Privacy statement for the Central Banking Internal Auditors (CBIA) survey on the procurement and selection of external auditors

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (“EUDPR”).

Why do we process personal data?

Personal data are processed for the purposes of a benchmarking study in relation to the procurement and selection of external auditors. Respondents’ names and email addresses are collected to enable the ECB to contact them in the event of further questions and/or for the exchange of further information. The data will not be published or used for any other purpose.

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB:

• in the performance of a task carried out in the public interest, based on Article 5(1)(a) of the EUDPR read in conjunction with Protocol (No 4) on the Statute of the European System of Central Banks (ESCB) and the European Central Bank and the Good Practices for the selection and mandate of External Auditors according to Article 27.1 of the ESCB/ECB Statute;
• because you consented to this processing by providing the personal data requested. You may withdraw your consent at any time by contacting the contact point mentioned below. All processing of your personal information will stop once you withdraw your consent; however, any processing that has already taken place remains lawful.

Who is responsible for processing your personal data?

The ECB is the controller for the processing of your personal data. Audit Missions Division 1 in the Directorate Internal Audit (dia-good-practices-coordination@ecb.europa.eu) is responsible for this processing.

Who will be the recipients of your personal data?

The recipients of your personal data (including entities who have access to that personal data) are selected members of staff in the Directorate Internal Audit, the ECB’s Audit Committee and members of the CBIA group.

What categories of personal data are collected?

The ECB processes the following personal data:

• names;
• email addresses;
• job titles.

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

The ECB does not foresee any transfers of your personal data to third countries or international organisations. However, your personal data might exceptionally be processed in third countries/by international organisations based on the derogations for specific situations set out in Article 50(1) of the EUDPR.

How long will the ECB keep personal data?

Your personal data will be stored for a maximum of one year after the closure of the survey before being deleted.

Please note that personal data may be held in the ECB’s archives in accordance with Decision (EU) 2023/1610 of the European Central Bank of 28 July 2023 establishing the historical archives of the European Central Bank and amending Decision ECB/2004/2 (ECB/2023/17).

What are your rights?

You have the right to access your personal data and correct any data that are inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or restrict the processing of your personal data in line with the EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) of the EUDPR.

Who can you contact for queries or requests?

You can exercise your rights by contacting us at dia-good-practices-coordination@ecb.europa.eu. You can also contact the ECB’s Data Protection Officer directly at dpo@ecb.europa.eu for all queries relating to your personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.