Protection of personal data

Protecting personal data is a fundamental right ensured by the Charter of Fundamental Rights of the European Union.

The EBA is highly committed to ensuring the protection of personal data, and it processes any personal data it collects in line with Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (EUDPR).

Personal data is processed only for the performance of tasks carried out in the public interest on the basis of EU law or in the legitimate exercise of official authority vested in the EBA as an EU authority. Alternatively, the data processing is lawful if it forms part of a legal or contractual obligation or when the individual concerned (data subject) has given explicit consent.


As a general rule, you have the right to be informed about the processing of your personal data, and to access that information at any time and rectify it if it is inaccurate or incomplete. Under certain conditions, you also have a right to erasure, restriction of processing and objection to processing.  Additionally, you have the right to data portability, which allows you to make a request to obtain the personal data that the Data Controller holds on you and to transfer it from one Data Controller to another, where technically possible. Exemptions might be applicable in accordance with EUDPR.

To exercise these rights, you can contact the responsible data controller directly (specific contact details can be found in the relevant record, as published in the EBA’s register of records – see below) or contact the EBA Data Protection Officer at the email address:

For questions or complaints concerning the processing of your personal data, you can turn to the EBA’s Data Protection Officer at Alternatively, you can also have recourse to the European Data Protection Supervisor if you consider that your rights under the EUDPR have been infringed as a result of the EBA processing your personal data.

For more information on how the EBA collects and uses personal data, see the privacy notice.

In accordance with the requirements of Article 25 of EUDPR, the EBA adopted the Decision laying down Internal rules on restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of European Banking Authority (EBA) (EBA/DC/2021/377). Pursuant to this Decision, the EBA may apply restrictions to certain rights of data subjects (such as the right to be informed, right of access, rectification, erasure, restriction of processing etc.). In each case, the EBA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.

The EBA maintains a register of records on its personal data processing activities, in accordance with under Art 31 of the EUDPR.
The register contains general information on the data processing activities, such as:

  • the purposes of the processing;
  • description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed;
  • where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
  • the envisaged time limits for erasure of the different categories of data;
  • a general description of the technical and organisational security measures to protect those personal data.

The EBA updates the central register as and when necessary.


areaActivity Description
Access to documentsAccess to documents
AdministrationEBA Newsletters
Communication strategy and website revamp survey
EBA website and e-services
EBA Learning Hub
EthicsDeclaration of interest
Ethics declarations by non-staff
Confirmation of reading the ethics guidelines and the conflict of interests policy
Ethics workflow
WhistleblowingExternal whistleblowing reporting
Human resources360 degree evaluation
Harassment, informal procedure
Selection of confidential counselors
Recruitment of Temporary and Contract Agents and Seconded National Experts
Recruitment of trainees
Selection procedures (trainees)
Probation and appraisal
Allegro HR management system 
Learning and development
Posted workers
HR administrative inquiries and disciplinary proceedings
Processing of personal data in the context of requests and complaints under Article 90 of the Staff Regulations of Officials
Requests for assistance under Article 24 of the Staff Regulations
Pre-recruitment declaration of interest
Financial contribution for Accredited European School
Medical services
Job shadowing internship
Staff Committee
Staff engagement survey
OperationsManagement of meetings, conferences and other events
Financial transaction
Workspace optimization platform – CONDECO App
Microsoft 365 services for guest access
BoS / MB Signal group - contact details management
Directory & meetings (contact details) organised by the Prudential Pegulation and Supervisory Policy Department

Audio–video communication and collaboration services

Infrastructure services

IT service management

IT workplace services

Network services

Security logging and auditing

Telecommunications services

Procurement and selection of experts

Record of security inquiries
Physical Access Control System
Core activitiesEuReCA - European reporting System for material CFT/AML weaknesses