World Bank Group Policy Personal Data Privacy

World Bank Group Policy

Personal Data Privacy

Bank Access to Information Policy Designation

Public

Catalogue Number

SEC4.05-POL.103

Issued

May 20, 2020

Effective

May 20, 2020

Content

Policy setting forth the core privacy principles governing the

Processing of Personal Data by WBG Institutions. Amended

application date February 1, 2021.

Applicable to

IBRD,IDA,IFC,MIGA,ICSID

Issuer

The Boards, IBRD, IDA, IFC, MIGA; Secretary-General ICSID

Sponsor

Vice President, Compliance, CMPVP; Vice President and

General Counsel, CLSVP; Director and General Counsel, Legal

Affairs and Claims; and Director, Finance and Risk, MIGLC;

Senior Counsel, ICSID

SECTION I – PURPOSE AND APPLICATION

1. This Policy sets forth Principles governing the Processing of Personal Data by WBG

Institutions.

2. This Policy is intended to ensure consistent practices, aligned with recognized international

standards, for the Processing of Personal Data by WBG Institutions.

3. This Policy applies to WBG Institutions.

SECTION II – DEFINITIONS

As used in this Policy, capitalized terms or acronyms have the meanings set out below:

1. Board: the Boards of Executive Directors of International Bank for Reconstruction and

Development (IBRD) and International Development Association (IDA); the Secretary-

General of International Centre for the Settlement of Investment Disputes (ICSID); and the

Boards of Directors of International Finance Corporation (IFC) and Multilateral Investment

Guarantee Agency (MIGA).

2. Implementing Documentation: has the meaning set forth in Paragraph 1 of Section VI below.

3. Personal Data: any information relating to an identified or identifiable individual. An

identifiable individual is one who can be identified by reasonable means, directly or indirectly,

by reference to an attribute or combination of attributes within the data, or combination of the

data with other available information. Attributes that can be used to identify an identifiable

individual include, but are not limited to, name, identification number, location data, online

identifier, metadata and factors specific to the physical, physiological, genetic, mental,

economic, cultural or social identity of an individual.

4. Principles: the core Personal Data privacy principles set forth in Section III.

5. Processing: any operation or set of operations, automated or not, which is performed on

Personal Data, including but not limited to collection, storage, use, transmission, disclosure or

deletion.

6. WBG Institution: any one of IBRD, IDA, ICSID, IFC and MIGA.

SECTION III – SCOPE

The following Principles shall apply to all Processing of Personal Data by WBG Institutions:

1. Legitimate, Fair and Transparent Processing

Personal Data shall be Processed for legitimate purposes and in a fair and transparent manner in

accordance with this Policy. Legitimate purposes for Processing of Personal Data mean any

purpose:

a. carried out with the consent of the individual whose Personal Data is being Processed;

b. in the vital or best interest of (i) the individual whose Personal Data is being Processed or

(ii) of another person;

c. necessary for the performance of a contract or compliance with a binding obligation or

undertaking; or

d. consistent with, or reasonably necessary to enable a WBG Institution to carry out, its

mission, mandate or purpose as an international organization established by its member

countries.

2. Purpose Limitation and Data Minimization

Personal Data shall be collected for one or more specific and legitimate purpose(s) and not further

Processed in a manner that is incompatible with the original purpose(s) for which it was collected;

further Processing for archiving purposes, research, or statistical purposes shall not be considered

incompatible with the original purpose. In amount and type, Personal Data collected shall be

necessary for and proportionate to the legitimate purpose(s) for which it is Processed.

3. Data Accuracy

Personal Data shall be recorded as accurately as possible and, where necessary, updated to ensure

it fulfills the legitimate purpose(s) for which it is Processed.

4. Storage Limitation

Personal Data shall be kept in a form which permits identification of individuals only so long as

necessary for the fulfillment of the purposes for which it was collected or for compatible further

Processing in accordance with this Policy.

5. Security

Personal Data shall be protected by appropriate technical and organizational safeguards against

unauthorized Processing and against accidental loss, destruction or damage.

6. Transfer of Personal Data

Personal Data shall only be transferred to third parties for legitimate purposes and with appropriate

regard for the protection of Personal Data.

7. Accountability and Review

Each WBG Institution shall adopt mechanism(s) to:

a. oversee compliance with this Policy; and

b. provide individuals with a method, subject to reasonable limitations and conditions, to:

i. request information regarding the individual’s Personal Data Processed by such WBG

Institution; and

ii. seek redress if the individual reasonably believes that the individual’s Personal Data

has been Processed in violation of this Policy.

SECTION IV – EXCEPTION

N/A

SECTION V – WAIVER

Provisions of this Policy may be waived by the Board.

SECTION VI – OTHER PROVISIONS

1. This Policy shall be implemented by each WBG Institution through directives, procedures and

guidance tailored to each WBG Institution’s specific operations (the “Implementing

Documentation”).

2. This Policy shall apply to each WBG Institution starting February 1, 2021. This Policy shall

not cover Personal Data collected before the date of application. Directives and Procedures

under this Policy may extend to such Personal Data.

3. The Processing of Personal Data in accordance with this Policy is without prejudice to the

privileges and immunities of the WBG Institutions, which privileges and immunities are

specifically reserved.

SECTION VII – TEMPORARY PROVISIONS

N/A

SECTION VIII – EFFECTIVE DATE

This Policy is effective as of the date on its cover page.

SECTION IX – ISSUER

The Issuers of this Policy are as stated on its cover.

SECTION X – SPONSORS

The Sponsors of this Policy are as stated on its cover.

SECTION XI – RELATED DOCUMENTS

1. Public Documents

a. IBRD Access to Information Policy

b. IFC Access to Information Policy

c. MIGA Access to Information Policy

d. Integrity Vice Presidency Policy on Disclosure of Information

e. Independent Evaluation Group Access to Information Policy

2. Restricted Documents

a. Principles of Staff Employment

b. Staff Rules

Questions regarding this Policy should be addressed to the Sponsors.