Personal Data Protection at the OECD


The OECD has long played a pivotal role in developing policies for the protection of personal data. The 1980 OECD Privacy Guidelines were the first internationally-agreed privacy principles. Updated in 2013, they remain an essential benchmark, including for the OECD's internal rules and practices.


Personal Data Processing by the OECD

The OECD processes personal data in the course of delivering its public interest mission. For example, the OECD processes personal data to manage and provide benefits to staff and as part of its recruitment process. It also processes data regarding users of OECD websites, which is described in the privacy policy.

Other types of processing include data needed to facilitate participation by delegates and other members of the OECD community in meetings and events, and to access and comment on documents. Personal data may also be processed as part of the evidence gathering process to support OECD policy making, for example, through surveys of individuals. Such data uses may be the subject of separate data protection notices as appropriate.


The OECD’s data protection rules

OECD staff are obligated to implement transparent and appropriate measures to protect individuals in relation to the processing of their personal data. The OECD rules are set forth in the Decision of the Secretary-General on the Protection of Individuals with regard to the Processing of their Personal Data (“Decision"), which applies to the processing of personal data by OECD staff and contractors and is included in Annex XII of the Staff Rules and Regulations.

The rules require that personal data be processed in a transparent manner for legitimate purposes to deliver the OECD mission and work programme. Personal data are to be adequate, relevant, kept up-to-date, limited to what is needed and retained for no longer than necessary. There are significant limitations related to the processing of sensitive personal data, automated processing, including profiling, and for high risk processing.

Risk Assessment is mandatory, with data protection by design and default integrated into the process. Security risks are addressed through technical and organisational measures reasonably appropriate to the risk. In the event of a personal data breach, notification requirements would be triggered.


Individual Rights and Oversight

The Decision provides rights for individuals with respect to their personal data. Those rights cover access, rectification, erasure, objection, and data portability, which individuals can assert directly with the responsible staff. The Decision also provides a process for settling claims.

The OECD Data Protection Commissioner (DPC) enforces the Decision, with powers of investigation and correction to be exercised in full independence during a five-year fixed term (renewable once). The Data Protection Officer (DPO) provides information and advice to staff and individuals, as well as exercising an independent compliance role to support the DPC.  

Individuals can contact the DPO with queries or complaints related to the processing of their personal data. For further assistance in resolving claims related to personal data protection, they can contact the DPC.


Data Protection Officer: Michael Donohue,, +33 1 4524 1479

Data Protection Commissioner: Billy Hawkes,, +33 1 8555 4482


Related Documents