Privacy statement for TIPS

TARGET Instant Payment Settlement (TIPS) is a dedicated Eurosystem service for payment service providers to offer money transfers to their customers in real time every day of the year, irrespective of the opening times of their local bank. Central banks and financial institutions can submit payment orders in euro to TIPS, where they are processed and settled in central bank money, i.e. money held in an account with a central bank.

TIPS also provides liquidity management services to participants, which can monitor their accounts and their outward or inward transactions via a specific graphical user interface (GUI). Access to the GUI is limited to duly authorised TIPS users. TIPS users are natural persons, typically employees of the central banks or of participants.

TIPS is legally structured as a multiplicity of payment systems, which make up to the component systems of TIPS. Each central bank of the Eurosystem (including the ECB) operates its own TIPS component system.

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, which is to say in line with Regulation (EU) 2018/1725 (‘EUDPR’) in the case of the European Central Bank (ECB), and Regulation (EU) 2016/679 (‘GDPR’) in the case of the national central banks (NCBs) and any authorised party participating in TIPS.

Why do we process personal data?

TIPS processes (as defined in the EUDPR/GDPR) personal data for the following purposes:

• to allow TIPS participants to allocate payments in their proprietary accounting systems to the accounts of the ordering or receiving customer, as appropriate, when those customers are natural persons. The proprietary accounting systems are outside the scope of TIPS. TIPS forwards the payment messages as received from the sending financial institution to the receiving financial institution, without making any changes or truncation;
• the ECB may facilitate payment instructions on behalf of a TIPS participant if this participant faces problems in performing the payment instruction themselves and instructs the ECB to act on its behalf, as agreed and authorised in the relevant contract between the TIPS participant and the ECB;
• to authenticate and to validate TIPS users’ identities and to control access to the TIPS GUI. For this purpose, personal data of natural persons TIPS System users are processed in TIPS; and
• for storage in the legal archive.

TIPS performs the settlement of instant payments between TIPS participants based on the Bank Identifier Codes (BICs) of the TIPS participants or based on their account numbers. The settlement of TIPS instant payments does not require the usage of any personal data, but the personal data needs to be included in the instruction when either the sender, the beneficiary or both are natural persons.

Additionally, although it is not a standard market practice, it cannot be excluded or prevented that other personal data may also be included in a free format field of the transaction message.

Personal data are not required to settle payment instructions in TIPS, therefore any personal data present in a payment instruction is merely passed through. In line with the EUDPR/GDPR, this implies that TIPS processes any personal data present in the payment instruction.

If duly authorised authorities, e.g. duly authorised legal enforcement authorities, raise a legitimate access request for TIPS data, the access to the requested data may include access to personal data if personal data is present in the requested payment instruction.

What is the legal basis for processing your personal data?

Your personal data are processed, in accordance with the Article 22 of the Statute of the European System of Central Banks and of the European Central Bank, by the Eurosystem (comprising the ECB and the euro area NCBs) and the non-euro area NCBs (applicable once they have joined TIPS) participating in TIPS, Furthermore, the processing of personal data is based on:

• Article 6(1)(a) GDPR (in relation to euro area NCBs and any participating non-euro area NCBs in TIPS);
• Article 5(1), points(a), (b) and (c) of the EUDPR in relation to the ECB; and
• the corresponding relevant provisions in the legislation relating to the non-euro area NCBs.

These provisions stipulate that personal data may be processed to perform a task that is in the public interest or as part of the exercise of official authority vested in the controller, or necessary to fulfil contractual obligations.

Regarding personal data processed in TIPS, a joint controllership exists, comprising (i) the ECB and the euro area NCBs and (ii) the non-euro area NCBs participating in TIPS. For the purpose of processing personal data in TIPS, the ECB and the euro area NCBs, as well as the non-euro area NCBs participating in TIPS, are Joint Controllers under Article 28 EUDPR and Article 26 GDPR. Information on personal data and data subjects exercising their rights should only be shared within the joint controllership. Data subjects may exercise their rights under Articles 15 to 18 GDPR and Articles 17 to 20 EUDPR by contacting any of the TIPS Joint Controllers.

Who is responsible for processing your personal data?

The ECB operates the ECB component of TIPS. Therefore, as any TIPS controller, the ECB is responsible for processing personal data in TIPS in relation to:

• the personal data that any Joint Controller or their authorised parties forward or receive from TIPS as a part of the payment message; and
• the personal data of TIPS authorised users of the GUI.

This includes the obligation to handle data subjects’ requests in the exercise of their rights and the processing of personal data breaches, also if a third party is entrusted by a Joint Controller with the processing of TIPS transactions.

The responsibilities of the Joint Controllers (i.e. data collection, access rights management, etc.) are formally defined in a Joint Controllership arrangement. This also facilitates the exercise of data subjects’ rights by defining and implementing the means of providing information to the data subjects. Each Joint Controller or authorised party participating in TIPS is also responsible for the protection of personal data belonging to their system component. In the event that a Joint Controller assigns the processing of personal data to a third party, the assigning Joint Controller will remain responsible for compliance with the obligations set out in the EUDPR and the GDPR, as applicable. There has been no such assignment to a third party within TIPS to date.

Data subjects can access or address the request to any TIPS Joint Controller in order to exercise their rights.

Who will be the recipients of your personal data?

The recipients of your personal data (including entities that have access to that personal data) will be the joint controllers or their participants, that will process the data according to their internal organisational rules.

What categories of personal data are collected?

TIPS payment messages are based on the standard ISO transaction message and include information relating to both the ordering and the beneficiary customers of the respective sending and receiving TIPS participants. If either the ordering or the beneficiary customer or both are natural persons, personal information such as name and account number will be included. Other personal data could (but do not need to) be included in a free format field of the standard ISO transaction message. Therefore, different categories of personal data could be included in a TIPS settlement instruction.

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

No, your personal data will not be processed (e.g. transferred, accessed, or stored) in third countries or by international organisations.

How long will the Joint Controllers keep personal data?

Your personal data are stored within TIPS for a maximum duration of ten years for legal evidence and fiscal purposes, as required by relevant national laws and regulations.

What are your rights?

You have the right to access your personal data and request a correction of any personal data that is inaccurate or incomplete. You also have (within the limitations imposed by national laws and regulations) the right to request the deletion of your personal data and to object or to restrict the processing of your personal data in line with the GDPR or the EUDPR. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) EUDPR and other Joint Controllers may restrict such rights in accordance with Article 23(1) GDPR.

In line with Article 28(1) and (3) EUDPR and Article 26(1) and (3) GDPR you can exercise your rights in respect of and towards each of the Joint Controllers.

Who can you contact for queries or requests?

You can exercise your rights by contacting any of the Joint Controllers at the contact points mentioned on the respective websites. The Joint Controller(s) may provide you with a form to clarify your request.

Regarding the ECB, you can also directly contact MIP-Compliance@ecb.europa.eu and the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.

Addressing the European Data Protection Supervisor, supervisory authority concerned or national supervisory authority

If you consider that your rights under the GDPR or EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint at any time with:

• the European Data Protection Supervisor; or
• the supervisory authority concerned as defined in Article 4(22) GDPR or the national supervisory authority as defined in Article 3(22) EUDPR. A list of these authorities is available on the European Data Protection Board’s website.