Privacy statement for user research conducted for a new Banking Supervision website information architecture
We at the ECB are reviewing the information architecture of the Banking Supervision website, I.e. the structure, organisation and labelling of web content, to ensure that the website is accessible and intuitive to use by all citizens. To do that, we need to study the website's end users and understand their needs and pain points.
What is our legal framework?
All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (‘EUDPR’).
Why do we process personal data?
Personal data are processed in order to conduct user research to review the information architecture of the Banking Supervision website. In particular, we process personal data to create a pool of participants and to invite them to our research activities.
What is the legal basis for processing your personal data?
Your personal data are processed by the ECB:
- in the performance of a task carried out in the public interest, based on Article 5(1)(a) of EUDPR;
- because you consented to this processing by providing the personal data requested. You may withdraw your consent at any time by contacting the Digital Publications and Websites team of the Design & Digital division in the Directorate General Communications. All processing of your personal information will stop once you withdraw your consent; however, any processing that has already taken place remains lawful.
Who is responsible for processing your personal data?
The ECB is the controller for the processing of your personal data. The Digital Publications and Websites team of the Design & Digital Division is responsible for this processing.
Who will be the recipients of your personal data?
The recipients of your personal data (including entities who have access to that personal data) are selected staff members in the Digital Publications and Websites team, as well as of our partner agency CyberDuck, based in the UK.
What categories of personal data are collected?
The ECB processes the following personal data:
- Email address
- Job role
- Type of company/organisation
- Accessibility requirements
Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?
Your personal data might exceptionally be processed in third countries/international organisations based on the derogations for specific situations set out in Article 50(1) EUDPR.
Your personal data will also be processed in third countries or by international organisations based on an adequacy decision of the European Commission (pursuant to Article 47 EUDPR), which can be found here.
How long will the ECB keep personal data?
The ECB does not keep your personal data longer than necessary for the purposes for which the data were collected. In particular, personal data are kept as long as follow-up actions on the Banking Supervision website information architecture are necessary, up to a maximum of one year, and they are deleted thereafter.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or to restrict the processing of your personal data in line with EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR.
Who can you contact for queries or requests?
You can exercise your rights by contacting the Digital Publications and Websites team. You can also directly contact the ECB’s Data Protection Officer at firstname.lastname@example.org for all queries relating to your personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.