Protecting personal data is a fundamental right provided for in the Charter of Fundamental Rights of the European Union.

The EBA is highly committed to ensuring the protection of personal data, and it processes any personal data it collects in line with Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (EUDPR).

Personal data is processed only for the performance of tasks carried out in the public interest on the basis of EU law or in the legitimate exercise of official authority vested in the EBA as an EU authority. Alternatively, the data processing is lawful if it forms part of a legal or contractual obligation or when the individual concerned (data subject) has given explicit consent.

How to exercise your rights as a data subject

As a general rule, you have the right to be informed about the processing of your personal data, and to access that information at any time and rectify it if it is inaccurate or incomplete. Under certain conditions, you also have a right to erasure, restriction of processing and objection to processing. Additionally, you have the right to data portability, which allows you to make a request to obtain the personal data that the Data Controller holds on you and to transfer it from one Data Controller to another, where technically possible. Exemptions might be applicable in accordance with EUDPR.

To exercise these rights, you can contact the responsible data controller directly (specific contact details can be found in the relevant record, as published in the EBA’s register of records – see below) or contact the EBA Data Protection Officer at the email address:

For questions or complaints concerning the processing of your personal data, you can turn to the EBA’s Data Protection Officer at Alternatively, you can also have recourse to the European Data Protection Supervisor if you consider that your rights under the EUDPR have been infringed as a result of the EBA processing your personal data.

For more information on how the EBA collects and uses personal data, see the privacy notice.

Decision on Internal rules concerning restrictions of certain rights of data subjects

In accordance with the requirements of Article 25 of EUDPR, the EBA adopted the Decision laying down Internal rules on restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of European Banking Authority (EBA) (EBA/DC/2021/377). Pursuant to this Decision, the EBA may apply restrictions to certain rights of data subjects (such as the right to be informed, right of access, rectification, erasure, restriction of processing etc.). In each case, the EBA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.

Register of records of activities processing personal data

The EBA maintains a register of records on its personal data processing activities, in accordance with Art. 31 of the EUDPR.
The register contains general information on the data processing activities, such as:

  • the purposes of the processing;
  • description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed;
  • where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
  • the envisaged time limits for erasure of the different categories of data;
  • a general description of the technical and organisational security measures to protect those personal data.

The EBA updates the central register as and when necessary.