portal, as well as user management rules, are set out in the user manual. The use of the portal requires two-factor authentication. Authentication is only valid in conjunction with personalised email accounts.

Any transfer of data via the portal between the user and the ECB takes place using a secure encrypted connection. It is the responsibility of the user to verify that the user maintains the communication with the actual real site (i.e. to verify the validity of the website certificate).

4. Functioning and development of the portal

The functioning of the portal is described in the user manual which sets out, among other things, the portal functionalities associated with these processes and other features of the portal more generally.

The ECB is responsible for the operation of the portal and ensures the correct functioning of the portal as well as its IT security, including incident management. The ECB maintains the portal, reserving the right to make any changes deemed necessary to improve the functioning of the portal. In particular, it may add, modify or delete functionalities offered by the portal. It also reserves the right to suspend all or part of the services offered by the portal without prior notice, in particular for security reasons or for any other reason deemed necessary.

The ECB reserves the right to make changes in the portal in the event of (national) legislative or regulatory changes.

In of the event of the unavailability of the portal, the ECB organises a timely intervention and puts in place service continuity measures. The unavailability of the portal shall not give rise to any pecuniary compensation from the ECB towards the users and the entities.

The ECB shall not be held liable in case of the following events:

  • delay or non-performance of their obligations under these terms of use which would be the consequence of an event constituting force majeure;
  • any errors in the content presented, or for the information provided being accurate, complete, or suitable for any specific purpose.

In the event of the unavailability of the portal, users from the ECB and from the supervised entities and the ECB shall inform each other as soon as possible and shall make their best endeavours to restore the portal to use as soon as possible.

Centralised technical support for portal users is provided by the ECB, and can be contacted via supportcenter@ecb.europa.eu.

The ECB is the copyright owner of the portal and its original content, features, and functionality. Reproduction of the portal (or parts of it) on other websites or any public or private information system is not permitted without prior written authorisation from the ECB. Printing and reusing of the content of the portal is allowed only for the own use of the user, excluding any profit-making activities.

5. Use of the portal

Users are responsible for the proper use of the portal, including confidentiality of data at their side, protection of the two-factor authentication data and correctness of any user account information.User accounts can be closed or terminated by the ECB without prior notice if any abusive behaviour is detected, such as an account hack or a data leak. The termination of an account may result in the forfeiture and destruction of all information associated with the account.User accounts that remain unused for six months will be deleted automatically after prior notice.

Users assume liability for the correctness and completeness of data submitted via the portal.

By completing the registration users acknowledge these terms of use.

6. Data protection

Personal data of users of the portal shall be processed by the ECB as data controller in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions (Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39–98).

For the purposes of granting access to the portal, as well as for audit and information management purposes, the ECB processes the users’ names and contact details, organisational affiliations (when applicable), company IDs and connection information, and data regarding users’ usage of the portal (log files) and the users’ actions taken against items (audit trail) are stored in the portal.

7. Cookies

The user is informed that each connection to the portal may lead to the automatic installation of a cookie on its browsing software.

A cookie is a small piece of information, exchanged between the portal server and the user’s computer, allowing the portal server to retrieve information on the user’s use of the portal.

Cookies are important for the proper functioning of the portal. They manage the connection information and provide a secure connection. Cookies put in place are only used to connect and authenticate the user. Cookies are strictly necessary for the operation of the portal. The portal will not work if cookies are blocked.

8. Applicable law and settlement of disputes

These terms of use are governed by general EU administrative law. In the event of a dispute arising from the application of these terms of use, preference should be given to the conclusion of an amicable agreement between the user and the ECB.

Terms of use – supplement for Delegated User and Access Administrators

1. Glossary of these terms of use

  • Third party: a legal person that interacts with the European Central Bank (ECB).
  • User: an authenticated and authorised natural person, who, on behalf of the third party, has access to the ECB Identity Portal (hereafter “the portal”) and is assigned access rights in accordance with their role.
  • Delegated User Administrator (DUA): an authenticated and authorised natural person, who, on behalf of the third party, can announce to the ECB those users that have access to the portal on behalf of the third party.
  • Delegated Access Administrator (DAA): an authenticated and authorised natural person, who, on behalf of the third party, can assign access rights to third-party users created by the DUA, in accordance with their role.

2. Access and connection to the portal

Technical requirements for accessing the portal, as well as user management rules, are set out in the user manual. The use of the portal requires two-factor authentication. Authentication is only valid in conjunction with personalised business email accounts of domains owned by the third party.

Third parties appoint one or more DUA(s), who are responsible for creating and managing users of the portal and assigning roles to them. DUAs have to be confirmed by the third party once each year. Access for all affected third-party users will be removed if there is no valid DUA.

Depending on the interaction with ECB, the third party may or may not be asked to nominate one or more DAA(s) responsible for managing the access rights of users within selected ECB IT services.

Any transfer of via the portal between the user of the third party and the ECB takes place using a secure encrypted connection. It is the responsibility of the third party and its users to verify that the user maintains the communication with the actual real site (i.e. to verify the validity of the website certificate).

3. Specific responsibilities of DUAs

  • Creating users (and actively responding to user creation requests initiated from underlying ECB applications)
  • Maintaining user data
  • Deleting users
  • Regular review of users (user reconciliation/recertification)
  • Report to ECB on local incidents related to user management
  • Provide support to local users

4. Specific responsibilities of DAAs

  • Add local users from groups under responsibility of DAAs
  • Remove local users from groups under responsibility of DAAs
  • Annual review of group memberships
  • Report to ECB on local incidents related to group management
  • Provide support to local users

5. Use of the portal

Third parties are responsible for the proper use of the portal by their DUAs, DAAs and users (as applicable), including confidentiality of data on the part of the third party, protection of the two-factor authentication data, correctness of any user account information and assignment access rights in line with need-to-know requirements.

The ECB reserves the right to approach third-party DUAs in case creation of certain users is required from ECB’s perspective.

User accounts can be closed or terminated by the ECB without prior notice if any abusive behaviour is detected, such as an account hack or a data leak. The termination of an account may result in the forfeiture and destruction of all information associated with the account.

The third party has to carry out an annual review of existing users (implemented by the DUAs) and their roles (implemented by the DAAs) and report any changes to their ECB counterparty in a timely manner. Access rights held by users who have changed roles or jobs have to be adapted and users that leave the organisation need to be removed without undue delay. User accounts that remain unused for six months will be deleted automatically after prior notice.

DUAs, DAAs and their third parties assume liability for the correctness and completeness of data submitted via the portal.

By completing the registration as DUA or DAA, they acknowledge these supplementary of terms of use.