
Privacy statement for the Microsoft Forms application

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (the “EUDPR”)[1] and Decision (EU) 2020/655 (ECB/2020/28)[2].

These legal instruments provide the framework that defines the ECB’s obligations and data subjects’ rights regarding personal data processing.

Why do we process personal data?

Personal data are processed to facilitate the collection of information and input from respondents to forms (including surveys, quizzes and polls) created using the Microsoft Forms application. Your personal data are used to ensure that form responses are recorded and analysed accurately, with a view to improving ECB services and understanding user needs. This may include storing and processing responses, generating reports and contacting respondents if necessary.

What is the legal basis for processing your personal data?

Article 5(1)(a) of the EUDPR authorises data processing that is necessary for the performance of tasks carried out in the public interest or under the official authority of the ECB. The ECB’s role as an EU institution means that many of its activities – including internal administration and stakeholder engagement – serve a public interest. Recital 22 of the EUDPR confirms that data processing required for the ECB’s management and functioning is considered a legitimate public-interest activity.

Microsoft Forms is used by the ECB as a secure and efficient tool to collect data from both internal and external stakeholders, as necessary for internal administration and stakeholder engagement. This use of Microsoft Forms directly supports the ECB’s public-interest tasks, as its operational and management activities are integral to fulfilling its institutional mandate.

All personal data collected in such surveys are therefore processed on a solid legal footing and fully aligned with ECB Decision (EU) 2020/655 (ECB/2020/28), as required by the EUDPR and the ECB’s governance framework.

Who is responsible for processing your personal data?

The ECB’s Directorate General Information Systems (DG/IS), as the data controller, is responsible for processing your personal data in accordance with the EUDPR. DG/IS ensures that your personal data are handled lawfully, transparently and in line with the purposes outlined in this privacy statement.

Microsoft acts as the data processor for Microsoft Forms, processing personal data on behalf of the ECB under the terms of the data processing agreement concluded between the ECB and Microsoft. This agreement ensures that Microsoft complies with all applicable data protection laws. This approach is explicitly supported by Recital 53 of Regulation (EU) 2018/1725, which underlines the ECB’s obligation to select only processors providing sufficient guarantees to implement appropriate technical and organisational measures. Additional operational support is provided by designated service providers, strictly under the ECB’s supervision.

Who will be the recipients of your personal data?

Access to personal data within Microsoft Forms is restricted to authorised individuals on a need-to-know basis. Your personal data will be processed by the following recipients.

  • The creator of the form will have access to the responses submitted by respondents. However, if the “Record Name” feature is disabled, the responses are stored in an anonymised format so that the form creator will not be able to identify the individual who submitted the response.
  • The IT support team in DG/IS and their designated external providers may access a limited set of personal data (for example, IP addresses or group membership details) to support troubleshooting and user support, strictly on a need-to-know basis. They will never have access to user-generated content (such as the actual responses in forms).
  • Microsoft and its sub-processors, as the service providers, may access a limited set of personal data (for example, IP addresses or group membership details) for technical support or maintenance purposes, strictly on a need-to-know basis. Microsoft policy ensures that its technicians do not have standing access to ECB data, and any sub‑processors are only allowed to access aggregated or pseudonymised service-generated data. They will never have access to user-generated content (such as the actual responses in forms).
  • The ECB Digital Security team may process personal data solely to investigate, mitigate and resolve issues in the event of a security incident. This access is performed under strict supervision and in full compliance with ECB security policies.

Where access to your personal data is required to facilitate the exercising of your rights under the EUDPR, this is restricted to authorised personnel, ensuring that minimal personnel are involved.

What categories of personal data are collected?

  1. Form responses may contain personal data, depending on the respondent’s input and the nature of the questions. For example, responses may include general personal data such as full name, contact details, email address, staff identification number, job title, department, office location, telephone number, date of birth and similar information. Form creators must include a clear disclaimer in the form, along with a link to the ECB’s privacy statement, to inform respondents that their submissions may contain personal data.

If your form responses contain special categories of personal data (sensitive personal data), such as information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health or sexual orientation, this requires extra protection. In such cases, this privacy statement does not apply and a dedicated privacy statement and explicit disclaimer must be provided. This responsibility lies with the form creator.

  2. Email address and username (only when “Record Name” is enabled). When the “Record Name” feature is switched on, respondents’ email address and username are automatically collected. A built-in disclaimer appears on the form, informing you that your name and email will be recorded. This disclaimer cannot be altered or hidden.

If the “Record Name” feature is disabled, the user ID is hashed, ensuring that neither administrators nor form creators can identify the respondent.

  3. IP address and associated metadata. The system collects the respondent’s IP address and associated metadata as part of the form submission process. This information is primarily used for technical purposes such as ensuring system security, supporting troubleshooting and enhancing service performance.

Will your personal data be processed in third countries or by international organisations?

Microsoft acts as the data processor for your personal data, which will be processed within the EU Data Boundary (EUDB) under the terms of the data processing agreement between the ECB and Microsoft. This ensures that your data are stored and processed within the EU, in compliance with applicable data protection laws. You can find more information about the EUDB, and the services to which it applies, on Microsoft’s website.

In exceptional cases (e.g. a global security incident), your personal data may be processed by Microsoft in third countries that have received an adequacy decision from the European Commission (pursuant to Article 47 of the EUDPR). Any processing outside the EUDB will be well documented.

In exceptional circumstances, your personal data might be processed in third countries or by international organisations based on the derogations for specific situations set out in Article 50(1) of the EUDPR.

How long will the ECB keep personal data?

General retention policy: the ECB’s Filing and Retention plan governs how long personal data are kept, ensuring that they are not retained longer than necessary. The specific retention period depends on the processing purpose and the business case for which the data were originally collected.

Service-generated data (metadata needed for system operations) are kept for up to 180 days.

When a user account is terminated, personal data are retained for a maximum of 90 days before deletion.

If the user (or the ECB, acting on the user’s behalf) deletes the data, Microsoft removes all copies of the personal data within 30 days.

If the ECB terminates its contract with Microsoft, all personal data are deleted within 90 to 180 days after service termination, in line with the data processing agreement.

Data related to forms (responses, comments, etc.) are deleted manually once the results of the form have been fully analysed.

What are your rights?

Under the EUDPR, you have the right to:

  • access your personal data;
  • rectify any data that are inaccurate or incomplete;
  • delete your personal data (with certain limitations);
  • object to or restrict the processing of your personal data.

The ECB may restrict your rights as a data subject where there is a risk of compromising investigations conducted by the Data Protection Officer (DPO) or endangering legal proceedings related to processing activities. These restrictions are based on specific provisions outlined in Article 3(1)(i) of Decision ECB/2022/42[3] and are reviewed every six months.

Who can you contact for queries or requests?

If you wish to exercise your rights or have questions about how your personal data are processed, you can contact the ECB’s Data Protection Officer directly at dpo@ecb.europa.eu for all queries relating to personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.

  1. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

  2. Decision (EU) 2020/655 of the European Central Bank of 5 May 2020 adopting implementing rules concerning data protection at the European Central Bank and repealing Decision ECB/2007/1 (ECB/2020/28) (OJ L 152, 15.5.2020, p. 13).

  3. Decision (EU) 2022/2359 of the European Central Bank of 22 November 2022 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s internal functioning (ECB/2022/42) (OJ L 311, 2.12.2022, p. 176).