Privacy statement for Microsoft Power BI

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725 (the “EUDPR”)[1] and Decision ECB/2020/28[2].

These legal instruments provide the framework that defines the ECB’s obligations and data subjects’ rights regarding personal data processing.

Why do we process personal data?

Power BI is used by the ECB as an analytics and reporting tool, essential for generating insights, making informed decisions and efficiently managing various administrative and operational processes. In certain cases, reports or dashboards created within Power BI may contain personal data.

In these cases, personal data are processed to ensure accurate reporting and improve services. This processing may involve storing and analysing data and using these data to produce reports.

What is the legal basis for processing your personal data?

The processing of personal data using Power BI at the ECB is firmly grounded in Article 5(1)(a) of the EUDPR, which authorises data processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the ECB. This legal basis is reinforced by Article 12.1 of the Statute of the European System of Central Banks (ESCB) and the ECB, which mandates that the ECB takes the decisions necessary to ensure the performance of the tasks entrusted to the ESCB. Recital 22 of the EUDPR further clarifies that the processing of personal data for the performance of tasks carried out in the public interest includes data processing necessary for the management and functioning of European Union institutions, such as the ECB.

The ECB’s use of Power BI directly supports the fulfilment of its mandate by facilitating effective internal administration, robust management reporting and informed decision-making, all of which are crucial for the ECB’s institutional tasks and are carried out in the public interest.

Consequently, personal data processing in Power BI is carried out on a robust legal footing, fully compliant with the EUDPR, supported explicitly by the ECB’s governance framework outlined in Decision ECB/2020/28, and reinforced by the statutory authority established in Article 12.1 of the Statute of the ESCB and ECB.

Who is responsible for processing your personal data?

The ECB’s Directorate General Information Systems (DG/IS), as the data controller, is responsible for processing your personal data in accordance with the EUDPR. DG/IS ensures that your personal data are handled lawfully, transparently and in line with the purposes outlined in this privacy statement.

Microsoft acts as the data processor for Power BI, processing personal data on behalf of the ECB under the terms of the data processing agreement concluded between the ECB and Microsoft. This agreement ensures that Microsoft complies with all applicable data protection laws. This approach is explicitly supported by Recital 51 of the EUDPR, which underlines the ECB’s obligation to only use processors that provide sufficient guarantees to implement the technical and organisational measures required by the EUDPR. Additional operational support is provided by designated service providers and performed under the ECB’s strict supervision.

Who will be the recipients of your personal data?

Access to personal data within Power BI is restricted to authorised individuals on a need to know basis. Your personal data will be processed by the following recipients.

  • Report creators and designated report viewers may have access to personal data presented within Power BI dashboards and reports, depending on the nature of the data included. Access to all kinds of data in reports (including personal data) is strictly controlled and subject to role-based permissions. Personal data will be aggregated or anonymised where possible to limit the likelihood of individuals being identified from the reports.
  • The IT support team in DG/IS and their designated external providers may access a limited set of personal data (for example, IP addresses or group membership details) to support users and troubleshoot issues, strictly on a need to know basis. They will never have access to user-generated content (such as the data contained within the reports).
  • Microsoft and its sub-processors, as the service providers, may access a limited set of personal data (for example, IP addresses or group membership details) for technical support or maintenance purposes, strictly on a need to know basis. Microsoft policy ensures that its technicians do not have standing access to ECB data, and any sub-processors are only allowed to access aggregated or pseudonymised service-generated data. They will never have access to user-generated content (such as the data contained within the reports).
  • The ECB Digital Security team may process personal data solely to investigate, mitigate and resolve issues in the event of a security incident. This access is performed under strict supervision and in full compliance with ECB security policies.

Where access to your personal data is required to facilitate the exercising of your rights under the EUDPR, this is restricted to authorised personnel, ensuring that minimal personnel are involved.

What categories of personal data are collected?

  1. Power BI reports generally present aggregated or economic data without identifying individuals. However, certain reports, for example those designed for Human Resources or similar administrative purposes, may include personal data. Examples of personal data that may be presented in such reports include an individual’s full name, contact details, email address, staff identification number, job title, department, office location, telephone number, date of birth or similar information. Report creators must clearly indicate in their disclaimer if personal data are presented, along with a link to the ECB’s privacy statement.
  2. If a Power BI report includes special categories of personal data (sensitive personal data), such as information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health or sexual orientation, additional protection measures are required. In these situations, this privacy statement does not apply and a dedicated privacy statement and explicit disclaimer must be provided. This responsibility lies with the report creator.
  3. User identification details. Power BI automatically collects certain user information, such as username and email address, strictly for authentication and access control purposes. This collection is essential for managing user access rights and permissions.
  4. IP address and associated metadata. The system collects users’ IP addresses and associated metadata when accessing Power BI reports and dashboards. This information is primarily used for technical purposes, such as ensuring system security, troubleshooting issues and enhancing service performance.

Will your personal data be processed in third countries or by international organisations?

Microsoft acts as the data processor for your personal data, which will be processed within the EU Data Boundary (EUDB) under the terms of the data processing agreement between the ECB and Microsoft. This ensures that your data are stored and processed within the EU, in compliance with applicable data protection laws. You can find more information about the EUDB, and the services to which it applies, on Microsoft’s website.

In exceptional cases (such as a global security incident), your personal data may be processed by Microsoft in third countries that have received an adequacy decision from the European Commission (pursuant to Article 47 of the EUDPR). Any processing outside the EUDB will be well documented.

In exceptional circumstances, your personal data might be processed in third countries or by international organisations based on the derogations for specific situations set out in Article 50(1) of the EUDPR.

How long will the ECB keep personal data?

The retention period for personal data processed in Power BI depends on the specific purpose for which the data were collected. Personal data included in reports or datasets will be retained only for as long as necessary to fulfil the related business needs. Once the data are no longer required, they will be securely deleted.

Other types of service-generated data are kept for the ECB’s standard retention periods:

  • metadata required for system operations are retained for up to 180 days;
  • personal data linked to terminated user accounts are retained for a maximum of 90 days after termination of the account before being deleted;
  • in the event of contract termination, all personal data are deleted within 90-180 days, in line with the data processing agreement concluded between the ECB and Microsoft.

What are your rights?

Under the EUDPR, you have the right to:

  • access your personal data;
  • rectify any data that are inaccurate or incomplete;
  • delete your personal data (with certain limitations);
  • object to or restrict the processing of your personal data.

The ECB may restrict your rights as a data subject where there is a risk of compromising investigations conducted by the Data Protection Officer (DPO) or endangering legal proceedings related to processing activities. These restrictions are based on specific provisions outlined in Article 3(1)(i) of Decision ECB/2022/42[3] and are reviewed every six months.

Who can you contact for queries or requests?

If you wish to exercise your rights or have questions about how your personal data are processed, you can contact the ECB’s Data Protection Officer directly at dpo@ecb.europa.eu for all queries relating to personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.

  1. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

  2. Decision (EU) 2020/655 of the European Central Bank of 5 May 2020 adopting implementing rules concerning data protection at the European Central Bank and repealing Decision ECB/2007/1 (ECB/2020/28) (OJ L 152, 15.5.2020, p. 13).

  3. Decision (EU) 2022/2359 of the European Central Bank of 22 November 2022 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s internal functioning (ECB/2022/42) (OJ L 311, 2.12.2022, p. 176).