1. Introduction
The European Investment Bank (hereinafter “the EIB”) is committed to the protection personal data. The EIB collects and further processes personal data in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereinafter the “EU DPR”).
This data protection statement explains the reason for the processing, the way of collection, handling and ensuring protection of all personal data. Additionally, this statement further explains the ways in which the information is used, and the rights of the individuals concerned, that are available in relation to their personal data.
The information in relation to the processing operation EIB Group Client Portal for digital interactions with business stakeholders undertaken by the EIB is presented below.
2. Controller
The data controller is the Information Systems & Applications Division, part of Business Planning & Support Department of the European Investment Bank (the “EIB”).
3. Purpose of the processing
This data protection statement provides information regarding the processing of personal data carried out by the EIB in the course of the use of the EIB Group Client Portal by business stakeholders to interact with EIB. The EIB performs these tasks in the exercise of the authority vested to it in accordance with the Provisions of the Treaties and its Statute.
The EIB processes personal data with a view to manage the EIB Group Client Portal in a reasonable and proper manner, in accordance with applicable laws and regulations. Personal data are processed in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereafter, the EU DPR).
In the context of the use of the EIB Group Client Portal, the EIB processes the personal data for the below purpose(s):
EIB processes personal data to provide secure and relevant online services to stakeholders such as EIB Group clients, partners, and auditors. This also involves collecting and transmitting personal data to support various activities, including granting access to financial information related to contracts, exchanging mandate management reports, enabling contract-related transactions (e.g. revisions, conversions, prepayments, disbursements), facilitating document sharing, comments, and ad-hoc requests.
The processing of personal data in the context of the use of the EIB Group Client Portal does not involve the existence of automated decision-making, including profiling.
4. Legal basis of the processing
The legal basis for the processing of personal data in the context of the use of the EIB Group Client Portal is the user’s consent in the context of a contract or envisaged contract with EIB Group and public interest.
Although the EIB Group Client Portal is the preferred communication channel to be used for security and efficiency reasons, EIB Group business stakeholders are not obliged to use EIB Group Portal and can use other channel of communication such as email to contact the EIB Group.
5. Categories of data subjects
The following categories of data subjects are/may be concerned by the processing under 2:
- Clients or prospects: employees of companies, countries, financial institutions, as well as, if necessary, auditors and consultants
- Partnership clients: employees of the European Investment Fund/European Commission
- Internal users: EIB Group employees authorised to access the EIB Group Client Portal
6. What personal data does the EIB process?
The EIB processes the following categories of personal data: name, contact information (phone, email, job title, company), date of birth.
Cookies: The EIB Group Client Portal uses strictly necessary cookies for its functioning and performance:
| Cookie | Size in Bytes | Expiration | Description | Type |
|---|---|---|---|---|
| ASP.NET_SessionId (.NET)OSSESSIONID (Java) | 41 | Session | Set by the underlying technology (Microsoft ASP.NET) used to run the web application, or by OutSystems (Java). Sole Transmission | Sole Transmission |
| osVisitor | 45 | Never | The first time the end-user accesses the web server (accessing a web page from the server), a unique value is stored in this cookie. No association with actual user identity(ies) is done by OutSystems. | Strictly necessary |
| osVisit | 43 | 30 min | Each time the end-user accesses a web page and this cookie doesn't exist yet, the cookie is created and set with a unique value, representing that the visitor accessed the site. This cookie expires after 30 minutes, if the visitor leaves the web application and then returns 30 minutes later, a new session is started. No association with an actual user identity(ies) is done by OutSystems. | Strictly necessary |
| pageLoadedFromBrowserCache | 30 | Session | Ensures feedback messages are not shown again if the user clicks the back button. Required for correct behavior of apps. | Strictly necessary |
| (web screen name):(generated id):(initial tab) | 46 | Session | Used by some applications to keep the pagination state in specific web pages. | Strictly necessary |
| (User Provider Name) | 49 | 10 days | Used by the Remember Login functionality in applications. | Strictly necessary |
| (User Provider Name).sid | 56 | Session | Used in conjunction with the Session Id cookie to prevent session fixation vulnerabilities. | Strictly necessary |
| Nr1(User Provider Name) | 192 | Session | Used to enforce session expiration as needed. Contains information needed to ensure session authenticity. | Strictly necessary |
| Nr2(User Provider Name) | 99 | Session | Provides information to the application code about the user identifier via the built-in function GetUserId. Contains information needed to avoid CSRF attacks. | Sole Transmission |
| DEVICE_ORIENTATION | 26 | 360 days | Stores the orientation of the mobile device to allow OutSystems UI to implement the action GetDeviceOrientation properly. No association with actual user identities is done by OutSystems. | Strictly necessary |
| DEVICE_TYPE | 21 | 360 days | Stores the type of device being used so the framework can adjust properly in Silk UI (traditional web apps). No association with actual user identities is done by OutSystems. | Strictly necessary |
| DEVICES_TYPE | 17 | 360 days | Stores the type of mobile device in use to allow OutSystems UI Web (traditional web apps) to adjust the interface. No association with actual user identities is done by OutSystems. | Strictly necessary |
| DEVICE_BROWSER | 20 | 360 days | Stores the browser in use on the device to allow OutSystems UI to implement the action GetBrowser properly. No association with actual user identities is done by OutSystems. | Strictly necessary |
| DEVICE_OS | 12 | 360 days | Stores the device's operating system allowing OutSystems UI to implement the action GetOS properly. No association with actual user identities is done by OutSystems. | Strictly necessary |
7. Where does the EIB obtain the personal data?
Personal data is obtained directly from the data subjects.
8. To whom is the personal data disclosed?
Data is transmitted internally to the EIB relevant service to perform their business process.
The EIB may disclose personal data to the following recipients:
- Middle Office / KYC & Counterparty management / Counterparty Onboarding & KYC Unit & KYC Monitoring Unit for Onboarding and Monitoring (KYC document collection, Client Due Diligence)
- Middle Office / Intermediated Lending Division for Guarantee Portfolio Monitoring
- Middle Office / Disbursement Division for revision / conversion requests
- Relevant unit for ad-hoc requests
- For support and maintenance activities
- Business owner of the EIB Group Client Portal, namely Business Planning & Support Department / Information Systems and Applications - Business Project Development Unit
- Group Digital Office/Business Solutions Department/Lending Division/Lending Middle Office Unit
- The team performing information protection and access control activities within Group Digital Office
Also, in accordance with their user role, counterpart and contract access rights, EIB Group Client Portal users, can view activities performed by other users (e.g. Username for an activity step performed or a comment added).
9. International transfers
Personal data may be transferred to entities established outside the EU or the European Economic Area and the below mechanisms/safeguards are in place:
Standard Contractual Clauses (approved by the European Commission)
10. How long does the EIB keep personal data?
Only account-related data is retained, namely: User ID, name and contact information. It is kept as long as necessary for the purposes described in this data protection statement. The criteria determining the retention period are the following:
- User activity on the EIB Group Client Portal
- Account deactivation request
Personal account-related data is kept up to 10 years from the deactivation of an account. After this period, the only kept data is user ID, which is anonymous.
11. What are the rights of data subjects and how can they exercise them?
Data subjects’ rights are set out in sections 3 to 5 of the EU DPR.
- Data subjects have the right to obtain from the controller confirmation as to whether or not their personal data are being processed, and, if so, to access their personal data by contacting the controller or through the EIB Data Protection Officer (right of access);
- Data subjects have the right to request the controller to rectify any inaccurate data and/or have incomplete personal data completed (right to rectification);
- Data subjects have the right to request the controller to erase their personal data as per Article 19 of the EU DPR (right to be forgotten);
- Data subjects have the right to request the controller to restrict the processing of their personal data in the following cases (right to restriction of processing):
- (i) if they contest the accuracy of their data;
- (ii) if the processing of the data is unlawful and they oppose to their erasure;
- (iii) if the controller no longer needs the personal data referred to for the purposes of the processing but the data subject concerned needs them for the establishment, exercise or defence of legal claims; or
- (iv) if data subjects have objected to the processing of their data and the EIB seeks to establish whether the controller has legitimate grounds overriding data subjects’ right to restriction.
- Data subjects have the right to object to the processing of personal data, on grounds relating to their particular situation, unless the EIB demonstrates compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims;
- Data subjects have the right to receive their personal data from the EIB in a structured, commonly used and machine-readable format to allow you to transmit your data to another controller without hindrance from the EIB (right to data portability);
- When the legal basis of the processing is consent, data subjects have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- Data subjects have the right to lodge a complaint with the European Data Protection Supervisor (www.edps.europa.eu) at any time (right to lodge a complaint).
12. Contact
Should data subjects have any questions about the processing of their personal data, or wish to exercise any of the aforementioned rights, they should contact Business Planning & Support Department - Information Systems & Applications Division at group-portal-helpdesk@eib.org or the EIB's Data Protection Officer, Mr. Pelopidas Donos, by email at p.donos@eib.org or at the following address:
Mr. Pelopidas Donos European Investment Bank
98-100 Boulevard Konrad Adenauer
L-2950 Luxembourg (Grand Duchy of Luxembourg)