Personal Data Review & Redress Mechanism
Last updated: February 2021
Introduction
This statement outlines how the International Finance Corporation’s (“IFC”, “our” or “we”) allows individuals (“you”) to make requests with respect to their personal data held by IFC in accordance with principle seven of the World Bank Group Personal Data Privacy Policy (the “Privacy Policy”). The process described below applies to personal data collected by IFC on or after February 1, 2021.
How to submit a request
Current staff may submit requests using the webform available here.
If you are not a current staff member of IFC or another World Bank Group institution, you may submit a request using the webform available here.
How we validate requests
Upon receipt, requests are first evaluated by the IFC Data Privacy Office (IFC DPO). Our validation criteria provide that requests may be rejected in certain circumstances, including where (i) the identity of the requester cannot be authenticated, (ii) the requester fails to provide sufficient information to allow IFC to reasonably respond to the request, (iii) the request is overly broad or excessive when balanced with the resource and cost implications of responding to the request, (iv) the request is repetitive of a previous request submitted by, or behalf of, the same requester or (v) the request is clearly intended to circumvent reasonable document production restrictions under legal, administrative or similar proceedings. If your request is rejected during the validation process, you will be given reasons and have the opportunity to request reconsideration by the IFC DPO. If the IFC DPO confirms a rejection decision, you will also have an opportunity to appeal to the Privacy Review Panel discussed below.
How we process requests – Search &Review
Once a request is validated, a search for your personal data will be conducted using the identifying information you provided when you submitted your request. We may ask for additional information to assist us in conducting the search or to scope out our search (e.g., relevant date ranges, information about how you have engaged with IFC, etc.).
Once a personal data search has been performed, the IFC DPO will make available to you your personal data held by IFC or, if none is found in the relevant systems or databases, will inform you accordingly. At this time, you may also request additional information about the processing of your personal data by IFC. For clarity, you will not be entitled to the documents or files containing the personal data.
How we process requests – Option to request reconsideration
When the IFC DPO has provided what it reasonably believes to be a full response to your request, it will inform you of your options to:
- Request reevaluation, if you reasonably believe IFC holds additional personal data about you; or
- Indicate that you believe your personal data has not been processed in accordance with the Privacy Policy.
In either of these cases, the IFC DPO will reevaluate the search and/or review the processing against the requirements of the Privacy Policy and respond accordingly.
How we process requests – Option to appeal
When the IFC DPO has provided what it reasonably believes to be a full response to your reconsideration request, it will inform you of your option to appeal the IFC DPO’s decision if you feel that your request has not been handled appropriately. If you are staff or former staff, you may appeal to the World Bank Administrative Tribunal pursuant to the provisions of the Statute of the World Bank Administrative Tribunal. More information regarding the World Bank Administrative Tribunal, including filing instructions and FAQs can be found here.
If you are an external requester, you may appeal to the Privacy Review Panel as further described below. The Privacy Review Panel consists of senior IFC individuals who are independent of the IFC DPO team and who have not been involved in validating, assessing or responding to your request. The Privacy Review Panel will conduct an independent review of any matter brought before it for appeal.
Upon completion of its appeal review, the Privacy Review Panel will require the IFC DPO to make available (i) any additional information it determines is appropriate and consistent with the Privacy Policy or (ii) its decision on what actions, if any, should be taken by IFC. Decisions of the Privacy Review Panel are final.
Reasonable Limitations and Conditions
As provided in the Privacy Policy, IFC may place reasonable limitations and conditions on its obligation to respond to requests received through the above procedure, including the following:
Validation Requirement
As described above, IFC may reject requests that do not meet our validation requirements.
In addition, if the IFC DPO determines a request submitted to IFC will better be addressed through a procedure operated by another WBG Institution or mechanism, it may re-direct the request to the appropriate mechanism and notify the requester accordingly.
Scope of Search
Personal data searches will be conducted in the systems, or portions of systems, designated by the IFC DPO based on a comprehensive personal data inventory conducted by IFC’s technology team that is at this point in time focused on personal data in structured formats. The list of designated systems will be updated as IFC’s technical search capacity expands.
Exceptions to Disclosure
Notwithstanding any of the foregoing, IFC may withhold or redact personal data from a response when it falls into one of the following categories:
- the personal data may be sought through a separate mechanism available to the requester;
- the personal data is processed by IFC pursuant to confidential internal or deliberative processes;
- the personal data is sought for purposes which are clearly unfounded;
- providing the personal data or information would:
- compromise the security and safety of another individual;
- disclose information about another individual who can be identified;
- disclose information subject to third party confidentiality obligations;
- disclose commercially sensitive information; or
- breach a regulatory obligation applicable to a third-party who provided such personal data to IFC.
- the personal data is processed in the context of communication or a transaction between IFC and a company, institution, government agency or other legal entity where the requester is acting on behalf of such legal entity;
- the personal data is subject to attorney-client privilege or similar professional confidentiality regimes, and/or other applicable legal privileges or immunities, or processed in relation to legal, administrative or similar proceedings or preparation in reasonable anticipation of legal, administrative or similar proceedings;
- providing the personal data is reasonably likely to render impossible or seriously impair the achievement of an archival, research or statistical purpose.
IFC will apply the above exceptions as necessary and proportionate to balance the legitimate interest of IFC and its ability to fulfill the mission, mandate and purpose entrusted to it by its member countries, and IFC's legal rights and obligations, with the legitimate interest of the requester.
Other Limitations
The above procedure is available to individual natural persons making requests regarding their own personal data. Requests related to personal data of an individual other than the requester will be rejected, unless the requester has (i) an applicable power of attorney or (ii) proof of legal guardianship of a minor and is making the request on such minor’s behalf. Requests from legal entities other than natural persons will be rejected.
IFC may place reasonable timelines on a requester’s ability to ask for reconsideration or appeal under this procedure, as well as the amount of time responsive data is made available to requesters in IFC’s relevant data portal. Requesters will be given notice of these timelines when they submit a request and as they move through the process.
Requests and all related communications must be in writing and, to the extent practicable, be in English, and all responses of the IFC DPO will be given in English.
Privacy Questions
Questions related to IFC’s personal data review & redress mechanism can be directed to IFC’s Data Privacy Office at ifcdataprivacy@ifc.org.
Changes to this statement
This statement was last updated on the date listed above. If we change it, we will post the new version to this website.
