The OECD has long played a pivotal role in developing policies for the protection of personal data. The 1980 OECD Privacy Guidelines were the first internationally-agreed privacy principles. Updated in 2013, they remain an essential benchmark, including for the OECD's internal rules and practices. This page describes those rules and practices, which apply as well to the entities and bodies within the OECD framework such as the International Energy Agency (IEA), OECD Nuclear Energy Agency (NEA), International Transport Forum (ITF), and the Multilateral Organisation Performance Assessment Network (MOPAN).
Personal Data being processed
Other types of processing include data needed to facilitate participation in meetings and events, and to access and comment on documents. Personal data may also be processed as part of the evidence gathering process to support policy making, for example, through surveys of individuals such as PISA and assessment platforms such as PILA. Such data uses may be the subject of separate data protection notices as appropriate.
The OECD’s Data Protection Rules
All staff are obligated to implement transparent and appropriate measures to protect individuals in relation to the processing of their personal data. The OECD Data Protection Rules are set forth in the Decision of the Secretary-General on the Protection of Individuals with regard to the Processing of their Personal Data (“Rules”). The Rules, which apply to the processing of personal data by or on behalf of the OECD, are included in Annex XII of the Staff Rules and Regulations.
The Rules require that personal data be processed in a transparent manner for legitimate purposes to deliver the relevant mission and work programme. Personal data are to be adequate, relevant, kept up-to-date, limited to what is needed and retained for no longer than necessary. The Rules also require that the responsible staff ensures that contractors processing personal data on the OECD’s behalf provide guarantees on the implementation of appropriate technical and organisational measures. There are significant limitations related to the processing of special category personal data, and for high-risk processing.
Risk Assessment is mandatory, with data protection by design and default integrated into the process. Security risks are addressed through technical and organisational measures reasonably appropriate to the risk. In the event of a personal data breach, notification requirements would be triggered. Personal data can only be transferred outside the organisation subject to appropriate safeguards that should ensure, in particular, effective data subject rights and legal remedies.
The Rules provide rights for individuals with respect to their personal data. In addition to transparency and information, those rights cover access, rectification, erasure, and objection, which individuals can assert directly with the responsible staff. There is also a process for settling claims submitted by individuals.
Implementation and Oversight
As an accountable organisation, the OECD has developed a Privacy Management Programme to structure its approach to implementing its Rules.
The OECD Data Protection Commissioner (DPC) enforces the Rules, with powers of investigation and correction to be exercised in full independence during a five-year fixed term (renewable once). As part of his duties, the DPC also submits an annual activity report to the Secretary-General (2022, 2021, 2020, 2019).
The Data Protection Officer (DPO) provides information and advice to staff and individuals, as well as exercising an independent compliance role to support the DPC.
Individuals can contact the DPO with queries or complaints related to the processing of their personal data. For further assistance in resolving claims related to personal data protection, they can contact the DPC.
Data Protection Commissioner: Billy Hawkes, DPC@oecd.org, +33 1 8555 4482