Last updated: February 2021
Current staff may submit requests using the webform available here.
If you are not a current staff member of IFC or another World Bank Group institution, you may submit a request using the webform available here.
Upon receipt, requests are first evaluated by the IFC Data Privacy Office (IFC DPO). Our validation criteria provide that requests may be rejected in certain circumstances, including where (i) the identity of the requester cannot be authenticated, (ii) the requester fails to provide sufficient information to allow IFC to reasonably respond to the request, (iii) the request is overly broad or excessive when balanced with the resource and cost implications of responding to the request, (iv) the request is repetitive of a previous request submitted by, or behalf of, the same requester or (v) the request is clearly intended to circumvent reasonable document production restrictions under legal, administrative or similar proceedings. If your request is rejected during the validation process, you will be given reasons and have the opportunity to request reconsideration by the IFC DPO. If the IFC DPO confirms a rejection decision, you will also have an opportunity to appeal to the Privacy Review Panel discussed below.
Once a request is validated, a search for your personal data will be conducted using the identifying information you provided when you submitted your request. We may ask for additional information to assist us in conducting the search or to scope out our search (e.g., relevant date ranges, information about how you have engaged with IFC, etc.).
Once a personal data search has been performed, the IFC DPO will make available to you your personal data held by IFC or, if none is found in the relevant systems or databases, will inform you accordingly. At this time, you may also request additional information about the processing of your personal data by IFC. For clarity, you will not be entitled to the documents or files containing the personal data.
When the IFC DPO has provided what it reasonably believes to be a full response to your request, it will inform you of your options to:
When the IFC DPO has provided what it reasonably believes to be a full response to your reconsideration request, it will inform you of your option to appeal the IFC DPO’s decision if you feel that your request has not been handled appropriately. If you are staff or former staff, you may appeal to the World Bank Administrative Tribunal pursuant to the provisions of the Statute of the World Bank Administrative Tribunal. More information regarding the World Bank Administrative Tribunal, including filing instructions and FAQs can be found here.
If you are an external requester, you may appeal to the Privacy Review Panel as further described below. The Privacy Review Panel consists of senior IFC individuals who are independent of the IFC DPO team and who have not been involved in validating, assessing or responding to your request. The Privacy Review Panel will conduct an independent review of any matter brought before it for appeal.
As described above, IFC may reject requests that do not meet our validation requirements.
In addition, if the IFC DPO determines a request submitted to IFC will better be addressed through a procedure operated by another WBG Institution or mechanism, it may re-direct the request to the appropriate mechanism and notify the requester accordingly.
Personal data searches will be conducted in the systems, or portions of systems, designated by the IFC DPO based on a comprehensive personal data inventory conducted by IFC’s technology team that is at this point in time focused on personal data in structured formats. The list of designated systems will be updated as IFC’s technical search capacity expands.
Notwithstanding any of the foregoing, IFC may withhold or redact personal data from a response when it falls into one of the following categories:
IFC will apply the above exceptions as necessary and proportionate to balance the legitimate interest of IFC and its ability to fulfill the mission, mandate and purpose entrusted to it by its member countries, and IFC's legal rights and obligations, with the legitimate interest of the requester.
The above procedure is available to individual natural persons making requests regarding their own personal data. Requests related to personal data of an individual other than the requester will be rejected, unless the requester has (i) an applicable power of attorney or (ii) proof of legal guardianship of a minor and is making the request on such minor’s behalf. Requests from legal entities other than natural persons will be rejected.
IFC may place reasonable timelines on a requester’s ability to ask for reconsideration or appeal under this procedure, as well as the amount of time responsive data is made available to requesters in IFC’s relevant data portal. Requesters will be given notice of these timelines when they submit a request and as they move through the process.
Requests and all related communications must be in writing and, to the extent practicable, be in English, and all responses of the IFC DPO will be given in English.
Questions related to IFC’s personal data review & redress mechanism can be directed to IFC’s Data Privacy Office at email@example.com.
This statement was last updated on the date listed above. If we change it, we will post the new version to this website.