IFC Privacy – Managing Personal Data Responsibly

The International Finance Corporation (“IFC”) has adopted core privacy principles for its operations, aligned with global standards for personal data protection. IFC’s Data Privacy Office actively works to protect and maintain the privacy, accuracy and security of the personal data that IFC collects, handles or processes, and seeks to foster a culture that values privacy through awareness.

IFC’s approach to personal data protection:

• reflects the principles established by the overarching World Bank Group (WBG) Personal Data Privacy Policy (the “Privacy Policy”), which applies to all personal data collected by IFC on or after February 1, 2021;
• is underpinned by appropriate policies and procedures aimed at supporting effective identification and management of privacy risks across IFC;
• is driven by a dedicated IFC Data Privacy Office, which is responsible for implementing the Privacy Policy throughout IFC, as well as advising staff and monitoring compliance.

Principles Governing Processing of Personal Data by IFC

The core of the Privacy Policy is the seven principles governing IFC’s processing of personal data. Personal data is information that identifies an individual (directly or indirectly).   The seven principles are summarized below:

1. Legitimate, Fair and Transparent: IFC’s processing of personal data should be for a legitimate purpose, and processing should be fair and transparent to the individual concerned (often called the data subject).
2. Purpose Limitation and Data Minimization: Personal data collected by IFC for one purpose may not be used for another purpose, except in accordance with the Privacy Policy; only the personal data needed to accomplish that purpose should be collected.
3. Data Accuracy: Personal data should be collected, recorded, and maintained as accurately as possible.
4. Storage Limitation: Personal data should be retained and disposed of according to applicable records retention and disposition schedules.
5. Security: IFC should use reasonable technical and organizational measures to avoid accidental destruction, loss, alteration, unauthorized disclosure of or access to personal data.
6. Transfers of Personal Data: Personal data should only be transferred to third parties for legitimate purposes and with appropriate regard for protection of the personal data transferred.
7. Accountability and Review: WBG institutions, including IFC, are required to adopt documentation, processes, and procedures appropriate to implement and oversee compliance with the Privacy Policy.

What Personal Data IFC Processes and Why

For information regarding what personal data IFC collects and why as part of its regular operations, please see IFC’s organizational privacy hub.

For information regarding what personal data IFC collects and why from visitors to the ifc.org website, please see the ifc.org website privacy notice.

How to Request Information on your Personal Data Processed or Held by IFC

As part of its data privacy framework, IFC has established a mechanism for individuals to request information regarding their personal data processed or held by IFC and, when appropriate, to seek redress, as further described here.

Current staff may submit requests using the webform available here.

If you are not currently a staff member of IFC or another World Bank Group institution, you may submit such a request using the webform available here.

How to Contact the IFC Data Privacy Office

All other questions related to IFC’s data privacy framework can be directed to IFC’s Data Privacy Office at ifcdataprivacy@ifc.org.