Terms and conditions for the ECB Information Management System ASTRA
The User who being granted access to the “ASTRA” information management system of the European Central Bank (the ECB) acknowledges and undertakes to abide by the terms and conditions (the Terms and Conditions) set out below.
Any content held in ASTRA, whether uploaded by the User or the ECB, will be considered to be ECB information.
The right to use ASTRA
The ECB grants the User a temporary, non-exclusive, non-transferable right to use ASTRA strictly in conformity with these Terms and Conditions. The ECB provides access to ASTRA exclusively for the purpose of exchanging information with the User. No ownership of the underlying software is hereby conferred on the User.
Access to ASTRA shall not be transferred by the User to any third party. In particular, the User is not permitted to rent, sublicense or otherwise provide access to ASTRA to third parties, unless expressly authorised to do so by the ECB.
The User is not entitled to use ASTRA outside the scope of the usage rights granted in these Terms and Conditions. The ECB may claim, without waiving any other rights or claims, the costs arising from any usage that exceeds this scope.
The granting and restriction of the aforesaid usage rights also extends to all documents provided by the ECB through or for ASTRA.
Access to ASTRA
The ECB reserves the exclusive right to control access to information held in ASTRA. The ECB will periodically verify and update access rights.
The ECB may, at any time, withdraw the User’s right to access parts or the entirety of ASTRA, without providing any reason, but in particular if the User has violated the acceptable use policy to which he or she consented during the registration process. Upon such withdrawal, the User shall immediately cease to use ASTRA.
The User shall inform the ECB, without undue delay, should the exchange of information with the ECB no longer be required – for example, because he or she is leaving his or her organisation or no longer has the responsibilities for which access to ASTRA was granted.
Sensitive ECB information
ECB information shall be protected from unauthorised access and misuse, as this might have a potentially negative business, reputational or financial impact.
ECB-PUBLIC, ECB-UNRESTRICTED, ECB-RESTRICTED and ECB-CONFIDENTIAL information may be shared via ASTRA in line with the guidance provided below.
ECB-RESTRICTED
Unauthorised access or misuse would be likely to have a MEDIUM negative impact on the ECB, the European System of Central Banks (ESCB) or the Single Supervisory Mechanism (SSM) and/or would be likely to have one or more of the following consequences:
- unsatisfactory quality or significant delays in the performance of the ECB’s processes, including the delivery of one or more projects, affecting its ability to achieve its key business objectives (as enshrined in the Treaty), or a partial failure to provide advisory functions
- market disturbance and unwanted significant market movements during any one day
- credibility affected over the short term (three months to one year)
- negative items of information and/or opinions
- media coverage in one or a few internationally recognised newspapers
- an impact on financial assets (i.e. the financial loss and the additional costs of repeating activities or correcting damage, after taking existing insurance into consideration) of between €100,000 and €1 million
ECB-CONFIDENTIAL
Unauthorised access or misuse would be likely to have a HIGH negative impact on the ECB, the ESCB or the SSM and/or would be likely to have one or more of the following consequences:
- a partial failure to perform the ECB’s processes, including the delivery of one or more projects, affecting its ability to achieve its key business objectives (as enshrined in the Treaty), or a failure to provide advisory functions
- adverse market reaction and significant market movements over a period of between one day and one week
- credibility affected over the medium term (one to three years)
- credible and negative items of information and/or opinions
- international media coverage, including in most internationally recognised newspapers
- an impact on financial assets of between €1 million and €10 million
Confidentiality
The User shall treat any information he or she is granted access to in ASTRA in the strictest confidence and shall not share or divulge this information to any unauthorised person(s). The names and logos of the ECB or its service providers, as displayed or mentioned in these Terms and Conditions, on the ECB's website or in the ASTRA workspace, are protected by statutory law. The User shall not use the ECB’s name without the ECB’s prior written consent.
Source code
The User is not entitled to receive the source code for ASTRA and shall not reverse engineer the underlying software. The User is also not authorised to change, develop or otherwise modify ASTRA, or to produce derivative works based on or incorporating ASTRA.
Any violation of the above obligation shall result in the immediate suspension of the User’s ASTRA access and usage rights. Additional rights and legal claims of the ECB shall remain unaffected by any such suspension.
The distribution, downloading and external use of information
When printing or downloading information to which access has been granted, the User shall ensure that it cannot be accessed by or disclosed to unauthorised third parties.
The User is responsible for ensuring that any such information is properly protected, both technically and physically, in accordance with its classification, as outlined below:
- the User shall ensure that the proper IT mechanisms for identification, authentication and access management (the authorisation of access to information and the enforcement of restrictions) are applied with regard to sensitive ECB information stored in the User’s IT systems
- the User shall ensure that IT security requirements are applied, irrespective of the system used to store or process sensitive ECB information
- the User shall ensure that physical security protection measures are applied to sensitive ECB information, in proportion to the negative impact that the unauthorised access to or the disclosure of such information could have
- the User shall ensure that areas containing sensitive information are protected against unauthorised access and that sensitive ECB information is not left unattended in areas in which unauthorised access to this information is possible
- the User shall ensure that persons with custody of sensitive ECB information store it securely when it is left unattended – appropriate equipment must be used when disposing of sensitive ECB information
Retention and disposal
The retention and disposal of information stored in ASTRA will be managed by the ECB in accordance with its retention policy.
The User shall ensure that locally downloaded ECB information is disposed of as soon as it is no longer needed to execute ECB-related tasks.
Uploading information
The User shall upload information to ASTRA in accordance with the information management guidelines available to all ASTRA users via the folder in ASTRA entitled “How to use ASTRA”.
If the User uploads information to ASTRA, he or she shall ensure it is assigned with the appropriate security classification. Information exceeding the levels of sensitivity specified above must not be uploaded to ASTRA.
The User warrants that information shall only be uploaded if it is necessary and relates to the policies, tasks, activities or decisions of the ECB, including the tasks performed in accordance with the Union Treaties, Protocol (No 4) on the Statute of the European System of Central Banks and of the European Central Bank, and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63), and that the provision, publication and use of such information is in accordance with the law – in particular criminal, copyright and trademark law – and personal rights.
In the event of a dispute, the User shall indemnify the ECB and hold it harmless against all third-party claims in accordance with statutory law.
Audit trail
Any action performed on information in ASTRA will be registered in the a corresponding audit trail in the system. The ECB has the right to use the audit trail for the purpose of monitoring compliance with the requirements specified in this declaration.
Incident reporting and suspension of access
If sensitive information is exchanged by the User in breach of confidentiality, data protection or other requirements imposed by law and/or this declaration, the User shall take the appropriate measures to remedy the breach and to prevent the information from being further disseminated. Any incident involving the unauthorised disclosure of information must be reported to the ECB without undue delay (at the latest within 24 hours of its occurrence). The ECB may suspend the User’s access to ASTRA and may ask the User to erase any locally stored information with immediate effect if the ECB deems this to be necessary in order to prevent a breach of this declaration or to ensure compliance with any legal provision applicable to the User.
Warranty and liability
Although the ECB and its service providers have attempted to provide accurate information with regard to ASTRA, the ECB assumes no responsibility for the accuracy or inaccuracy of that information. Accessing and using ASTRA is solely at the User’s own risk.
To the extent permitted by the applicable laws, ASTRA is provided by the ECB “as is” and the ECB disclaims all warranties, conditions and other obligations of any kind, whether expressed or implied, including, but not limited to implied warranties of fitness for a particular purpose or non-infringement, or warranties arising from the course of dealing, usage or trade practice.
In relation to the provision of ASTRA or the information provided therein, the ECB shall be liable for any deliberate or negligent act or omission, in accordance with statutory law. This liability shall not exceed €10,000. Nothing in these Terms and Conditions shall limit the ECB’s liability in the event of deliberate acts, gross negligence, liability pursuant to the provisions of the German Product Liability Act (Produkthaftungsgesetz), or in any other case of mandatory statutory liability, in accordance, in each case, with the relevant statutory provisions.
Data protection
ASTRA Users’ personal data shall be processed by the ECB, in its capacity as data controller, in accordance with Regulation (EU) 2018/1725. In order to grant access to ASTRA, as well as for audit and information management purposes, the ECB processes Users’ names and contact details. Data regarding Users’ use of ASTRA (log files) and their actions in respect of items (audit trail) are stored in ASTRA.
Privacy notice
Users’ personal data shall be processed in accordance with EU data protection law (Regulation (EU) 2018/1725). The personal data collected are a User’s full name, email address, phone number and, in some cases, job title.
The ECB is the controller for the processing of these personal data, while the Directorate General Information Systems (Enterprise Domain Services Division) is the unit entrusted with the processing.
For the creation of user accounts for ASTRA, the data are processed on behalf of the ECB by the external service providers OneWelcome and OpenText. For further information, consult the OneWelcome privacy policy and the OpenText privacy policy.
Personal data are processed for the performance of a task carried out in the public interest (pursuant to Article 5(1)(a) of Regulation (EU) 2018/1725). In particular, the personal data are necessary for the secure sharing of information between the ECB and third parties in order to collaborate on information.
The recipients of these personal data will be all other Users in the same ASTRA space, as well as dedicated staff members of the ECB and of the service providers of the components of the ASTRA system (OneWelcome and the OpenText Corporation, and its subcontractor Google Ireland Ltd).
Users’ data will be stored in data centres located in the European Economic Area (EEA) and hosted by Google Ireland Ltd acting as a subcontractor of OpenText (see Google privacy policy). These data may be accessed by selected staff members of the OpenText Corporation based on an Adequacy Decision of the European Commission which states that a third country ensures an adequate level of protection of personal data, either based on its domestic law or because it has entered into international commitments.
The personal data needed to create a user account will be stored in the designated ECB staff member’s mailbox for a maximum of one year after they are received. They will be stored in OneWelcome for as long as the User is actively collaborating with the ECB and will be deleted within 12 months of the User becoming inactive. In ASTRA, personal data (name and email address) will be kept in the audit log until the documents are deleted manually, or in accordance with the retention period applicable to the document under the ECB’s filing and retention plan.
In accordance with the above-mentioned Regulation, the User has the right to access or rectify his or her personal data that are processed by the ECB. The User may also (subject to certain limitations) exercise the right to restrict the processing of his or her personal data or to request their deletion, by contacting the ECB.
The User can exercise his or her rights by contacting the ECB at ASTRAdataprocessing@ecb.europa.eu. Any queries relating to the protection of personal data should be addressed to the ECB’s Data Protection Officer, who can be contacted at dpo@ecb.europa.eu.
If the User considers that his or her rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of his or her personal data, the User may, at any time, lodge a complaint with the European Data Protection Supervisor.
Dispute settlement and applicable law
These Terms and Conditions shall be governed in all respects by German law, including their validity, construction and performance, and without regard to principles of conflicts of law or the United Nations Convention on Contracts for the International Sale of Goods.
Where the User is a business person within the meaning of the German Commercial Code (Handelsgesetzbuch), a legal entity governed by public law or a local authority (Gebietskörperschaft) under public law, the exclusive place of jurisdiction for all disputes arising in connection with these Terms and Conditions shall be Frankfurt am Main, Germany. If a party to the Contract has no general venue (as defined in the German Code of Civil Procedure – Zivilprozessordnung) in the Federal Republic of Germany, the exclusive place of jurisdiction for all disputes arising in connection with the Contract shall be Frankfurt am Main, Germany.
The User is advised to keep a copy of these Terms and Conditions for his or her own reference.