Privacy Notice

In order to pursue its mandate and mission, the BIS processes information about individuals (“Personal Data”). The BIS takes your privacy seriously. This Privacy Notice describes how the BIS collects and processes Personal Data, and how, in doing so, the BIS complies with its Personal Data Protection Policy.

What kind of personal data does the BIS collect and for which purpose?

The nature of the Personal Data the BIS collects depends on your relationship with the BIS. Typically, the BIS may process the following Personal Data: contact information (eg name, email, address, postcode, phone number); online information (eg cookies and IP address, if you visit the BIS websites); or contractual information (eg personal details in relation to services provided to the BIS).

The BIS collects and processes personal data only for the legitimate purposes set out herein below and only processes the Personal Data which are relevant to achieve these purposes.

What are the principles of the BIS Personal Data Protection Policy and the legitimate purposes for which the BIS processes personal data?

The BIS processes Personal Data in accordance with the following principles:

Lawfulness, Fairness and Transparency: The BIS shall process Personal Data for legitimate purposes, in a fair and transparent manner. Legitimate purposes for the processing of Personal Data are:

• Processing is required in order for the BIS to be able to carry out its mandate and mission, purpose and functions;

• Processing is necessary in order to protect the vital interests of a natural person;

• Processing is necessary for establishing and asserting the status, privileges and immunities of the BIS or its staff members;

• Processing is required for the performance of a contract to which the BIS is a party;

• Processing is necessary for compliance with the BIS policies procedures and rules;

• Processing is required for any other activity of the BIS and the individual has given their express consent for such processing.

Purpose Limitation: Personal Data shall be collected for one or more specified and legitimate purposes, and not further processed in a manner incompatible with those purposes.

Data Minimisation: Processing of Personal Data shall be adequate, relevant and reasonably limited to what is necessary in relation to the legitimate purposes for which Personal Data is processed.

Storage Limitation: The BIS shall retain Personal Data for the duration specified in its applicable retention schedule(s) adopted by the BIS.

Accuracy: Personal Data shall be recorded as accurately as possible and, where necessary, updated to fulfil the legitimate purpose(s) for which it is processed.

Integrity and Confidentiality: Personal Data shall be recorded as accurately as possible and, where necessary, updated to fulfil the legitimate purpose(s) for which it is processed.

Accountability: The BIS has established appropriate accountability and oversight mechanisms.

How long does the BIS keep your Personal Data?

Your Personal Data will be kept for as long as necessary to fulfil the purposes for which they were collected or to comply with legal or internal policy requirements. The BIS applies criteria to determine the appropriate periods for retaining your Personal Data depending on their purpose and in accordance with the BIS retention policies.

How does the BIS protect your Personal Data?

Your Personal Data are protected by appropriate technical and organisational safeguards against unauthorized processing and against accidental loss, destruction, damage, alteration, disclosure, access, or use.

With whom and how does the BIS share your Personal Data?

The BIS may share your Personal Data with third parties (eg suppliers or service providers). The BIS will only transfer Personal Data to third parties where they comply with a standard of protection of Personal Data equivalent at least to the level of protection established by the BIS Personal Data Protection Policy.

What are your rights and how can you exercise them?

Right to access Personal Data: You may ask to obtain confirmation by the BIS as to whether or not your Personal Data is being processed, and, where they are processed. Your rights will be subject to the restrictions on the right to access under the BIS Personal Data Protection Policy.

Right to rectification: You may request correction of your Personal Data that you believe is inaccurate or incomplete.

Bank for International Settlements c/o Personal Data Protection Manager Centralbahnplatz 2 CH-4002 Basel

Right to lodge a complaint: In the event that you believe that the BIS is not processing your Personal Data in accordance in a manner described in this Privacy Notice, you have the right to lodge a complaint to the BIS’ Personal Data Complaints Panel within 60 calendar days of becoming aware of the BIS failure to process Personal Data in accordance with its Personal Data Protection Policy.

In submitting your complaint, you must provide relevant information, including, but not limited to (i) the reasons why you believe that the BIS has failed to process your personal data in the manner described in this Privacy Notice, (ii) the date on which you were informed or became aware of the BIS failure, and (iii) the remedy being sought.

We ask that you supplement the complaint with (i) a copy of any relevant response to a request for information regarding the processing of your personal data and/or correction provided by the BIS and (ii) all relevant evidence.

Bank for International Settlements c/o Personal Data Complaints Panel Centralbahnplatz 2 CH-4002 Basel

The BIS shall not accept or respond to anonymous complaints.

Failure to submit the complaint in accordance with requirements set out above may result in the complaint being rejected by the Personal Data Complaints Panel.