Privacy notice

EBA website and e-services

The European Banking Authority (EBA) processes your personal data to ensure the access to the EBA website and the e-services described below. The EBA processes your personal data based on Regulation (EU) 2018/1725 (EUDPR).

The following information is provided as established in Articles 15 and 16 of the EUDPR.

Who is the controller?

The EBA is the controller with regard to the data processing activities described in this data protection notice.

For more information on the EBA, please consult the EBA website

What personal data do we process, for what purpose, who can access it and how long do we keep them?

The EBA processes personal data provided to the EBA during the registration process for the e-service such as extranet, training activities, alerts, newsletters, consultation forms, and general inquiries forms.

The primary purpose of processing your data is to provide the data subjects with a seamless and personalised user experience on the EBA website. The EBA processes personal data provided to the EBA during the registration process for the e-service such as provision of general information relating to the EBA, extranet, meeting registration, consultation forms, alerts and general inquiries forms. More specific information about this processing is detailed below:


EBA publishes basic personal data and biographical information about participants in the governance structure, for the sake of transparency to the public. This data may include full names, nationality, employer, and any previous employment.

The data is published by relevant EBA staff members and made publicly available; therefore, the recipients of data could be any members of the public who access the EBA website.

EBA publishes the personal data for as long as the participant is active. Web content is kept for 5 years from the end calendar year of creation then archived permanently for historical research.

2. Extranet

We process personal data to register extranet users and to link accounts to its specific user, in order to allow subscription to notifications, and to control and safeguard the access to information published on extranet. This process also allows external collaborators to share  information required for the performance of activities with EBA.

This data may include full names, work domain, email address, organisation, position, country and phone number. All these categories of data are mandatory when registering extranet users. Mobile phone numbers and postal addresses may be provided in optional fields.

Only EBA Administrators with a relevant role that requires them to process this data can access this information.

The EBA keeps this personal data for as long as an account is active (i.e. until deletion of your account by the EBA). Accounts are deleted within a maximum of 3 working days, following a request for deletion.

3.Consultation forms

Consultations are regarded as an important instrument that ensures that the EBA functions in a transparent manner and engages with all relevant stakeholders who may be providing feedback as a part of public hearings. Personal data is therefore used to finalise specific tasks entrusted to the EBA by the EBA Founding Regulation (Regulation (EU) No 1093/2010).

For this activity the following data may be processed:  Full name, organisation, email address, phone number and comments and opinions provided.

The respective EBA policy experts working on the topic which is subject to the consultation may have access to this data, specifically, when reviewing submitted comments as part of the consultation process. In some instances, responses may be published on the EBA website along with the contributor’s organisation, if you are completing a consultation form and would prefer your comments not to be published on the EBA website, then on the form when asked whether your comments can be disclosed, you should select “no”.

Consultations are related to EBA policy developments. Records relating to policy developments are retained for ten years before a selection of records are archived for historical research and the remainder are destroyed. Where comments are additionally published on the EBA website with the data subjects’ consent, the data published on the website is also retained in line with the Website retention periods (as per section 1 above).

4.General inquiries forms

This form can be used by members of the public who wish to flag a problem or raise a question to EBA via the EBA website. To use this form users must identify themselves. The data is used only to respond to inquiries. This processing allows members of the public to communicate with EBA.

For this activity the following data may be processed: Full name, email address, the type of inquiry selected, and any information included in the description of the inquiry.

The EBA Communications team manages info[at] and has access to this data. They may provide some personal data to relevant EBA staff members where this is necessary for them to respond to your query.

The EBA keep the inquiry with any related emails for as long as it is necessary in order to comply with the principle of good administration.


5. Meeting Registration

Data is captured where participants register for an online or in-person meeting or event, this is necessary for the purpose of facilitating meetings and the organisation and logistics of such meetings.

For this activity the following data may be processed: First name, last name, organisation (national authority), country of departure, city of departure, means of transportation (plane, train, car, other vehicle), email, dietary requirements and special assistance in case of evacuation.

For the purpose of this processing activity personal data may be shared with relevant EBA staff involved in the meetings organisation and reception staff at the EBA premises from the company ‘City one’, only as is needed to facilitate a meeting.

This data is kept for two years from the date of the meeting. The data will then be deleted immediately after this period has expired.


Why do we process your personal data and under what legal basis?

The processing of your personal data by the EBA is lawful since it is necessary for performance of tasks in the public interest attributed by Union legislation and necessary for the management and functioning of the EBA, therefore the processing meets the lawful basis of EUDPR Article 5.1.a

The website, extranet, consultation forms, general inquiries forms and meeting registration process and the subsequent processing of personal data that this entails, are all necessary for EBA to function effectively and perform the tasks attributed to it by Union legislation.

Additionally, the processing of personal data as part of the consultation process is necessary to finalise specific tasks entrusted to the EBA by Union law.

Where personal data from the consultation forms is published on the EBA website this is done with the data subjects’ consent, they have to opt into their data being shared in this manner by confirming they agree to the data in the form being made available on the EBA website. This is therefore lawful in accordance with the lawful basis of EUDPR Article 5.1.d.


Will the processing of your personal data involve any transfer outside of the EU?

Your personal data is processed within the EU/EEA and will not leave that territory.

What are your rights regarding your personal data?

You have the right of access to your personal data and to relevant information concerning how we use it. You have the right to rectify your personal data. Under certain conditions, you have the right to ask that we delete your personal data or restrict its use. You have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time. We will consider your request, take a decision and communicate it to you. For more information, please see Articles 14 to 21, 23, 24 and 25 of the Regulation.

You can send your request by post in a sealed envelope or via email (see section on contact details below).

How to withdraw your consent to the publication of data captured in a consultation form being published on the EBA website and the consequences of doing this

As regards to any personal data captured in consultation forms being published on the EBA website, this is done only with consent as those completing the consultation forms. They are asked whether they agree to this data being published or not.  If you originally agreed to this data being published but now want us to remove this data from the EBA website, please contact the EBA and we will remove this data [at the latest within ten working days after your request].

Please note that withdrawing your consent does not affect the lawfulness of any processing based on your consent before your consent is withdrawn.

You have the right to lodge a complaint

If you have any remarks or complaints regarding the way we process your personal data, we invite you to contact the Data Protection Officer (DPO) of the EBA (see section on contact details below).

You have, in any case, the right to lodge a complaint with the European Data Protection Supervisor, our supervisory authority for data protection matters.

Contact details for enquiries regarding your personal data

Should you wish to contact the EBA, we encourage you to do so by email: (provide functional email of the unit that is in charge of the processing of the personal data) by stating in the subject “Data Protection Enquiry”.

If you wish to contact the DPO of the EBA personally, you can send an e-mail to dpo[at] or a letter to the postal address of the EBA marked for the attention of the DPO of the EBA.

The postal address of the EBA is DEFENSE 4 – EUROPLAZA, 20 Avenue André Prothin, CS 30154, 92927 Paris La Défense CEDEX, France.

You can also find contact information on the EBA’s website: