In accordance with European and national privacy regulations, please be informed that Banca d'Italia, via Nazionale 91, Rome, processes personal data acquired during virtual meetings conducted using dedicated tools.
Categories of Data Processed and Data Subjects
During virtual meetings, the following categories of personal data are processed, necessary to enable connection, access, and effective use of the platform, referring to different categories of data subjects:
- for Banca d'Italia staff, such data includes: username, first name, last name, email address, organizational unit, mobile phone number, office number, presence status.
- for meeting guests, data includes: displayed name, email address.
In addition to this initial dataset, further personal data is generated by user interactions within the virtual meeting. User-generated content may include attendance reports (entry and exit times), meeting chat, video, audio, documents, recordings, transcripts, and smart summaries generated with integrated generative AI tools.
Purpose of Processing
Personal data collected in virtual meetings is processed to facilitate secure and efficient communication and collaboration between Banca d'Italia staff and external users with whom Banca d'Italia cooperates through such meetings.
Specifically, personal data is collected as part of the product's functionalities used for work purposes.
Legal Basis
Personal data is processed by Banca d'Italia because communication and collaboration activities through virtual meetings are necessary for the performance of public interest tasks carried out by Banca d'Italia as part of its official functions, in line with Article 6, paragraph 1, letter e) of EU Regulation 2016/679 (GDPR), which authorizes the processing of data necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
This includes instrumental virtual meetings, functional to the performance of institutional or administrative activities of the Institute, such as meetings of collegial bodies or working groups. In such cases, it is not necessary to request consent for the processing of participants' personal data, collected also through meeting recording and transcription functions, as these activities are functional to the performance of public interest tasks.
If, however, virtual meetings have a primarily training or informational purpose, the meeting organizer who intends to activate recording and transcription will obtain explicit consent from the data subjects when inviting them to the meeting or, in any case, before the meeting starts, also informing them of any subsequent publication of the recording.
Data Processor
The provider of these communication tools dedicated to virtual meetings has been appointed by Banca d'Italia as data processor, pursuant to Article 28 GDPR. The data processor, with Banca d'Italia's authorization, may use sub-processors for certain activities, in compliance with the conditions set out in Article 28, paragraph 4 of the GDPR.
Contractual agreements ensure that the provider complies with data protection regulations and adopts appropriate technical and organizational measures. Personal data collected is processed using security measures suitable to ensure confidentiality and prevent unauthorized access by third parties or unauthorized personnel.
The data processor and sub-processors process personal data within the EU, in accordance with the terms of the agreement. In exceptional cases, personal data may be processed outside the EU, but only in countries with adequate safeguards (adequacy decision, standard contractual clauses, or equivalent). In the absence of other legal bases, this will only be possible under the exceptions provided by Article 49 of the GDPR.
Authorized Parties
Personal data collected during virtual meetings may be accessed by meeting participants, authorized Banca d'Italia staff, and the service provider based on the 'need to know' principle. Examples include:
- Meeting organizers may access meeting details, such as names and email addresses of participants, attendance reports, any recordings or transcripts;
- Meeting participants may access meeting chats, shared content, participant lists, and any recordings or transcripts, if applicable;
- System administrators and authorized technical staff of Banca d'Italia may access limited personal data (e.g., IP addresses or group membership details) for technical support and troubleshooting, always according to the principle of minimum necessity. They will not have access to user-generated content (e.g., meeting content or recordings);
- The data processor and sub-processors may access limited personal data (e.g., IP addresses or group membership details) for technical support or maintenance purposes, only when strictly necessary. According to the provider's policies, technicians do not have permanent access to Banca d'Italia data and appointed personnel may only access aggregated or pseudonymized data;
- A minimum number of authorized personnel may access personal data to respond to data subjects who have exercised their rights under the GDPR.
Retention Period
Personal data collected is retained for the period strictly necessary to achieve the purposes for which it was collected. The retention period depends on the specific purpose of processing and the business context for which the data was collected. In particular:
- Recording and transcript files are retained for a maximum of ten days from the creation date, after which they are automatically deleted from the system. The organizer may delete such files manually even before this deadline. Recordings and transcripts are accessible by the meeting organizer and, if provided, by other authorized participants until deletion;
- Data generated by the service (metadata necessary for system operation) is retained for up to 180 days;
- When a user account is terminated, personal data is retained for up to 90 days before deletion;
- If the user (or Banca d'Italia on behalf of the user) deletes the data, the provider deletes all copies of personal data within 30 days;
- If Banca d'Italia terminates the contract with the provider, all personal data is deleted within 90-180 days of service termination, in accordance with the agreement terms.
Data Subject Rights
Data subjects may exercise, with respect to the Data Controller - Banca d'Italia - Servizio Organizzazione - via Nazionale 91, 00184 ROME, email org.privacy@bancaditalia.it - the right to access personal data, as well as other rights recognized by law, including the right to obtain rectification or integration of data, as well as deletion or anonymization (where possible) or the right to object in whole or in part, for legitimate reasons, to processing or to request its limitation.
Limits to the exercise of such rights are reserved in cases provided by law. The Data Protection Officer of Banca d'Italia can be contacted at via Nazionale 91, 00184, Rome, or at responsabile.protezione.dati@bancaditalia.it.
If the data subject believes that the processing concerning them is carried out unlawfully, they may lodge a complaint with the Privacy Authority.