Privacy statement for the ECB’s Identity Governance and Access Management (IGAM)
Identity Governance and Access Management (IGAM), a central tool to manage access rights and identities for roles and entitlements, implements a set of solutions with the aim of improving information technology (IT) security at the ECB.
What is our legal framework?
All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (‘EUDPR’).
Why do we process personal data?
Personal data are processed
- to ensure IT security for the ECB, namely to ensure secure identity and access management in accordance with the relevant European System of Central Banks and Single Supervisory Mechanism policies and guidelines
- to provide users access to the ECB’s IT resources. This includes but is not limited to the initial login for the ECB’s infrastructure as well as access to any systems that leverage this initial account, such as the ECB’s intranet, file storage and DARWIN
- to support users having difficulties logging in to the ECB’s IT resources
Due to the specific requirements of certain ECB applications, user information may be forwarded by IGAM to systems not hosted by the ECB, such as Microsoft Azure. Each system owner is responsible for such synchronisation within the scope of the relevant privacy statement or record of processing activity of the application receiving IGAM data.
What is the legal basis for processing your personal data?
Your personal data are processed by the ECB in the performance of IT security tasks carried out in the public interest, based on Article 5(1)(a) of the EUDPR in conjunction with Recital 22 of the EUDPR.
According to Recital 22 of the EUDPR, the processing of personal data for the performance of tasks carried out in the public interest by the Union institutions and bodies includes the processing of personal data necessary for the management, functioning and IT security of those institutions and bodies. IGAM supports the daily tasks through the identification, authentication and authorization of users to maintain IT security, as stated on page 55 of the functions paper of DSS: perform security operational tasks of Identity and Access Management.
Who is responsible for processing your personal data?
The ECB is the controller for the processing of the personal data. The Digital Security Services Division is responsible for the processing. DSS uses external providers to process personal data on our behalf and according to our instructions:
- Oracle
- Cassidian Cybersecurity SAS
- ATOS Benelux
- Unisys
Who will be the recipients of your personal data?
The recipients of your personal data (including entities who have access to that personal data) are, depending on the data type, the designated staff of the ECB and/or external providers:
- Directorate General Information Systems Service Desk (DG-IS SD)
- Directorate General Information Systems Field Services (DG-IS FS)
- Digital Security Services (DSS)
- ECB managers
- Delegates of ECB managers as appointed within IGAM for approvals and/or requests
- Special IT Support (SITS)
- other ECB IT Services as required by the application, e.g. the ECB’s people directory
What categories of personal data are collected?
The ECB processes the following personal data:
- Name (as of ISIS information)
  - First Name – ECB IT Services as required
  - Preferred First Name – ECB IT Services as required
  - Last Name – ECB IT Services as required
  - Preferred Last Name – ECB IT Services as required
  - Middle Name – ECB IT Services as required
  - Display Name – ECB IT Services as required
- ECB Identifiers
  - ISIS Employee Number – DG-IS SD, SITS, DG-IS FS, DSS, ECB Managers
  - IGAM User Login – ECB IT Services as required
  - ECB01 Globally Unique Identifier – ECB IT Services as required
  - E-mail (by IGAM) – ECB IT Services as required
- Contact Details (as of ISIS information)
  - ECB Mobile Phone – ECB IT Services as required
  - Fax – ECB IT Services as required
  - Telephone Number – ECB IT Services as required
  - Telephone Number II – ECB IT Services as required
  - Personal Telephone Number – DG-IS SD, SITS, DG-IS FS and DSS
  - Personal Email – DG-IS SD, SITS, DG-IS FS and DSS
  - Shipping Address (optional field) – DG-IS FS and DSS
- Employment Details (as of ISIS information)
  - Employee Type – DG-IS SD, SITS, DG-IS FS, DSS, ECB Managers
  - Employee Subtype – DG-IS SD, SITS, DG-IS FS, DSS, ECB Managers
  - Job Title Name – ECB IT Services as required
  - Salary Band – DSS
  - Organisation – ECB IT Services as required
  - Organisation SAP Code – ECB IT Services as required
  - ECB Employee Status – ECB IT Services as required
  - Identity Status – ECB IT Services as required
  - Start Date – see ECB Start Date
  - End Date – see ECB End Date
  - ECB Start Date – DG-IS SD, SITS, DG-IS FS, DSS, ECB Managers
  - ECB End Date – ECB IT Services as required
- Activity Data (as of ECB01)
  - Last Login Date – DG-IS SD, SITS, DG-IS FS, DSS, ECB Managers
Data that is provided to ECB IT Services is available to all other recipients mentioned above. Where data is made available to ECB managers, their delegates as appointed within IGAM for approvals and/or requests will receive the same data.
Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?
Your personal data will be processed at ECB premises, and IGAM reporting data will be processed in European data centres by US-based cloud providers under the safeguard of the Adequacy Decision of the European Commission.
How long will the ECB keep personal data?
Your personal data will be stored for a maximum of 10 years after the end of contract or last pension claim, except for ECB staff number and user login, which will be stored permanently due to ESCB/SSM policy requirements regarding the ECB’s public key infrastructure.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data, to object or to restrict the processing of your personal data in line with EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR.
Who can you contact in case of queries or requests?
You can exercise your rights by contacting servicedesk@ecb.int. You can also directly contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.