Controller of personal data
The Eurosystem Collateral Management System (hereinafter: ‘ECMS’) is a unified system for managing assets used as collateral in Eurosystem credit operations. It keeps track of the individual collateral and credit positions of national central banks’ counterparties.
The ECMS is available through the Eurosystem Single Market Infrastructure Gateway along with other services of the Trans-European Automated Real-time Gross settlement Express Transfer system (hereinafter: ‘TARGET’) and ensures that cash, securities and collateral flow freely across Europe.
The Croatian National Bank, Trg hrvatskih velikana 3, Zagreb, OIB: 95970281739 (hereinafter: ‘CNB’), together with the European Central Bank (hereinafter: ‘ECB’) and the national central banks of the Eurosystem (hereinafter: ‘NCBs’), is deemed to be a Joint Controller of personal data in the meaning of Article 28 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereinafter: ‘EUDPR’) and Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: ‘GDPR’) regarding the processing of the personal data of natural person ECMS users.
Legal framework
All personal data are processed in accordance with European Union data protection law, that is the GDPR and the EUDPR.
Regarding the personal data processed in ECMS, a joint controllership exists, comprising:
- the ECB and the NCBs as joint controllers of the personal data of natural person ECMS users; and
- the ECB as a controller in relation to the ECMS Coordination Desk.
Four Eurosystem national central banks, Deutsche Bundesbank, Banco de España, Banque de France and Banca d’Italia (hereinafter: ‘4CB’), in their central bank roles provide operational services and assume specific operational responsibilities in ECMS.
The responsibility of Joint Controllers is governed by an agreement.
Purpose and description of the processing
Personal data (as defined in the EUDPR/GDPR) are processed for three purposes, namely:
- for access of Natural Person ECMS Users, mandated by any of the Joint Controllers or by Participants, that can access ECMS using a USB token or another technical device with a distinguished name certificate, login name and password;
- for the operational maintenance and update of a list with the contact details and names of ECMS National Service Desk managers and ECMS National Crisis managers, as well as of a distribution list; and
- for storage in the common component, in the CNB national directory, and for storage according to the CNB retention plan.
ECMS does not require personal data for the processing of transactions. However, personal data might be processed by Joint Controllers in the event that they are included as part of a transaction message from a Central Securities Depository (hereinafter: ‘CSD’) or an eligible Triparty Agent (hereinafter: ‘TPA’) that is intended for processing in ECMS and transmitted by a CSD or TPA.
Legal basis
The processing of personal data in ECMS is justified by the provisions in Article 6(1), point (e) of the GDPR, i.e. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official duties of controllers, pursuant to Article 22 of the Statute of the European System of Central Banks and of the European Central Bank and Article 96, paragraph (2) and Article 103 of the Act on the Croatian National Bank (Official Gazette 75/2008, 54/2013 and 47/2020) and the Decision on collateral management in Eurosystem credit operations (Official Gazette 84/2025) and Article 22 of the Statute of the European System of Central Banks and of the European Central Bank and Article 5(1), points (a), (b) and (c) of the EUDPR in relation to the ECB.
Data subjects, personal data processed, source of personal data and essential elements of agreements among Joint Controllers
The source of personal data for natural persons are ECMS Participants, e.g. credit institutions, central securities depositories, eligible triparty agents, etc., and data subjects themselves.
ECMS processes a set of personal data regarding three types of data subjects:
- Natural Person ECMS User, a person that can access ECMS and is mandated by any of the Joint Controllers, or by CSDs or TPAs;
- Natural Person – ECMS National Service Desk manager, a person responsible for communicating incidents to the ECMS Service Desk on behalf of their community;
- Natural Person – ECMS National Crisis manager, a person responsible for communicating information that is urgently needed to avoid or limit any negative impact on ECMS operations.
Personal data are processed in ECMS regarding:
- Processing of personal data of Natural Person ECMS Users: name and surname, contact details, e-mail address, telephone number, a unique reference, signature of the authorised person.
  Each Natural Person ECMS User is identified in ECMS by:
  - a unique reference (System User Reference – SUR);
  - a USB token or another technical device that contains the digital certificate and its distinguished name. The DN digital certificate (Distinguished Name Certificate) is an electronic document associating the identity of an ECMS user to a pair of cryptographic keys;
  - a clear link to an existing Participant (Parent BIC/BIC); and
  - a unique login name (Login Name).
- Processing of personal data of ECMS National Service Desk managers and National Crisis managers:
  - name and surname;
  - institution;
  - e-mail and telephone number.
- Processing of personal data of other data subjects:
  Personal data of other data subjects refer to data that are not required for the processing services of ECMS. The ISO[1] message format used in ECMS includes free format fields.
  Since ECMS does not require this personal data for the processing of submitted transactions, the fields containing incidental personal data are not monitored, and are not accessible via the ECMS GUI (Graphical User Interface). The categories of personal data can therefore not be specified.
Data subjects may exercise their rights by contacting any of the Joint Controllers through the points of contact that are mentioned on their respective websites. Each NCB shall channel any request received from a data subject, or from any of its Participants, to exercise the data protection rights to the ECMS Service Desk operated by the 4CB, if necessary, in order to administer the request.
The NCBs, including the CNB, shall be responsible for processing data subjects’ requests coming from their own Natural Person ECMS Users and shall be accountable for replying to these requests to their respective data subject. In addition, each NCB, including the CNB, is responsible and accountable for replying to requests concerning personal data protection in ECMS from their Participants’ Natural Person ECMS Users and other data subjects.
The NCBs shall forward these requests to the 4CB, if required, to request cooperation. Once a request has been received and its scope clarified, the Joint Controllers may request the ECMS Service Desk to supply necessary information.
The ECMS Service Desk shall cooperate with the NCBs in the processing of data subjects’ requests. The NCBs shall provide regularly (i.e. at least once a year) to the ECMS Service Desk operated by the 4CB an anonymised list with a breakdown of the data subject requests relating to ECMS.
With respect to personal data breaches, please note that the 4CB shall notify the Joint Controllers without undue delay upon becoming aware of a personal data breach in ECMS. The 4CB shall lead the related investigation, containment, and remediation activities, providing regular updates to the Joint Controllers.
Additionally, the 4CB shall provide the Joint Controllers with all necessary support to ensure compliance with their notification obligations to data subjects or supervisory authorities.
In all cases, the European Data Protection Supervisor shall be notified by the relevant NCB of the personal data breach as soon as possible, no later than within 72 hours, in accordance with Article 33 of the GDPR and Article 34 of the EUDPR. The CNB shall also notify the Croatian Personal Data Protection Agency.
With respect to the technical and organisational measures, the CNB shall apply ECMS measures (e.g. for the identification of Natural Person ECMS Users mentioned above) and technical and organisational measures from the CNB system.
The ECMS personal data are processed in ECMS in accordance with the following documents: the ECMS Business Description document (published on the ECB website), the ECMS message usage guide (published on the ECB website) and other ECB user documents, as amended from time to time.
Storing of personal data
Personal data are stored within ECMS for a maximum duration of ten years in the legal archive, for legal evidence and fiscal purposes.
In the CNB national directory, personal data in digital and physical form are stored for a duration of ten years according to the CNB retention plan.
The CNB shall keep personal data, whether data in digital or physical form, so as to protect their secrecy and prevent access to unauthorised parties. The data in digital form are protected through encoded computer access, while objects in physical form are kept in facilities with restricted access.
Recipients of personal data
The recipients of personal data are the Joint Controllers who process personal data in accordance with their internal organisational rules and applicable regulations.
The CNB’s ECMS National Service Desk is responsible for a list of contact details and names of contact persons and users.
However, personal data might exceptionally be processed in third countries/international organisations based on the derogations for specific situations set out in Article 50(1) of the EUDPR and Article 49(1) of the GDPR.
Rights of persons whose data are processed
Persons whose data are processed shall have the right to access their personal data and request rectification of any personal data that are inaccurate or incomplete, the right to object and the right to restriction of processing personal data in accordance with the GDPR and the EUDPR. The ECB may restrict the rights of persons whose data are processed to safeguard the interests and objectives referred to in Article 25(1) of the EUDPR. Other Joint Controllers, including the CNB, may restrict such rights in accordance with Article 23(1) of the GDPR.
In accordance with Article 28(1) and (3) of the EUDPR and Article 26(1) and (3) of the GDPR, the rights can be exercised in respect of and against each of the Joint Controllers.
Who can you contact for queries or requests?
If you consider that your rights under the GDPR or the EUDPR have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint at any time with:
- the European Data Protection Supervisor, the relevant supervisory authority referred to in Article 4(22) of the GDPR or the national supervisory authority as defined in Article 3(22) of the EUDPR for other central banks. A list of these authorities is available on the website of the European Data Protection Board.
Any complaints regarding CNB actions in connection with personal data processing should be addressed to the Croatian Personal Data Protection Agency (AZOP), Metela Ožegovića 16, Zagreb, azop@azop.hr, the supervisory authority responsible for personal data protection in the Republic of Croatia.
For more information on the topic of personal data processing, all queries should be addressed to the CNB data protection officer (službenik.osobni@hnb.hr).
[1] International Organisation for Standardisation