SECTION I • PURPOSE AND APPLICATION
- This Policy sets forth Principles governing the Processing of Personal Data by WBG Institutions.
- This Policy is intended to ensure consistent practices, aligned with recognized international standards, for the Processing of Personal Data by WBG Institutions.
- This Policy applies to WBG Institutions.
SECTION II • DEFINITIONS
As used in this Policy, capitalized terms or acronyms have the meanings set out below:
- Board: the Boards of Executive Directors of International Bank for Reconstruction and Development (IBRD) and International Development Association (IDA); the Secretary-General of International Centre for the Settlement of Investment Disputes (ICSID); and the Boards of Directors of International Finance Corporation (IFC) and Multilateral Investment Guarantee Agency (MIGA).
- Implementing Documentation: has the meaning set forth in Paragraph 1 of Section VI below.
- Personal Data: any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified by reasonable means, directly or indirectly, by reference to an attribute or combination of attributes within the data, or combination of the data with other available information. Attributes that can be used to identify an identifiable individual include, but are not limited to, name, identification number, location data, online identifier, metadata and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
- Principles: the core Personal Data privacy principles set forth in Section III.
- Processing: any operation or set of operations, automated or not, which is performed on Personal Data, including but not limited to collection, storage, use, transmission, disclosure or deletion.
- WBG Institution: any one of IBRD, IDA, ICSID, IFC and MIGA.
SECTION III • Scope
The following Principles shall apply to all Processing of Personal Data by WBG Institutions:
- Legitimate, Fair and Transparent Processing
Personal Data shall be Processed for legitimate purposes and in a fair and transparent manner in accordance with this Policy. Legitimate purposes for Processing of Personal Data mean any purpose:
- carried out with the consent of the individual whose Personal Data is being Processed;
- in the vital or best interest of (i) the individual whose Personal Data is being Processed or (ii) of another person;
- necessary for the performance of a contract or compliance with a binding obligation or undertaking; or
- consistent with, or reasonably necessary to enable a WBG Institution to carry out, its mission, mandate or purpose as an international organization established by its member countries.
- Purpose Limitation and Data Minimization
Personal Data shall be collected for one or more specific and legitimate purpose(s) and not further Processed in a manner that is incompatible with the original purpose(s) for which it was collected; further Processing for archiving purposes, research, or statistical purposes shall not be considered incompatible with the original purpose. In amount and type, Personal Data collected shall be necessary for and proportionate to the legitimate purpose(s) for which it is Processed.
- Data Accuracy
Personal Data shall be recorded as accurately as possible and, where necessary, updated to ensure it fulfills the legitimate purpose(s) for which it is Processed.
- Storage Limitation
Personal Data shall be kept in a form which permits identification of individuals only so long as necessary for the fulfillment of the purposes for which it was collected or for compatible further Processing in accordance with this Policy.
Personal Data shall be protected by appropriate technical and organizational safeguards against unauthorized Processing and against accidental loss, destruction or damage.
- Transfer of Personal Data
Personal Data shall only be transferred to third parties for legitimate purposes and with appropriate regard for the protection of Personal Data.
- Accountability and Review
Each WBG Institution shall adopt mechanism(s) to:
- oversee compliance with this Policy; and
- provide individuals with a method, subject to reasonable limitations and conditions, to:
- request information regarding the individual’s Personal Data Processed by such WBG Institution; and
- seek redress if the individual reasonably believes that the individual’s Personal Data has been Processed in violation of this Policy.
SECTION IV • Exception
SECTION V • Waiver
Provisions of this Policy may be waived by the Board.
SECTION VI • Other Provisions
- This Policy shall be implemented by each WBG Institution through directives, procedures and guidance tailored to each WBG Institution’s specific operations (the “Implementing Documentation”).
- This Policy shall apply to each WBG institution at the earlier of: (i) a public declaration of effectiveness by the Sponsor to the Issuer of the Policy upon adoption and effectiveness of Implementing Documentation or (ii) two years from the effective date of this Policy. This Policy shall not cover Personal Data collected before the date of application. Directives and Procedures under this Policy may extend to such Personal Data.
- The Processing of Personal Data in accordance with this Policy is without prejudice to the privileges and immunities of the WBG Institutions, which privileges and immunities are specifically reserved.
SECTION VII • Temporary Provisions
SECTION VIII • EFFECTIVE DATE
This Policy is effective as of May 25, 2018.
SECTION IX • ISSUER
The Issuer of this Policy is the Board.
SECTION X • SPONSORS
The Sponsors of this Policy are:
- IBRD/IDA: Senior Vice President and General Counsel
- ICSID: Senior Legal Adviser, Institutional Affairs
- IFC: Vice President, Legal, Compliance Risk and ESG Sustainability and General Counsel
- MIGA: Director and General Counsel, Legal Affairs and Claims; and Director, Finance and Risk
SECTION XI • RELATED DOCUMENTS
- Public Documents
- IBRD Access to Information Policy
- IFC Access to Information Policy
- MIGA Access to Information Policy
- Integrity Vice Presidency Policy on Disclosure of Information
- Independent Evaluation Group Access to Information Policy
- Restricted Documents
- Principles of Staff Employment
- Staff Rules
IFC Data Access and Control Office (DACO)
2121 Pennsylvania Avenue
Washington, D.C. 20433