The EBRD is an international organisation established by treaty, the Agreement Establishing the European Bank for Reconstruction and Development available at https://www.ebrd.com/news/publications/institutional-documents/basic-doc..., and as such it is not subject to any national or supranational laws.
In order to carry out its purpose, and in accordance with the Agreement Establishing EBRD, the EBRD has put in place its own governance arrangements and internal rules regulating various matters relevant for its operation including information security and protection of personal data.
The EBRD processes personal data in accordance with the following principles: (i) purpose limitation: personal data is processed for one or more specified purposes, and only to the extent necessary and proportionate to those purposes; (ii) transparency: personal data is processed in a transparent manner, subject to legitimate expressly specified exceptions, and in accordance with EBRD’s internal rules; (iii) security: personal data is protected by appropriate technical and organisational safeguards against unauthorised processing and against accidental loss, destruction or damage; (iv) accuracy: the EBRD takes measures to ensure that personal data processed by it is as accurate as possible and updated as necessary to fulfil the purposes for which it is processed; (v) storage limitation: the EBRD retains personal data for the duration specified in its applicable retention schedule(s) adopted in accordance with its policies on records management and archives.
The EBRD is committed to the protection of personal data, which is considered a sub-set of EBRD’s information assets. When entering into contracts with suppliers of goods and services that involve transfer of personal data, the EBRD requires from the suppliers compliance with the principles outlined in the previous paragraph and the applicable data protection laws.
If you have any questions or requests, you may contact EBRD at DPOffice@ebrd.com.