
Privacy statement for Microsoft Teams

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (the “EUDPR”)[1] and Decision (EU) 2020/655 (ECB/2020/28)[2].

These legal instruments provide the framework that defines the ECB’s obligations and data subjects’ rights regarding personal data processing.

Why do we process personal data?

Personal data are processed in Microsoft Teams to facilitate secure and efficient communication and collaboration among ECB staff members, guest users, external partners and other third parties (such as vendors or partners) with whom the ECB collaborates through external access. This processing is essential to support our institutional and administrative tasks and is conducted strictly in line with the ECB’s data protection framework.

In practice, this means that personal data are collected to enable functionalities such as internal chats, meetings, channel messages, audio and video calls, file sharing, co-authoring of documents, recording and transcribing of meetings, use of digital whiteboards and other interactions for work purposes.

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB strictly in the performance of its official functions and tasks carried out in the public interest. This processing is firmly grounded in Article 5(1)(a) of the EUDPR, which authorises data processing that is necessary for the performance of a task carried out in the public interest. This is explicitly confirmed by Recital 22, which recognises the legitimacy of the ECB’s management and administrative functions, and is further reinforced by Article 12.1 of the Statute of the European System of Central Banks and the European Central Bank.

The ECB’s adoption and use of collaboration tools like Microsoft Teams is in line with its responsibility to organise its work efficiently in the public interest and is fully supported by Decision ECB/2020/28, which outlines how the ECB should manage personal data in the context of its official tasks.

This Decision sets out comprehensive internal rules and governance protocols which ensure that all personal data processed through Teams are managed securely, proportionately and in strict accordance with the ECB’s data protection obligations. It mandates robust safeguards and accountability measures, thereby reinforcing the ECB’s legal framework for data processing.

All personal data processed in this way are therefore processed on a solid legal footing, as required by the EUDPR and the ECB’s governance framework.

Who is responsible for processing your personal data?

The ECB’s Directorate General Information Systems (DG/IS), as the data controller, is responsible for processing your personal data in accordance with the EUDPR. DG/IS ensures that your personal data are handled lawfully, transparently and in line with the purposes outlined in this privacy statement.

Microsoft acts as the data processor for Microsoft Teams, processing personal data on behalf of the ECB under the terms of the data processing agreement concluded between the ECB and Microsoft. This agreement ensures that Microsoft complies with all applicable data protection laws. This approach is explicitly supported by Recital 53 of Regulation (EU) 2018/1725, which underlines the ECB's obligation to select only processors providing sufficient guarantees to implement appropriate technical and organisational measures. Additional operational support is provided by designated service providers, strictly under the ECB’s supervision.

Who will be the recipients of your personal data?

Access to personal data within Microsoft Teams is restricted to authorised individuals on a need-to-know basis. Your personal data will be processed by the following recipients.

  • Meeting organisers have access to meeting details such as the names and emails of the participants.
  • Meeting participants may have access to meeting chats and shared content, including the attendee list and any recordings or transcriptions made during the meeting. If a meeting is recorded, participants are notified in advance and the recording is shared with the participants of the meeting unless configured otherwise by the organiser.
  • Members of teams or group chats, including external guests or users from federated domains, will have access to the instant messages, files and collaborative content associated with the team or chat. Access is granted to external parties in accordance with ECB security policies, ensuring that they can only see what is necessary for their collaboration. Additionally, all users within these environments will be able to view key profile information, such as name, email address, job title, department and current status, to facilitate clear identification and effective communication among participants.
  • The IT support team in DG/IS and their designated external providers may access a limited set of personal data (for example, IP addresses or group membership details) to support troubleshooting and user support, strictly on a need-to-know basis. They will never have access to user-generated content (such as the content of Teams chats).
  • Microsoft and its sub-processors, as the service providers, may access a limited set of personal data (for example, IP addresses or group membership details) for technical support or maintenance purposes, strictly on a need-to-know basis. Microsoft policy ensures that its technicians do not have standing access to ECB data, and any sub-processors are only allowed to access aggregated or pseudonymised service-generated data. They will never have access to user-generated content (such as the content of Teams chats).
  • The ECB Digital Security team may process personal data solely to investigate, mitigate and resolve issues in the event of a security incident. This access is performed under strict supervision and in full compliance with ECB security policies.

Where access to your personal data is required to facilitate the exercising of your rights under the EUDPR, this is restricted to authorised personnel, ensuring that minimal personnel are involved.

What categories of personal data are collected?

  • On behalf of its staff and ECB guests, as well as external users who do not have an ECB email account but are federated with the ECB Microsoft Teams tenant, the ECB updates the tenant with an initial set of data to ensure users can connect, log on and use the platform effectively.
  • For ECB staff members, this set of data includes (but is not limited to):
      • username;
      • first name;
      • surname;
      • email address;
      • organisational unit;
      • phone extension;
      • mobile number;
      • office number.
  • For European System of Central Banks (ESCB) and European banking supervision guests, this set of data includes:
      • username;
      • first name;
      • surname;
      • email address;
      • organisation.
  • For external users federated with the ECB tenant, this set of data includes:
      • first name;
      • surname;
      • email address;
      • organisation and department.
  • In addition to this initial dataset, personal data are further generated as users interact within the Microsoft Teams environment. While collaborating, all participants (including ECB staff, guest users and external federated users) may create and upload content that is processed and stored on the platform. Such user-generated content may include, but is not limited to, chat and channel records (instant messaging conversations), images, videos, audio files, documents, meeting notifications, meeting recordings, meeting transcripts and intelligent recaps.
  • All members of teams or group chats (including external guests and users from federated domains) can access shared content such as instant messages, files and collaborative materials linked to the team or chat. In these settings, users are able to view key profile information, including name, email address, job title, department and current status, to ensure all participants can clearly identify and communicate effectively with each other.
  • Users are expected to adhere to ECB policies when sharing any additional personal data within Teams.

Will your personal data be processed in third countries or by international organisations?

Microsoft acts as the data processor for your personal data, which will be processed within the EU Data Boundary (EUDB) under the terms of the data processing agreement between the ECB and Microsoft. This ensures that your data are stored and processed within the EU, in compliance with applicable data protection laws. You can find more information about the EUDB, and the services to which it applies, on Microsoft’s website.

In exceptional cases (e.g. a global security incident), your personal data may be processed by Microsoft in third countries that have received an adequacy decision from the European Commission (pursuant to Article 47 of the EUDPR). Any processing outside the EUDB will be well documented.

In exceptional circumstances, your personal data might be processed in third countries or by international organisations based on the derogations for specific situations set out in Article 50(1) of the EUDPR.

How long will the ECB keep personal data?

General retention policy: the ECB’s Filing and Retention plan governs how long personal data are kept, ensuring that they are not retained longer than necessary. The specific retention period depends on the processing purpose and the business case for which the data were originally collected.

Chat and channel messages are stored for a period of one year. Any content accessed or edited via Microsoft Teams has a defined retention period of one year, starting from the last modification date within the Microsoft Teams environment.

Service-generated data (metadata needed for system operations) are kept for up to 180 days.

When a user account is terminated, personal data are retained for a maximum of 90 days before deletion.

If the user (or the ECB, acting on the user’s behalf) deletes the data, Microsoft removes all copies of the personal data within 30 days.

If the ECB terminates its contract with Microsoft, all personal data are deleted within 90 to 180 days after service termination, in line with the data processing agreement.

What are your rights?

Under the EUDPR, you have the right to:

  • access your personal data;
  • rectify any data that are inaccurate or incomplete;
  • delete your personal data (with certain limitations);
  • object to or restrict the processing of your personal data.

The ECB may restrict your rights as a data subject where there is a risk of compromising investigations conducted by the Data Protection Officer or endangering legal proceedings related to processing activities. These restrictions are based on specific provisions outlined in Article 3(1)(i) of Decision ECB/2022/42[3] and are reviewed every six months.

Who can you contact for queries or requests?

If you wish to exercise your rights or have questions about how your personal data are processed, you can contact the ECB’s Data Protection Officer directly at dpo@ecb.europa.eu for all queries relating to personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.

  1. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

  2. Decision (EU) 2020/655 of the European Central Bank of 5 May 2020 adopting implementing rules concerning data protection at the European Central Bank and repealing Decision ECB/2007/1 (ECB/2020/28) (OJ L 152, 15.5.2020, p. 13).

  3. Decision (EU) 2022/2359 of the European Central Bank of 22 November 2022 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s internal functioning (ECB/2022/42) (OJ L 311, 2.12.2022, p. 176).