This External Privacy Notice explains what we do with your personal data from the start until the end of your relationship with EBRD.
It describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you under the EBRD Personal Data Protection Rules ("PDPR"). Your privacy is important to us, and we are committed to protecting and safeguarding your rights.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
This External Privacy Notice applies to:
- a representative, director, officer, authorised signatory, employee, agent or other natural person connected with an expert, consultant, contractor, EBRD client, tenderer or any other third party with whom we interact;
- a website user, visitor, service subscriber or survey respondent; or
an applicant for a job at EBRD (either as a member of staff or as an independent contractor).
For the purpose of the PDPR the organisation responsible for your personal data is the European Bank for Reconstruction and Development ("EBRD" or "us"), One Exchange Square, London EC2A 2JN.
We have appointed a Personal Data Management Officer to respond to any requests for information from data subjects. If you have any questions about this External Privacy Notice or how we handle your personal data, please contact the Personal Data Management Officer at firstname.lastname@example.org.
The EBRD Personal Data Protection Policy provides that EBRD shall process personal data in accordance with the following principles:
Lawfulness: personal data shall be processed in accordance with one of the express bases set out in any directive or procedure adopted by the EBRD in the implementation of the EBRD Personal Data Protection Policy;
Purpose Limitation: personal data shall be collected for one or more specified and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
Minimisation: EBRD shall endeavour, to the extent reasonably practicable, to process personal data that is relevant and limited to what is necessary in relation to the purposes for which such data is processed;
Fairness: EBRD shall act with fairness when processing personal data;
Transparency: EBRD shall process personal data in a transparent manner, subject to legitimate expressly specified exceptions set out in any directive or procedure adopted by the EBRD in the implementation of the EBRD Personal Data Protection Policy;
Security: personal data shall be protected by appropriate technical and organisational safeguards against unauthorised processing and against accidental loss, destruction or damage;
Accuracy: EBRD shall take measures to ensure that personal data it processes is as accurate as possible and updated as necessary to fulfil the purposes for which it is processed; and
Storage Limitation: EBRD shall retain personal data for the duration specified in its applicable EBRD retention schedule(s).
- Lawfulness: personal data shall be processed in accordance with one of the express bases set out in any directive or procedure adopted by the EBRD in the implementation of the EBRD Personal Data Protection Policy;
The EBRD Personal Data Protection Directive provides that EBRD shall process personal data for various purposes. This can include but are not be limited to the following:
procurement procedures and award of contracts;
performance of contracts;
administering and managing our websites;
providing services to you;
organising conferences, events and training;
client due diligence and KYC procedures;
We will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
This External Privacy Notice is non-contractual and we may amend it from time to time. Please visit this External Privacy Notice regularly if you want to stay up to date, as we will post any changes in our approach to data privacy here.
- If you are dissatisfied with any aspect of this External Privacy Notice, you may have rights which we have described where relevant.
What kind of personal data do we collect?
We collect data about you to enable us to ensure that our relationship runs smoothly.
Depending on the relevant circumstances and applicable laws and requirements, we may collect some or all of the information listed below to help us with this, where appropriate:
- Age/date of birth;
- Contact details, including your email and postal addresses, phone number and current job title or position;
- Company and business activities;
- Education details;
- Employment history;
- Nationality/citizenship/place of birth;
- Emergency contacts and, where relevant, details of any dependants;
- Referee details;
- Immigration status;
- Copy of driving license/passport;
- Financial information (where we need to carry out financial background checks);
- Social security number and any other tax-related information;
- Diversity information including racial or ethnic origin, religious or other similar beliefs, physical or mental health, sexual orientation;
- Religious affiliation (where appropriate);
- Biometric data (where appropriate);
- Health-related information;
- Child or carer arrangements;
- Details of any criminal convictions and offences (where appropriate);
- Location of workplace;
- CCTV footage and other information obtained through electronic means such as swipecard records;
- Professional affiliation;
- Extra information that you choose to tell us;
- Extra information that your colleagues choose to tell us about you;
- Extra information that your referees choose to tell us about you; and
- Extra information that we find from other third party sources.
Please note that the above list of types of personal data collected is not exhaustive.
How do we collect your personal data?
We collect your personal data in two primary ways:
- Personal data that you give to us; and
- Personal data that we receive from other sources.
Personal data you give to us
There are numerous ways that you can share your information with us. These include:
- When you complete job application forms or contact us with employment enquiries;
- When you complete a survey or a form (e.g. upon visiting our premises, or on ebrd.com);
- When you liaise with an EBRD representative in the course of conducting a business relationship with EBRD;
- When you sign up for an EBRD organised event;
- When you register to an EBRD online training, webinars, or discussions.
- When you register to the EBRD e-Procurement portal, or any other EBRD portal, website or newsletter.
- When you contact us to complain about one of our projects as part of the EBRD Independent Project Accountability Mechanism ("IPAM");
- When you contact us to request information as part of the EBRD Access to Information Policy ("AIP"); and
- When you contact us to request information or complain pursuant to the PDPR.
Personal data we receive from other sources
We also receive personal data about you from other sources. These may include:
- Information obtained about you when we searched third party sources such as LinkedIn and other job sites for potential candidates for your role;
- If you were referred to us through a recruitment agency, they may have shared personal data about you with us;
- Information obtained about you from third party service providers who undertook background checks about you on our behalf;
- Your referees may have disclosed personal data about you to us;
- Information obtained about you from the organisation you represent;
- Third party vendors/suppliers/service providers/platforms/microsite portals, used by EBRD to fulfil its business purposes or support its business activities related to you and your interaction with the EBRD.
- Other third parties (such as relevant public authorities) who may share your personal data with us;
- Information obtained about you if a third party signs up for an EBRD organised event on your behalf or as a part of a group;
- Information obtained about you if a third party raises a complaint about an EBRD project your behalf (as someone who is affected by the project) as part of the IPAM; and
- Information obtained about you if your details are provided by a third party identifying you in a project complaint process as part of the IPAM.
How do we use your personal data?
We will only process your personal data when we are permitted to do so by the PDPR. We will use your personal data in the following circumstances:
Where we have (or are going to enter into) a contractual relationship with you, to ensure the smooth running and performance of our relationship (including all of the activities that need to be undertaken in a usual relationship of that type).
Where processing your personal data is necessary: (i) for the performance of a task carried out by EBRD in the public interest; (ii) in the execution of the functions of the EBRD; or (iii) for establishing and asserting the status, privileges, immunities and exemptions of the EBRD.
To help us to comply with EBRD's policies, directives and procedures including the PDPR.
Where you give us your consent to process your personal data.
- Where we need to protect your interests (or someone else's interests).
Please see Section IV, paragraph 2 of the EBRD Personal Data Protection Directive (Lawfulness of Processing Personal Data) for further information.
Here are some more details about each of the above:
Where we have (or are going to enter into) a contractual relationship with you, to ensure the smooth running and performance of our relationship (including all of the activities that need to be undertaken in a usual relationship of that type)
To the extent that we have (or are going to enter into) a contractual relationship with you, one of the ways in which we are able to lawfully process your data is where this processing is necessary for the performance of a contract or other arrangement to which you are (or are going to be) a party. We therefore rely on this legal basis to collect or otherwise use your personal data to enable us to perform our part of our contract or other arrangement with you and our obligations to third parties, and to ensure that you are properly fulfilling your obligations to us.
We have set out below a non-exhaustive list of various ways in which we may process or use your personal data for this purpose. For a number of these purposes, it may be more appropriate, depending on the nature of the relationship that we have with you, for us to rely on an alternative lawful basis such as the performance of a task carried out by EBRD in the public interest. The below is therefore intended to be illustrative only:
- Carrying out obligations or requirements arising from the relationship between us;
- Making arrangements for the termination of our relationship with you and/or the organisation you represent;
- Keeping a record of any services that you subscribe to; and
- To admit you to an EBRD event you have signed up for.
Where processing your data is necessary: (i) for the performance of a task carried out by EBRD in the public interest; (ii) in the execution of the functions of the EBRD; or (iii) processing is necessary for establishing and asserting the status, privileges, immunities and exemptions of the EBRD
We process your personal data where it is necessary for the purposes of a task in the public interest, in the execution of the functions of the EBRD as set out in the Agreement Establishing the EBRD or for establishing and asserting the status, privileges, immunities and exemptions of the EBRD.
We have set out below a non-exhaustive list of various ways in which we may process or use your personal data for this purpose. For a number of these purposes, it may be more appropriate, depending on the nature of the relationship that we have with you, for us to rely on an alternative lawful basis such as ensuring the smooth running of our contractual relationship. The below is therefore intended to be illustrative only:
To facilitate our recruitment process, including by:
- Collecting your data from you and other sources, such as your referees;
- Assessing qualifications for a particular job or task, including decisions about promotions;
- Verifying information we have received, using third party resources (such as psychometric evaluations or skills tests), or through information requests (such as references, qualifications and potentially any criminal convictions); and
Facilitating the onboarding procedure;
Facilitating our relationship with you and/or the organisation that you represent;
Storing your details (and updating them when necessary) on our databases;
Keeping a record of your visit to our premises;
To prevent unauthorised use of our information and equipment;
To assist us with establishing, exercising or defending claims and allegations;
For administrative purposes such as business management and planning;
Running CCTV at our premises to ensure the safety and security of our staff and property; and
- For internal administrative purposes, including processing a project complaint under channels set out in the Whistleblowing Policy, the IPAM or PDPR, or fulfilling a request made by you (or on your behalf) using an online form submitted via ebrd.com.
To enable us to comply with EBRD's policies, directives and procedures, including the PDPR;
We are committed to ensuring that our processes are aligned with our internal governance framework and we may use your personal data to help us to otherwise comply with the EBRD's policies, directives and procedures and other obligations to which we are subject.
We have set out below a non-exhaustive list of various ways in which we may process or use your personal data for this purpose:
Responding to a request for information under the AIP or the PDPR;
To help us comply with the EBRD's policies, directives and procedures - where appropriate, we will use diversity information (this could be information about your ethnic background, gender, disability, age, sexual orientation, religion or other beliefs, and/or social-economic background) on an anonymised basis to decide where to concentrate efforts in order to create an inclusive working environment where everyone feels comfortable being themselves, participate in external certifications (e.g. Edge, Stonewall and the Race at Work Charter) to provide benchmarking against external organisations and help identify areas of focus to progress the diversity and inclusion agenda further;
When we need to comply with our obligation to conduct pre-employment checks using third party resources, as part of our recruitment processes, including potentially any criminal convictions;
Dealing with internal or external legal disputes involving you or third parties;
Complying with health and safety obligations; and
- Our obligations to others which are outside of the relationship that we have with you.
Where you give us your consent to process your personal data
In certain circumstances, we will be relying on your opt-in consent before we can undertake certain processing activities with your personal data. We endeavour to obtain opt-in consent as a freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you. In plain language, this means that:
You have to give us your consent freely, without us putting you under any type of pressure;
You have to know what you are consenting to – so we will make sure we give you enough information;
You should only be asked to consent to one processing activity at a time – we therefore avoid "bundling" consents together so that you don't know exactly what you are agreeing to; and
You need to take positive and affirmative action in giving us your consent – we are likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
You have the right to withdraw consent at any time in respect to any processing of your personal data based on your consent. Any withdrawal of consent does not affect the previously lawful processing of your personal data prior to the withdrawal.
- As and when we introduce any processing activities requiring your consent, we will provide you with more information so that you can decide whether you want to opt-in.
Where we need to protect your interests (or someone else's interests)
We may also use your personal data where we need to protect your interests (or someone else's interests) or where it is needed in the public interest (or for official purposes).
This may mean we need to process your personal data in order to help us to help you if you suffer from a health condition or disability.
Please note that the above list of the ways in which we use your personal data for this purpose is not exhaustive. Also, some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data, regardless of the category under which they have been listed here.
Who do we share your personal data with?
Where appropriate, we may share certain of your personal data, in various ways and for various reasons including (but not limited to) when we need to comply with EBRD's policies, directives and procedures.
Such sharing of personal data may be with the following categories of people:
- Relevant colleagues within EBRD;
- Your family and personal representatives;
- Our professional advisers;
- Individuals and organisations who hold information related to your reference or application to work with us, such as current or past employers, educators and examining bodies, immigration agencies and employment and recruitment agencies;
- Third parties, in order to comply with our obligations under EBRD's policies, directives and procedures;
- Medical professionals;
- Foreign Commonwealth and Development Office and/or other governmental authorities;
- Third party service providers who perform functions on our behalf (including insurance plan providers and professional advisers such as auditors),
- Third party outsourced IT and document storage providers where we have an appropriate processing agreement (or similar protections) in place;
- Third parties involved in, or assisting with, litigation (including legal advisers, witnesses, experts and judicial and quasi-judicial authorities); and
Third parties who we have retained to provide services such as pre-employment checks to the extent that these checks are appropriate and in accordance with EBRD's policies, directives and procedures, including the PDPR.
- We want to make sure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data to third parties where they comply with a standard of protection of personal data equivalent to at least the level of protection established by the PDPR.
How do we safeguard your personal data?
We have put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data. These include reasonable measures to deal with any suspected data breach.
We are committed to the appropriate ongoing security and confidentiality of personal data by taking all reasonable and appropriate steps to protect the personal data that we hold from accidental or unauthorised destruction, loss, alteration, disclosure or access by unauthorised persons. We do this by having in place a range of appropriate technical and organisational measures.
- There is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.
If you suspect any misuse or loss of or unauthorised access to your personal data please let us know immediately. If you think that EBRD did not process your personal data in accordance with the PDPR, you can submit a complaint to the Personal Data Review Panel in accordance with the EBRD Personal Data Complaint Review Procedure.
- For further information about EBRD's obligations in respect of the security and confidentiality of personal data, please see Section IV, paragraph 4 of the EBRD Personal Data Protection Directive, the Information Security Policy and its implementing acts.
How long do we keep your personal data for?
We may retain your personal data as long as it remains necessary in relation to the purposes for which we collected the information. The precise length of time will depend on the type of personal data, the purpose for which we have processed it and other obligations under EBRD's policies, directives and procedures that may require us to retain it for certain minimum periods. For example, we may be required to retain certain data if it might be relevant to any potential litigation.
In determining the appropriate retention period for different types of personal data, we always consider the amount, nature, and sensitivity of the personal data in question, the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we need to process it and whether we can achieve those purposes by other means (in addition of course to ensuring that we comply with our obligations under our policies, directives and procedures, as described above).
- Once we have determined that we no longer need to hold your personal data, we will delete it from our Systems.
Please note that you have various rights to your personal data, which we have set out below.
Right to access personal data
You may ask to obtain confirmation from the EBRD as to whether or not your personal data is being processed, and, where it is processed, to access certain relevant information about the data and the processing. You may also access your personal data processed by EBRD. Your rights will be subject to the restrictions on the right to access under applicable EBRD’s policies and procedures.
For more information about this right of access, and if you wish to submit a request to exercise your right of access, please refer to Section IV, paragraphs 9 and 10 of the EBRD Personal Data Protection Directive and the EBRD Data Subject Requests Procedure.
Right to rectification
In the event that you identify inaccuracies or incompleteness in the personal data that EBRD holds about you, you have the right (i) to request that the EBRD rectifies such inaccuracies; or (ii) to supplement the personal data, as appropriate, for completeness.
For more information about this right to rectification, and if you wish to submit a request to exercise your right to rectification, please refer to Section IV, paragraphs 9 and 10 of the EBRD Personal Data Protection Directive and the EBRD Data Subject Requests Procedure.
Right to lodge a complaint
In the event that you have a complaint about the processing of your personal data by the EBRD, you have the right to lodge such a complaint to the EBRD's Personal Data Review Panel within 90 days of becoming aware of the EBRD’s failure to process personal data in accordance with the PDPR.
For more information about this right to lodge a complaint, please refer to the EBRD Personal Data Complaint Review Procedure.
Please note that we may keep a record of your communications to help us resolve any issues which you raise.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during the period for which we hold your data.
How do we store and transfer your data internationally?
In connection with the purposes described in this External Privacy Notice, your personal data may be transferred to the following recipients located outside of your jurisdiction:
To other EBRD offices (including the London Headquarters and Resident Offices);
To third parties (such as advisers to EBRD and suppliers to our business or providers of benefits); and
- To a cloud-based storage provider.
Please note that some of these third parties may, in turn, transfer your data internationally.
We want to make sure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data internationally to third parties where they comply with a standard of protection of personal data equivalent to at least the level of protection established by the PDPR.
Automated Decision Making
Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.
At this stage, we do not envisage that any decisions will be taken about you using ‘Automated Decision-Making’; where this does occur, the Bank will endeavour to ensure that it occurs in accordance with the principles of the Bank’s Personal Decision Making Framework.
Cookies Notice – any cookies notice adopted by EBRD from time to time;
EBRD Data Subject Requests Procedure – the EBRD’s data subject request procedure as adopted on 20 May 2021 as amended from time to time, and any procedure adopted by EBRD as a successor to or replacement of such procedure;
EBRD Personal Data Complaint Review Procedure – the EBRD’s personal data complaint review procedure document as adopted on 20 May 2021 as amended from time to time, and any procedure adopted by EBRD as a successor to or replacement of such procedure.
EBRD Personal Data Protection Directive – the EBRD’s personal data protection directive adopted on 29 April 2021, as amended from time to time, and any directive or procedure adopted by EBRD as a successor to or replacement of such directive;
EBRD Personal Data Protection Policy – the EBRD’s personal data protection policy adopted on 20 April 2021, as amended from time to time, and any policy adopted by EBRD as a successor to or replacement of such policy;
EBRD Personal Data Protection Rules / PDPR – the EBRD Personal Data Protection Policy, the EBRD Personal Data Protection Directive, the EBRD Personal Data Complaint Review Procedure, the EBRD Data Subject Requests Procedure and any other directive or procedure adopted by EBRD, from time to time, to implement the EBRD Personal Data Protection Policy;
- Systems – includes telephone, computer, internet and Wi-Fi systems, software and portals, accounts and/or networks belonging, controlled or used by us that are used to transmit, undertake and/or receive communications or are otherwise used in the course of our activities.