The protection of individuals with regard to the processing of personal data by ESMA is based on Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC as implemented by ESMA in implementing rules adopted by its Management Board.
Central register of all ESMA records of activities processing personal data
Personal data protection
Although you can browse through most of the ESMA website without giving any information about yourself, in some cases, personal information is required in order to provide the e-services you request. Pages that require such information treat it according to the policy described in the Regulation mentioned above.
In this respect:
- ESMA's Data Protection Officer ensures that the provisions of both the Regulation and the Implementing Rules are applied and advises controllers on fulfilling their obligations (see in particular Chapter IV, Section VI of the Regulation).
- For all EU institutions and bodies, the European Data Protection Supervisor (EDPS) acts as an independent supervisory authority (see Chapter VI of the Regulation).
- ESMA maintains records of processing activities in accordance with Article 31 of the Regulation.
What is an e-service?
An e-service on this website is a service or resource made available on the internet in order to improve the communication between citizens and businesses on the one hand and ESMA on the other hand.
Three types of e-services are or may be offered by the ESMA:
- Information services that provide users with easy and effective access to information, thus increasing transparency and understanding of the activities of ESMA.
- Interactive communication services that allow better contacts with ESMA's target public thus facilitating consultations, and feedback mechanisms, in order to contribute to the shaping of policies, activities and services of ESMA.
- Transaction services that allow access to all basic forms of transactions with ESMA, e.g. procurement, financial operations, recruitment, event enrolment, etc.
Third party websites
ESMA’s website provides links to third party sites. Since we do not control them, we encourage you to review their privacy policies.
As a general principle, ESMA only processes personal data for the performance of tasks carried out in the public interest on the basis of the Treaty on the Functioning of the European Union, on the basis of the relevant legislation or in the legitimate exercise of official authority vested in ESMA or in a third party to whom the data are disclosed.
All processing operations of personal data are duly notified to ESMA's Data Protection Officer and, if the case arises, to the European Data Protection Supervisor.
ESMA guarantees that the information collected is processed and/or accessed only by the members of its staff responsible for the corresponding processing operations.
ESMA does not take any decisions based solely on automated processing, including profiling, without human involvement, which produces legal effects concerning natural persons or which similarly affects natural persons.
Unless specified differently in the Records Register, all natural persons providing personal information to ESMA by means of paper or electronic form are deemed to have unambiguously given their consent for the subsequent processing operations in application of article 7 of Regulation. Natural persons have the right to withdraw their consent at any time. Such withdrawal of consent will have no bearing on the lawfulness of any previous processing.
Data subjects have the right to receive information about the processing of their personal data, to access the personal data and to correct any inaccurate or incomplete personal data, as well as to request the erasure, restriction of processing or to object to the processing of their personal data on written request to be addressed to the controller (specific contact details can be found in the relevant record, as published in the Records Register). Data subjects may at any time consult ESMA's Data Protection Officer or have recourse to the European Data Protection Supervisor.
How are data processed by ESMA?
Further information on how your data are processed by ESMA, what are your Rights and how you can exercise them, may be found in the relevant record, as published in the Records Register. In particular, the following information will be included:
- What information is collected and for what purpose. ESMA collects personal information exclusively to the extent necessary to fulfil a specific purpose. The information will not be re-used for an incompatible purpose.
- How long your data is kept. ESMA only keeps the data for the time necessary to fulfil the purpose of collection or further processing.
- To whom your information is disclosed. ESMA will only disclose information to third parties if that is necessary for the fulfilment of the purpose(s) identified above and to the mentioned (categories of) recipients. ESMA will not divulge your personal data for direct marketing purposes.
- Information about international transfers of personal data, where relevant.
- Information about how you can exercise your rights, including on possible applicable restrictions, which may apply and a point of contact if you have queries or complaints.
- The security measures taken to safeguard your information against possible misuse or unauthorised access.
What are your Rights and how you can exercise them?
You are entitled to access information relating to your personal data processed by ESMA, verify its accuracy and, if necessary, correct it in case the data is inaccurate or incomplete. If your personal data is no longer needed for the purpose of the processing, if you withdraw your consent or if the processing operation is unlawful, you have the right to request the erasure of your personal data.
Under certain circumstances, such as if you contest the accuracy of the processed personal data or if you are not sure if your personal data is lawfully processed, you can ask the Data Controller to restrict the personal data processing. You may also object, on compelling legitimate grounds, to the processing of your personal data.
Additionally, you have the right to data portability which allows you to make a request to obtain the personal data that the Data Controller holds on you and to transfer it from one Data Controller to another, where technically possible.
You may exercise your rights by contacting the Data Controller (specific contact details can be found in the relevant record, as published in the Records Register). Exemptions might be applicable in accordance with Regulation (EU) 2018/1725.
In some cases, your rights might be restricted in accordance with Article 25 of Regulation (EU) 2018/1725, ESMA’s Internal Rules and other relevant legal provisions, such as ESMA’s obligation not to disclose confidential information pursuant to professional secrecy, or to prevent prejudice or harm to the supervisory or enforcement functions of a third country authority acting in the exercise of the official authority vested in it. This may include functions relating to the monitoring or assessment of compliance with applicable laws, prevention or investigation of suspected infringement; for important objectives of general public interest, or for the supervision of regulated individuals and entities.
In each case before applying a restriction, ESMA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.
Do we transfer any of your personal data to third countries or international organisations (outside the EU/EEA)?
ESMA will transfer personal data outside of the EU/EEA only where necessary and appropriate to fulfill its obligations in the context of international cooperation in accordance with Article 33 of the ESMA Regulation, as may be further amended, repealed or replaced.
The transfers will be done in accordance with Chapter V of the Regulation (EU) 2018/1725, i.e. where there is a Commission’s adequacy decision recognising a third country as ensuring an adequate level of protection of personal data, or for important reasons of public interest, as recognised in Union or Member State law.
In the absence of an adequacy decision adopted by the Commission, where these transfers are made in the usual course of business or practice, your personal data might be transferred only to third country authorities that are signatories to the IOSCO-ESMA Administrative Arrangement (AA) for the transfer of personal data between EEA and non-EEA securities regulators adopted in accordance with Article 48(3) of the Regulation.
In particular, the following safeguards are provided to personal data exchanged under the AA:
- ESMA will only transfer personal data that are relevant, adequate and limited to what is necessary for the purposes for which they are requested by a third-country authority (TCA);
- The (TCA) receiving personal data from ESMA will have in place appropriate technical and organisational measures to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure;
- The TCA will retain personal data for no longer than is necessary and appropriate for the purpose for which the data are processed;
- No decision will be taken by the TCA concerning a natural person based solely on automated processing of personal data, including profiling, without human involvement;
The TCA will not divulge your personal data for other purposes, such as for marketing or commercial purposes.
In the context of international transfers, your Rights might be exempted or restricted in particular to prevent prejudice or harm to the supervisory or enforcement functions of a TCA under the AA, acting in the exercise of the official authority vested in it, as indicated in the previous section (“What are your Rights and how can you exercise them?”).
If you believe that your personal data have not been handled consistent with the safeguards set out in the AA, you can lodge a complaint or claim at ESMA, at the TCA or both Authorities: for doing so, you can contact the Data Controller (specific contact details can be found in the relevant record, as published in the Records Register. In such event, ESMA and the TCA will use best efforts to settle the dispute or claim amicably in a timely fashion.
In the event where the matter is not resolved, other methods can be used, by which the dispute could be resolved unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation or other non-binding dispute resolution proceedings initiated by the natural person or by the ESMA or the TCA concerned.
If the matter is not resolved through cooperation by the Authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, in situations where you raise a concern and ESMA is of the view that the TCA has not acted consistent with the safeguards set out in the AA, ESMA will suspend the transfer of personal data to the TCA until it is of the view that the issue is satisfactorily addressed by the TCA, and will inform you thereof.
Administrative arrangement for the transfer of personal data between EEA and non-EEA Authorities
- In the absence of an adequacy decision adopted by the Commission, where the transfers of personal data are made in the usual course of business or practice, ESMA will transfer personal data only to third country authorities that are signatories to the IOSCO-ESMA Administrative Arrangement (AA) for the transfer of personal data between EEA and non-EEA securities regulators adopted in accordance with Article 48(3) of the Regulation(EU) 2018/1725;
- The European Data Protection Supervisor (EDPS) authorised ESMA to use the administrative arrangement as ensuring appropriate safeguards for the transfer of personal data to public bodies in third countries not covered by a European Commission adequacy decision, on the basis of the positive opinion of the European Data Protection Board (EDPB) (opinion 4/2019).
|List of IOSCO signatories to the AA||EDPB opinion||EDPS Authorisation Decision||Administrative Arrangement|
How do we treat e-mails you send us?
Some pages on ESMA's websites have a link to our contact mailboxes, which activates your e-mail software and invites you to send your comments. When you send such a message, your personal data is collected only to the extent necessary to reply. If the management team of the mailbox is unable to answer your question, it will forward your e-mail to another service. If you have any questions about the processing of your e-mail and related personal data, do not hesitate to include them in your message.
If you have questions or concerns, please contact: DPO@esma.europa.eu
RIGHT TO RECOURSE
You have the right to lodge a complaint with the European Data Protection Supervisor (firstname.lastname@example.org) ) if you consider that your rights under the Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by ESMA.