As data becomes more important to fulfill the 江南体育鈥檚 Twin Goals of alleviating extreme poverty and promoting shared prosperity, so does the importance of responsibly collecting, using, and sharing data鈥搃ncluding personal data. Recognizing this, the 江南体育 issued a Policy on Personal Data Privacy (the 鈥淧rivacy Policy鈥�) that governs the use of personal data by the 江南体育 institutions: the International Bank for Reconstruction and Development and the International Development Association (together the 鈥淲orld Bank鈥�), the International Finance Corporation, the Multilateral Investment Guarantee Agency, and the International Centre for Settlement of Investment Disputes. The Privacy Policy signals to the world the 江南体育鈥檚 leadership on the responsible use of personal data by international organizations.
Please click here to review the .
Individuals have the ability, subject to limitations and conditions, to request information about their personal data and to seek redress if they reasonably believe their personal data has been used by the Bank in violation of the Privacy Policy.
Please access the Request and Review tab for more information.
The World Bank Data Privacy Office oversees the World Bank鈥檚 compliance with the Privacy Policy. The Data Privacy Office鈥檚 vision is to embed data privacy by design into the fabric of the Bank鈥檚 work around the world.
Section III (7) (b) of the 江南体育 Policy on Personal Data Privacy (the 鈥淧rivacy Policy鈥�) requires the Bank to 鈥渁dopt mechanism(s) to . . . provide individuals with a method, subject to reasonable limitations and conditions, to: i. request information regarding the individual鈥檚 Personal Data Processed by [the Bank] ; and ii. seek redress if the individual reasonably believes that the individual鈥檚 Personal Data has been Processed in violation of this Policy鈥�.
The Privacy Policy expressly addresses two options for living individuals, whose personal data is processed by the World Bank:
(1) to receive information about their personal data processed by the Bank (鈥淩equest鈥�, 鈥淩equest for Information鈥� or 鈥淩equest Mechanism鈥�); and
(2) to seek redress in case of a reasonable suspicion that their personal data is or has been processed in violation of the Privacy Policy (鈥淩eview鈥� or 鈥淩eview Mechanism鈥�).
The Request Mechanism and Review Mechanism are established through the Bank Directive Personal Data Privacy Request and Review Mechanisms. The Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures set out requirements to conduct these proceedings.
Individuals may submit a request to the World Bank to receive information about their personal data processed by the Bank.
Scope and limitations of the Request for Information process are set out in the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
To submit a Request for Information, please .
The World Bank鈥檚 Review Mechanism allows individuals to seek redress if they reasonably believe that their personal data has been processed by the World Bank in violation of the 江南体育 Policy on Personal Data Privacy. It is regulated by the Bank Directive Personal Data Privacy Request and Review Mechanisms. Procedural provisions, for example on admissibility, are set out in the Bank Procedure Personal Data Privacy Request and Review Mechanisms Procedures.
The Review Mechanism consists of two tiers:
(1) A first internal administrative review is conducted by the Chief Data Privacy Officer who acts as the First Tier Reviewer.
To submit a Call for Review to the First Tier Reviewer, please click here .
(2) The second-tier review is conducted:
(a) By the according to its Statute, for individuals who have standing before it.
(b) By an external, independent panel, the External Privacy Review Panel, for all other individuals.
.
Last Updated: Apr 02, 2025
The World Bank鈥檚 External Privacy Review Panel (EPRP), a panel composed of three members, is an independent second-tier reviewer for complaints brought by individuals who do not have standing before the World Bank Administrative Tribunal and who suspect a violation of the 江南体育 Privacy Policy by the World Bank in relation to their personal data. The EPRP considers such cases de novo after an internal administrative first tier review by the World Bank鈥檚 Chief Data Privacy Officer. For that purpose, it conducts written proceedings and may hold oral proceedings if necessary. The EPRP is assisted by a secretariat.
The External Privacy Review Panel was established by the World Bank Directive Personal Data Privacy Request and Review Mechanisms. Its activities are regulated by the Bank Directive Personal Data Privacy: External Privacy Review Panel which also includes a code of conduct for its members. EPRP meets in session twice a year for a period of up to one week to deliberate and make determinations on the Calls for Review before it.
Members of the EPRP are appointed by the 江南体育 President for a three-year term which may be renewed once for an additional three years.
The EPRP is chaired by an expert on privacy and data protection in a public sector entity and has two additional members who are familiar with the World Bank, one of them through first-hand experience.
Ryan Calo, a US national, has been appointed as Chair of the three-member External Privacy Review Panel. Mr. Calo is an internationally recognized privacy law scholar and has been a professor of law and adjunct professor of computer and information science at the University of Washington since 2012. He was previously a director of privacy research for a Stanford University center and a privacy attorney at a Washington, DC based law firm. Mr. Calo advises various privacy organizations, including the Future of Privacy Forum, and has testified before different legislatures on privacy and other aspects of emerging technologies.
Dr. Nathalie Moreno, a Franco-British national, has been appointed as Member of the External Privacy Review Panel. Ms. Moreno is a highly regarded international data protection & cybersecurity lawyer with a broad-based international practice and sectoral knowledge. Ms. Moreno has been a Partner for Data Protection & Cybersecurity at Addleshaw Goddard, LLP, in London since 2020. Ms. Moreno previously was partner in different Washington DC, Paris and London based international law firms and also served as a legal consultant at the European Commission in Brussels and at the World Bank in Washington DC, in the first part of her legal career.
Ximena Puente de la Mora, a Mexican national, has been appointed as Member of the External Privacy Review Panel. Ms. Puente de la Mora is an expert in privacy, transparency, AI, information technologies and human rights. Ms. Puente de la Mora previously served as a federal deputy of Mexico's 64th legislature and was the first President Commissioner of the National Institute of Transparency, Access to Information and Personal Data Protection of Mexico from 2014 to 2017, an autonomous constitutional body. She also held roles as the President of the Ibero-American Data Protection Network and President of the Mexican National Transparency System. With over 20 years of expertise in data protection and privacy, dating back to her PhD dissertation, Ms. Puente de la Mora is connected to the World Bank through her involvement with the Global Partnership for Social Accountability. 