Privacy statement for T2S

TARGET2-Securities (T2S) is a dedicated Eurosystem service providing settlement of securities transactions to signatory Central Securities Depositories (CSDs). The signatory CSDs use the cross-border, pan-European settlement system with an integrated technical environment. Therefore, the transactions can be harmonised and safely settled.

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, which is to say in line with Regulation (EU) 2018/1725 (‘EUDPR’) in the case of the European Central Bank (ECB), and Regulation 2016/679 (‘GDPR’) in the case of the national central banks (NCBs) and any authorised party participating in T2S.

Why do we process personal data?

T2S processes (as defined in the EUDPR/GDPR) personal data for the following purposes:

• to authenticate and to validate T2S users’ identities and to control access to the T2S Graphical User Interface (GUI). For this purpose, personal data of natural persons, i.e. T2S System users, are processed in T2S;
• the ECB may facilitate payment instructions on behalf of a T2S participant if this participant faces problems in performing the payment instruction themselves and instructs the ECB to act on its behalf, as agreed and authorised in the relevant contract between the T2S participant and the ECB; and
• for storage in the legal archive.

Per se, the settlement of T2S securities does not require the usage of personal data.

Additionally, although it is not a standard market practice, it cannot be excluded or prevented that other personal data may also be included in a free format field of the transaction message.

Personal data are not required to settle securities instructions in T2S, therefore any personal data present in a securities instruction is merely passed through. In line with the EUDPR/GDPR, this implies that T2S processes any personal data present in the securities instruction.

If duly authorised authorities, e.g. duly authorised legal enforcement authorities, raise a legitimate access request for T2S data, the access to the requested data may include access to personal data if it is present in the requested securities instruction.

What is the legal basis for processing your personal data?

Your personal data are processed, in accordance with the Articles 17 and 22 of the Statute of the European System of Central Banks and of the European Central Bank, by the Eurosystem (comprising the ECB and the euro area NCBs) and the non-euro area NCBs participating in T2S (once they have signed the T2S Currency Participation Agreement), and the signatory CSDs participating in T2S. Furthermore, the processing of personal data is based on:

• Article 6(1)(a) GDPR (in relation to euro area NCBs and any participating non-euro area NCBs in T2S, as well as the signatory CSDs);
• Article 5(1), points (a), (b) and (c) of the EUDPR in relation to the ECB; and
• the corresponding relevant provisions in the legislation relating to the non-euro area NCBs.

These provisions stipulate that personal data may be processed to perform a task that is in the public interest or as part of the exercise of official authority vested in the controller, or necessary to fulfil contractual obligations.

Regarding personal data processed in T2S, a joint controllership exists, comprising (i) the ECB and the euro area NCBs, (ii) the non-euro area NCBs participating in T2S and (iii) the signatory CSDs participating in T2S. For the purpose of processing personal data in T2S, the ECB and the euro area NCBs, as well as the non-euro area NCBs participating in T2S and the signatory CSDs are Joint Controllers under Article 28 EUDPR and Article 26 GDPR. Information on personal data and data subjects exercising their rights should only be shared within the joint controllership. Data subjects may exercise their rights under Articles 15 to 18 GDPR and Articles 17 to 20 EUDPR by contacting any of the T2S Joint Controllers.

Who is responsible for processing your personal data?

As any T2S Controller, the ECB is responsible for processing personal data in T2S in relation to:

• the personal data that any Joint Controller or their authorised parties forward or receive from T2S as a part of the settlement message; and
• the personal data of T2S authorised users of the GUI.

This includes the obligation to handle data subjects’ requests in the exercise of their rights and the processing of personal data breaches, also if a third party is entrusted by a Joint Controller with the processing of T2S transactions.

The responsibilities of the Joint Controllers (i.e. data collection, access rights management, etc.) are formally defined in a joint controllership arrangement. This also facilitates the exercise of data subjects’ rights by defining and implementing the means of providing information to the data subjects. Each Joint Controller or authorised party participating in T2S is also responsible for the protection of personal data belonging to their system component. In the event that a Joint Controller assigns the processing of personal data to a third party, the assigning Joint Controller will remain responsible for compliance with the obligations set out in the EUDPR and the GDPR, as applicable. There has been no such assignment to a third party within T2S to date.

Data subjects can access or address the request to any T2S Joint Controller in order to exercise their rights.

Who will be the recipients of personal data?

The recipients of your personal data (including entities that have access to that personal data) will be the Joint Controllers or their participants, that will process the data according to their internal organisational rules.

What categories of personal data are collected?

T2S settlement messages are based on the standard ISO transaction message and include information relating to both the ordering and the beneficiary customers of the respective sending and receiving T2S participants. Other personal data could (but do not need to) be included in a free format field of the standard ISO transaction message. Therefore, different categories of personal data could be included in a T2S settlement instruction.

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

No, your personal data will not be processed (e.g. transferred, accessed, or stored) in third countries or international organisations.

How long will the Joint controllers keep personal data?

Your personal data are stored within T2S for a maximum duration of ten years for legal evidence and fiscal purposes, as required by relevant national laws and regulations.

What are your rights?

You have the right to access your personal data and request a correction of any personal data that is inaccurate or incomplete. You also have (with the limitations imposed by national laws and regulations) the right to request the deletion of your personal data and to object or to restrict the processing of your personal data in line with the GDPR or the EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR and other Joint Controllers may restrict such rights in accordance with Article 23(1) GDPR.

In line with Article 28(1) and (3) EUDPR and Article 26(1) and (3) GDPR you can exercise your rights in respect of and towards each of the Joint Controllers.

Who can you contact for queries or requests?

You can exercise your rights by contacting any of the Joint Controllers at the contact points mentioned on the respective websites. The Joint Controllers may provide you with a form to clarify your request.

Regarding the ECB, you can directly contact MIP-Compliance@ecb.europa.eu and the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.

Addressing the European Data Protection Supervisor, supervisory authority concerned or national supervisory authority

If you consider that your rights under the GDPR or EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint at any time with:

• the European Data Protection Supervisor; or
• the supervisory authority concerned as defined in Article 4(22) GDPR or the national supervisory authority as defined in Article 3(22) EUDPR. A list of these authorities is available on the European Data Protection Board’s website.