Privacy statement for T2
T2 is the real-time gross settlement (RTGS) system owned and operated by the Eurosystem. Central banks and financial institutions can submit payment orders in euro to T2, where they are processed and settled in central bank money, i.e. money held in an account with a central bank.
Furthermore, T2 settles payments related to the Eurosystem’s monetary policy operations, transactions stemming from other financial market infrastructures and payments exchanged between participants.
The vast majority of payments processed in T2 originate from financial institutions. Payments may either correspond to transactions between financial institutions for their own account (i.e. bank-to-bank payments) or to transactions instructed by financial institutions for their non-bank clients such as corporate or natural persons.
T2 provides liquidity management services to participants, who can monitor their accounts and their outward or inward transactions via a specific graphical user interface (GUI). Access to the GUI is limited to duly authorised T2 users. T2 users are natural persons, typically employees of central banks or of participants.
T2 is legally structured as a multiplicity of payment systems, which make up the component systems of T2. Each central bank of the Eurosystem and the European Central Bank (ECB) operate their own T2 component system.
What is our legal framework?
All personal data are processed in accordance with European Union data protection law, which is to say in line with Regulation (EU) 2018/1725 (‘EUDPR’) in the case of the ECB, and Regulation (EU) 2016/679 (‘GDPR’) in the case of the national central banks (NCBs) or any authorised financial institution participating in T2.
Why do we process personal data?
T2 processes (as defined in EUDPR/GDPR) personal data for the following purposes:
- to allow T2 participants to allocate payments in their own accounting systems to the accounts of the ordering or receiving customer, when those customers are natural persons. The accounting systems of individual T2 participants are outside the scope of T2. T2 forwards the payment messages as received from the sending financial institution to the receiving financial institution, without making any changes or truncation;
- the ECB may facilitate payment instructions on behalf of a T2 participant if this participant faces problems in performing the payment instruction themselves and instructs the ECB to act on its behalf, as agreed and authorised in the relevant contract between the T2 participant and the ECB;
- to authenticate and to validate T2 users’ identities and to control access to the T2 GUI. For this purpose, personal data of the natural persons who are T2 users are processed in T2; and
- for storage in the legal archive.
T2 performs the settlement of payments between T2 participants based on the Bank Identifier Codes (BICs) of the T2 participants or based on their account numbers. The settlement of T2 payments does not require the usage of any personal data, but the personal data needs to be included in the instruction when either the sender, the beneficiary or both are natural persons.
Additionally, although it is not a standard market practice, it cannot be excluded or prevented that other personal data may also be included in a free format field of the transaction message.
Personal data are not required to settle payment instructions in T2; therefore, any personal data present in a payment instruction are merely passed through. In line with the EUDPR/GDPR, this implies that T2 processes any personal data present in the payment instruction.
If duly authorised authorities, e.g. duly authorised legal enforcement authorities, raise a legitimate access request for T2 data, the access to the requested data may include access to personal data if personal data is present in the requested payment instruction.
What is the legal basis for processing your personal data?
Your personal data are processed, in accordance with Article 22 of the Statute of the European System of Central Banks and of the European Central Bank, by the Eurosystem (comprising the ECB and the euro area NCBs) and the non-euro area NCBs (applicable once they have joined T2) participating in T2. Furthermore, the processing of personal data is based on:
- Article 6(1)(a) GDPR (in relation to euro area NCBs and any participating non-euro area NCBs in T2);
- Article 5(1), points (a), (b) and (c) of the EUDPR in relation to the ECB; and
- the corresponding relevant provisions in the legislation relating to the non-euro area NCBs.
These provisions stipulate that personal data may be processed to perform a task that is in the public interest or as part of the exercise of official authority vested in the controller, or necessary to fulfil contractual obligations.
Regarding personal data processed in T2, a joint controllership exists, comprising (i) the ECB and the euro area NCBs and (ii) the non-euro area NCBs participating in T2. For the purpose of processing personal data in T2, the ECB and the euro area NCBs, as well as the non-euro area NCBs participating in T2 are Joint Controllers under Article 28 EUDPR and Article 26 GDPR. Information on personal data and data subjects exercising their rights should only be shared within the joint controllership. Data subjects may exercise their rights under Articles 15 to 18 GDPR and Articles 17 to 20 EUDPR, by contacting any of the T2 Joint Controllers.
Who is responsible for processing your personal data?
The ECB operates the ECB component of T2. Therefore, as any T2 controller, the ECB is responsible for processing personal data in T2 in relation to:
- the personal data that any Joint Controller or their authorised parties forward or receive from T2 as a part of the payment message; and
- the personal data of T2 authorised users of the GUI.
This includes the obligation to handle data subjects’ requests in the exercise of their rights and the processing of personal data breaches, also if a third party is entrusted by a Joint Controller with the processing of T2 transactions.
The responsibilities of the Joint Controllers (i.e. data collection, access rights management, etc.) are formally defined in a joint controllership arrangement. This also facilitates the exercise of data subjects’ rights by defining and implementing the means of providing information to the data subjects. Each Joint Controller or authorised party participating in T2 is also responsible for the protection of personal data belonging to their system component. In the event that a Joint Controller assigns the processing of personal data to a third party, the assigning Joint Controller will remain responsible for compliance with the obligations set out in the EUDPR and the GDPR, as applicable. There has been no such assignment to a third party within T2 to date.
Data subjects can access any T2 Joint Controller, or address their request to it, in order to exercise their rights.
Who will be the recipients of your personal data?
The recipients of your personal data (including entities that have access to that personal data) will be the Joint Controllers or their participants, who will process the data according to their internal organisational rules.
What categories of personal data are collected?
T2 payment messages are based on the standard ISO transaction message and include information relating to both the ordering and the beneficiary customers of the respective sending and receiving T2 participants. If either the ordering or the beneficiary customer or both are natural persons, personal information such as name and account number will be included. Other personal data could (but do not need to) be included in a free format field of the standard ISO transaction message. Therefore, different categories of personal data could be included in a T2 settlement instruction.
Will your personal data (in a clear or encrypted form) be processed (e.g., transferred, accessed or stored) in third countries or by international organisations?
No, your personal data will not be processed (e.g. transferred, accessed, or stored) in third countries or by international organisations.
How long will the Joint Controllers keep personal data?
Your personal data are stored within T2 for a maximum duration of ten years for legal evidence and fiscal purposes, as required by relevant national laws and regulations.
What are your rights?
You have the right to access your personal data and request a correction of any personal data that is inaccurate or incomplete. You also have (within the limitations imposed by national laws and regulations) the right to request the deletion of your personal data and to object or to restrict the processing of your personal data in line with the GDPR or the EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR and other Joint Controllers may restrict such rights in accordance with Article 23(1) GDPR.
In line with Article 28(1) and (3) EUDPR and Article 26(1) and (3) GDPR you can exercise your rights in respect of and towards each of the Joint Controllers.
Who can you contact for queries or requests?
You can exercise your rights by contacting any of the Joint Controllers at the contact points mentioned on the respective websites. The Joint Controller(s) may provide you with a form to clarify your request.
Regarding the ECB, you can also directly contact MIP-Compliance@ecb.europa.eu and the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.
Addressing the European Data Protection Supervisor, supervisory authority concerned or national supervisory authority
If you consider that your rights under the GDPR or EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint at any time with:
- the European Data Protection Supervisor; or
- the supervisory authority concerned as defined in Article 4(22) GDPR or the national supervisory authority as defined in Article 3(22) EUDPR. A list of these authorities is available on the European Data Protection Board’s website.