Personal data protection

The OECD and the entities and bodies within the OECD framework process personal data in the course of delivering their respective public interest missions. For example, the OECD processes personal data to manage and provide benefits to staff and as part of its recruitment and procurement processes. It also processes data regarding users of OECD websites, which is described in the privacy policy and visitors to the organisation as described in this notice. Similarly, the entities and bodies within the OECD framework may process data as described in the privacy policies on their respective websites.

Other types of processing include data needed to facilitate participation in meetings and events, and to access and comment on documents. Personal data may also be processed as part of the evidence gathering process to support policy making, for example, through surveys of individuals such as PISA and assessment platforms such as PILA. Such data uses may be the subject of separate data protection notices as appropriate.

All staff are obligated to implement transparent and appropriate measures to protect individuals in relation to the processing of their personal data. The OECD Data Protection Rules are set forth in the Decision of the Secretary-General on the Protection of Individuals with regard to the Processing of their Personal Data (“Rules"). The Rules, which apply to the processing of personal data by or on behalf the OECD, are included in Annex XII of the Staff Rules and Regulations.

The Rules require that personal data be processed in a transparent manner for legitimate purposes to deliver the relevant mission and work programme. Personal data are to be adequate, relevant, kept up-to-date, limited to what is needed and retained for no longer than necessary. The Rules also require that the responsible staff ensures that contractors processing personal data on OECD’s behalf provide guarantees on the implementation of appropriate technical and organisational measures. There are significant limitations related to the processing of special category personal data, and for high risk processing.

Risk Assessment is mandatory, with data protection by design and default integrated into the process. Security risks are addressed through technical and organisational measures reasonably appropriate to the risk. In the event of a personal data breach, notification requirements would be triggered. Personal data can only be transferred outside the organisation subject to appropriate safeguards that should ensure, in particular, effective data subject rights and legal remedies.

The Rules provide rights for individuals with respect to their personal data. In addition to transparency and information, those rights cover access, rectification, erasure, and objection, which individuals can assert directly with the responsible staff. There is also a process for settling claims submitted by individuals.

As an accountable organisation, the OECD has developed a Privacy Management Programme to structure its approach to implementing its Rules. 

The OECD Data Protection Commissioner (DPC) enforces the Rules, with powers of investigation and correction to be exercised in full independence during a five-year fixed term (renewable once). As part of his duties, the DPC also submits an annual activity report to the Secretary-General (2025, 2024, 2023, 2022, 2021, 2020, 2019).

The Data Protection Officer (DPO) provides information and advice to staff and individuals, as well as exercising an independent compliance role to support the DPC.  

Individuals can contact the DPO with queries or complaints related to the processing of their personal data. For further assistance in resolving claims related to personal data protection, they can contact the DPC.

Data Protection Officer: Michael Donohue, DPO@oecd.org, +33 1 45 24 14 79

Data Protection Commissioner: Billy Hawkes, DPC@oecd.org, +33 1 85 55 44 82