Personal Data Protection at the OECD


The OECD has long played a pivotal role in developing policies for the protection of personal data. The 1980 OECD Privacy Guidelines were the first internationally-agreed privacy principles. Updated in 2013, they remain an essential benchmark, including for the OECD's internal rules and practices. This page describes those rules and practices, which apply as well to the entities and bodies within the OECD framework such as the International Energy Agency (IEA), OECD Nuclear Energy Agency (NEA), International Transport Forum (ITF), and the Multilateral Organisation Performance Assessment Network (MOPAN).


Personal Data being processed

The OECD and the entities and bodies within the OECD framework process personal data in the course of delivering their respective public interest missions. For example, the OECD processes personal data to manage and provide benefits to staff and as part of its recruitment process. It also processes data regarding users of OECD websites, which is described in the privacy policy and visitors to the organisation as described in this notice. Similarly, the entities and bodies within the OECD framework may process data as described in the privacy policies on their respective websites.

Other types of processing include data needed to facilitate participation in meetings and events, and to access and comment on documents. Personal data may also be processed as part of the evidence gathering process to support policy making, for example, through surveys of individuals. Such data uses may be the subject of separate data protection notices as appropriate.


The OECD’s data protection rules

All staff are obligated to implement transparent and appropriate measures to protect individuals in relation to the processing of their personal data. The OECD rules are set forth in the Decision of the Secretary-General on the Protection of Individuals with regard to the Processing of their Personal Data (“Decision"), which applies to the processing of personal data by OECD staff and contractors and is included in Annex XII of the Staff Rules and Regulations.

The rules require that personal data be processed in a transparent manner for legitimate purposes to deliver the relevant mission and work programme. Personal data are to be adequate, relevant, kept up-to-date, limited to what is needed and retained for no longer than necessary. There are significant limitations related to the processing of sensitive personal data, automated processing, including profiling, and for high risk processing.

Risk Assessment is mandatory, with data protection by design and default integrated into the process. Security risks are addressed through technical and organisational measures reasonably appropriate to the risk. In the event of a personal data breach, notification requirements would be triggered.


Individual Rights and Oversight

The Decision provides rights for individuals with respect to their personal data. Those rights cover access, rectification, erasure, objection, and data portability, which individuals can assert directly with the responsible staff. The Decision also provides a process for settling claims.

The OECD Data Protection Commissioner (DPC) enforces the Decision, with powers of investigation and correction to be exercised in full independence during a five-year fixed term (renewable once). As part of his duties, the DPC also submits an annual activity report to the Secretary-General (20202019).

The Data Protection Officer (DPO) provides information and advice to staff and individuals, as well as exercising an independent compliance role to support the DPC.  

Individuals can contact the DPO with queries or complaints related to the processing of their personal data. For further assistance in resolving claims related to personal data protection, they can contact the DPC.

Data Protection Officer: Michael Donohue,, +33 1 4524 1479

Data Protection Commissioner: Billy Hawkes,, +33 1 8555 4482


Related Documents