- Purpose and Scope
- Purpose
- This Policy adopted by the Board of Directors of the Asian Infrastructure Investment Bank (AIIB or the Bank) sets forth the Principles governing the Processing of Personal Data by AIIB. The purpose of this Policy is to ensure that the Bank Processes Personal Data in a consistent manner taking into consideration recognized international standards for the Processing of Personal Data.
- Scope
- This Policy applies to the Processing of Personal Data by AIIB.
- This Policy shall not override, supersede, modify or expand other policy requirements adopted by the AIIB Board of Directors including any provisions set out in the Policy on Prohibited Practices, the Policy on Public Information and the Environmental and Social Framework.
- Purpose
- Definitions
- Bank Personnel. As defined in the Code of Conduct for Bank Personnel.
- Consent. Any freely given, specific, and informed manifestation by the Data Subject of their assent to the Processing of their Personal Data either by a written or oral statement or by a clear affirmative action.
- Data Subject. An identified or identifiable natural person whose Personal Data is subject to Processing by AIIB.
- Personal Data. Any information relating to an identified or identifiable natural person. An identifiable natural person is one whose identity can be known or recognized, directly or indirectly, by reference to an attribute or combination of attributes within the data or combination of the data with other available information. Such attributes include, but are not limited to, name, identification number, location data, online identifier, metadata and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
- Principles. The Personal Data privacy principles set forth in Section 3.
- Processing. Any operation or set of operations, wholly or partly automated or otherwise, which is performed on Personal Data, including but not limited to, collection, recording, storage, use, transmission, disclosure, dissemination, or deletion.
- Principles of Personal Data Privacy
- Principle 1: Legitimate and Fair Processing. AIIB shall Process Personal Data fairly and only for legitimate purposes in accordance with this Policy. The Processing of Personal Data is considered fair and for a legitimate purpose where:
- the Consent of the Data Subject is obtained;
- it is in the vital or best interests of the Data Subject or another person;
- it is necessary for AIIB to perform a contract or comply with a binding obligation or commitment; or
- it is consistent with, or reasonably necessary to, the fulfillment of AIIB’s functions, mandate or purpose.
- Principle 2: Purpose Specification and Limitation and Data Minimization. AIIB shall specify the legitimate purpose(s) for the Processing of Personal Data and shall notify the Data Subject of such purpose(s) no later than at the time of collection or as soon as reasonably practicable after collection. AIIB shall Process Personal Data only for the specified purpose(s) unless the Data Subject Consents to further Processing or if such Processing is compatible with the original specified purpose(s). Further Processing of Personal Data for archiving, research, or statistical purposes shall not be considered incompatible with the original purpose(s). The amount and type of Personal Data collected shall be limited to what is necessary for and proportionate to the legitimate purpose(s) for which it is Processed.
- Principle 3: Data Accuracy. AIIB shall record Personal Data as accurately as possible to the best of its knowledge. Where necessary, AIIB shall update such Personal Data to ensure it fulfills the legitimate purpose(s) for which it is Processed.
- Principle 4: Storage Limitation. AIIB shall keep Personal Data in a form which permits identification of Data Subject(s) for no longer than is necessary for the legitimate purposes for which Personal Data was collected or for further Processing for archiving, research, or statistical purposes. AIIB shall delete Personal Data or render it anonymous as soon as reasonably practicable after such purposes have been fulfilled.
- Principle 5: Data Security. AIIB shall adopt security capabilities that match potential security risks to Personal Data. It shall adopt appropriate technical and organizational measures to protect Personal Data against accidental loss or modification, destruction or damage, and prevent unauthorized or unlawful Processing.
- Principle 6: Transfer of Personal Data. AIIB shall transfer Personal Data to third parties only for legitimate purposes by using appropriate and secure means of transmission. Where AIIB assigns third parties to Process Personal Data on its behalf, it shall take reasonable measures to impose contractual obligations on such third parties to ensure that such Personal Data will receive reasonably equivalent level of protection required by this Policy.
- Principle 7: Accountability. AIIB shall adopt mechanisms to ensure compliance with this Policy and provide Data Subjects with a method, subject to reasonable limitations and conditions, to request:
- information on what Personal Data is Processed by AIIB concerning them, the reason for its Processing, and the period for which it is to be stored;
- the correction of their Personal Data upon showing that it is inaccurate; and
- the deletion of their Personal Data upon showing that its Processing by AIIB does not serve, or no longer serves, a legitimate purpose.
- Principle 1: Legitimate and Fair Processing. AIIB shall Process Personal Data fairly and only for legitimate purposes in accordance with this Policy. The Processing of Personal Data is considered fair and for a legitimate purpose where:
- Derogations
- The Board of Directors may allow a derogation from any of the Principles set out in this Policy if it determines that:
- such derogation is necessary to protect the legitimate interests of AIIB and these aforesaid legitimate interests outweigh the harm arising from derogating from such Principle(s); or
- such derogation is necessary to protect the vital interests of the Data Subject or another person and these aforesaid vital interests outweigh the harm arising from derogating from such Principle(s).
- The President shall submit a recommendation to the Board of Directors when it is to consider applying such derogation(s).
- The Board of Directors may allow a derogation from any of the Principles set out in this Policy if it determines that:
- Implementation
- The President shall ensure observance of this Policy through the issuance of a Directive and shall assign and resource such Bank Personnel as the President considers necessary for the effective and efficient implementation of this Policy.
- Immunities, Privileges and Exemptions
- The Processing of Personal Data in accordance with this Policy is without prejudice to the immunities, privileges and exemptions of AIIB accorded to it, which are specifically reserved.
- Effectivity
- This Policy is effective on July 1, 2022. It shall not cover Personal Data Processed before the effective date.
- Reporting
- The President shall submit to the Board of Directors on an annual basis a report on the implementation of this Policy.