In accordance with the provisions of European and national legislation on privacy, please note that Banca d'Italia, located at via Nazionale 91, Rome, processes the personal data collected during the online meetings held using dedicated tools.
Categories of data processed and data subjects
During the online meetings, the following categories of personal data, referring to different categories of Data Subjects, are processed for the purposes of enabling users to connect to, access and effectively use the platform:
- For Banca d'Italia staff, the data processed include: username, first name, last name, email address, organizational unit, mobile phone number, office number, availability status.
- For guest participants in the meetings, the data processed include: display name, email address.
In addition to this initial dataset, other personal data are generated by user interactions in the online meetings. User-generated content may include attendance reports (join and leave times), meeting chats, videos, audios, documents, recordings, transcripts, and intelligent recaps created using the built-in generative AI tools.
Processing purposes
Personal data collected during online meetings are processed to facilitate secure and efficient communication and collaboration between Banca d'Italia staff and external users with whom Banca d'Italia cooperates during these meetings.
Specifically, personal data are collected in the context of the product-specific functionalities used for work purposes.
Legal basis
Banca d'Italia processes personal data because communication and collaboration via online meetings are necessary for the performance of tasks carried out in the public interest as part of its official mandate, pursuant to Article 6(1)(e) of Regulation (EU) 2016/679 ('GDPR') authorizing the processing of data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
Online functional meetings necessary for the performance of Banca d'Italia's institutional and/or administrative tasks, e.g. meetings of governing bodies or working groups, fall within this category. In these cases there is no requirement to request the participants' consent to the processing of personal data collected during the meetings, including through recordings and transcripts, since these activities are necessary for the performance of public interest tasks.
Conversely, in the case of online meetings held primarily for training or informative purposes, meeting organizers intending to activate the recording and transcript functions shall obtain explicit consent from the Data Subjects, specifying whether the recordings will be published.
Data Processor
Pursuant to Article 28 of GDPR, Banca d'Italia has appointed as Data Processor the provider of the online meeting tool. The Data Processor, subject to Banca d'Italia's authorization, may engage sub-processors to carry out specific activities, in compliance with Article 28(4) of GDPR.
The contractual agreements shall ensure that the service provider complies with data protection legislation and implements appropriate technical and organizational measures. The personal data collected shall be processed using appropriate security measures to ensure their confidentiality and prevent access by unauthorized third parties or personnel.
The Data Processor and sub-processors shall process the personal data within the EU, in accordance with the terms of the agreement. In specific situations, personal data may be processed outside the EU, provided that the third countries where they are processed have appropriate safeguards in place (e.g. adequacy decision, standard contractual clauses or equivalent measures). In the absence of other legal bases, the transfer of personal data to third countries shall only take place if the derogations provided for by Article 49 of GDPR apply.
Persons authorized to process personal data
Personal data collected during online meetings may be disclosed to meeting participants, authorized Banca d'Italia staff, and the service provider on a need-to-know basis. Examples include:
- meeting organizers may access meeting details, such as participants' names and email addresses, attendance reports, recordings or transcripts (if available);
- meeting participants may access meeting chats, shared content, lists of participants, recordings or transcripts (if available);
- system administrators and authorized technical staff of Banca d'Italia may access limited personal data (e.g. IP addresses or group membership details) for technical support and troubleshooting purposes, strictly on a need-to-know basis. They may not access user-generated content (e.g. meeting contents or recordings);
- the Data Processor and sub-processors may access limited personal data (e.g. IP addresses or group membership details) for technical support or maintenance purposes, only when strictly necessary. In accordance with the service provider's policies, its IT support staff shall not have permanent access to Banca d'Italia data, and designated staff shall only be granted access to aggregated or pseudonymized data;
- a few authorized staff members may access personal data to respond to requests from Data Subjects who have exercised the rights set out in the GDPR.
Storage period
The personal data collected shall be stored only for as long as is strictly necessary for the purposes for which the personal data are collected. The storage period varies depending on the specific purposes for which the personal data are processed and on the business context in which they are collected. Specifically:
- Recording and transcript files shall be stored for a maximum of ten days from the creation date, after which they are automatically deleted from the system. Meeting organizers may delete them manually earlier. Recordings and transcripts shall be accessible by meeting organizers and, if applicable, by other authorized participants up to the time of deletion.
- Data generated by the service (metadata necessary for system operation) shall be stored for up to 180 days.
- When a user account is terminated, the personal data shall be stored for a maximum of 90 days prior to deletion.
- If the user (or Banca d'Italia on behalf of the user) deletes the data, the provider shall delete all copies of the personal data within 30 days.
- If Banca d'Italia terminates the contract with the provider, all personal data shall be deleted within 90-180 days of service termination, in accordance with the terms of the agreement.
Rights of the Data Subject
Data Subjects have the right to access their personal data and any and all rights recognized by law, including the right to obtain the rectification, completion, erasure and (where possible) anonymization of personal data, as well as the right to object, on legitimate grounds, to the processing, in whole or in part, of such data or to request processing restrictions. Data Subjects may exercise such rights by contacting the Data Controller - Banca d'Italia - Organization Directorate - Via Nazionale 91, 00184 Rome, email: org.privacy@bancaditalia.it.
This is without prejudice to any restrictions, provided for by law, to the exercise of such rights. The Data Protection Officer of Banca d'Italia can be contacted at via Nazionale 91, 00184, Rome, or at the following email address: responsabile.protezione.dati@bancaditalia.it.
Should the Data Subject deem that their data have been handled in breach of the law, they may lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei dati personali).