Legal Notice and Data Protection
The protection of individuals with regard to the processing of personal data by ESMA is based on Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC as implemented by ESMA in implementing rules adopted by its Management Board.
Personal Data Protection
Although you can browse through most of the ESMA website without giving any information about yourself, in some cases, personal information is required in order to provide the e-services you request. Pages that require such information treat it according to the policy described in the Regulation mentioned above.
In this respect:
- ESMA's Data Protection Officer ensures that the provisions of both the Regulation and the Implementing Rules are applied and advises controllers on fulfilling their obligations (see in particular Chapter IV, Section VI of the Regulation).
- For all EU institutions and bodies, the European Data Protection Supervisor (EDPS) acts as an independent supervisory authority (see Chapter VI of the Regulation).
- ESMA maintains records of processing activities in accordance with Article 31 of the Regulation.
ESMA has the legal obligation to keep a central register of records of activities processing personal data (Article 31 of Regulation 2018/1725).
The register shall contain at least the following information:
- name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller;
- the purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures to protect those personal data;
- information about data subjects’ rights and on how to exercise those rights.
The list of records of ESMA’s activities processing personal data, with hyperlinks to the relevant record, follows:
What is an e-service?
An e-service on this website is a service or resource made available on the internet in order to improve the communication between citizens and businesses on the one hand and ESMA on the other hand.
Three types of e-services are or may be offered by ESMA:
- Information services that provide users with easy and effective access to information, thus increasing transparency and understanding of the activities of ESMA.
- Interactive communication services that allow better contacts with ESMA's target public thus facilitating consultations, and feedback mechanisms, in order to contribute to the shaping of policies, activities and services of ESMA.
- Transaction services that allow access to all basic forms of transactions with ESMA, e.g. procurement, financial operations, recruitment, event enrolment, etc.
Third party websites
ESMA’s website provides links to third party sites. Since we do not control them, we encourage you to review their privacy policies.
As a general principle, ESMA only processes personal data for the performance of tasks carried out in the public interest on the basis of the Treaty on the Functioning of the European Union, on the basis of the relevant legislation or in the legitimate exercise of official authority vested in ESMA or in a third party to whom the data are disclosed.
All processing operations of personal data are duly notified to ESMA's Data Protection Officer and, if the case arises, to the European Data Protection Supervisor.
ESMA guarantees that the information collected is processed and/or accessed only by the members of its staff responsible for the corresponding processing operations.
ESMA does not take any decisions based solely on automated processing, including profiling, without human involvement, which produces legal effects concerning natural persons or which similarly affects natural persons.
Unless specified differently in the Records Register, all natural persons providing personal information to ESMA by means of paper or electronic form are deemed to have unambiguously given their consent for the subsequent processing operations in application of Article 7 of the Regulation. Natural persons have the right to withdraw their consent at any time. Such withdrawal of consent will have no bearing on the lawfulness of any previous processing.
Data subjects have the right to receive information about the processing of their personal data, to access the personal data and to correct any inaccurate or incomplete personal data, as well as to request the erasure, restriction of processing or to object to the processing of their personal data on written request to be addressed to the controller (specific contact details can be found in the relevant record, as published in the Records Register). Data subjects may at any time consult ESMA's Data Protection Officer or have recourse to the European Data Protection Supervisor.
How are data processed by ESMA?
Further information on how your data are processed by ESMA, what your rights are and how you can exercise them may be found in the relevant record, as published in the Records Register. In particular, the following information will be included:
- What information is collected and for what purpose. ESMA collects personal information exclusively to the extent necessary to fulfil a specific purpose. The information will not be re-used for an incompatible purpose.
- How long your data is kept. ESMA only keeps the data for the time necessary to fulfil the purpose of collection or further processing.
- To whom your information is disclosed. ESMA will only disclose information to third parties if that is necessary for the fulfilment of the purpose(s) identified above and to the mentioned (categories of) recipients. ESMA will not divulge your personal data for direct marketing purposes.
- Information about international transfers of personal data, where relevant.
- Information about how you can exercise your rights, including possible applicable restrictions, and a point of contact if you have queries or complaints.
- The security measures taken to safeguard your information against possible misuse or unauthorised access.
What are your rights and how can you exercise them?
You are entitled to access information relating to your personal data processed by ESMA, verify its accuracy and, if necessary, correct it in case the data is inaccurate or incomplete. If your personal data is no longer needed for the purpose of the processing, if you withdraw your consent or if the processing operation is unlawful, you have the right to request the erasure of your personal data.
Under certain circumstances, such as if you contest the accuracy of the processed personal data or if you are not sure if your personal data is lawfully processed, you can ask the Data Controller to restrict the personal data processing. You may also object, on compelling legitimate grounds, to the processing of your personal data.
Additionally, you have the right to data portability which allows you to make a request to obtain the personal data that the Data Controller holds on you and to transfer it from one Data Controller to another, where technically possible.
You may exercise your rights by contacting the Data Controller (specific contact details can be found in the relevant record, as published in the Records Register). Exemptions might be applicable in accordance with Regulation (EU) 2018/1725.
In some cases, your rights might be restricted in accordance with Article 25 of Regulation (EU) 2018/1725, ESMA’s Internal Rules and other relevant legal provisions, such as ESMA’s obligation not to disclose confidential information pursuant to professional secrecy, or to prevent prejudice or harm to the supervisory or enforcement functions of a third country authority acting in the exercise of the official authority vested in it. This may include functions relating to the monitoring or assessment of compliance with applicable laws, prevention or investigation of suspected infringement; for important objectives of general public interest, or for the supervision of regulated individuals and entities.
In each case before applying a restriction, ESMA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.
Decision on internal rules concerning restrictions of certain rights of data subjects
- In accordance with the requirements of Article 25 of Regulation (EU) 2018/1725, ESMA adopted a Decision laying down Internal rules on restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of ESMA (OJ L 303, 25.11.2019, p. 31–36, “the Decision”). Pursuant to this Decision, ESMA may apply restrictions to certain rights of data subjects (such as the right to be informed, right of access, rectification, erasure, restriction of processing etc.).
- In each case, ESMA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.
Do we transfer any of your personal data to third countries or international organisations (outside the EU/EEA)?
ESMA will transfer personal data outside of the EU/EEA only where necessary and appropriate to fulfil its obligations in the context of international cooperation in accordance with Article 33 of the ESMA Regulation, as may be further amended, repealed or replaced.
The transfers will be done in accordance with Chapter V of Regulation (EU) 2018/1725, i.e. where there is a Commission adequacy decision recognising a third country as ensuring an adequate level of protection of personal data, or for important reasons of public interest, as recognised in Union or Member State law.
In the absence of an adequacy decision adopted by the Commission, where these transfers are made in the usual course of business or practice, your personal data might be transferred only to third country authorities that are signatories to the IOSCO-ESMA Administrative Arrangement (AA) for the transfer of personal data between EEA and non-EEA securities regulators adopted in accordance with Article 48(3) of the Regulation.
In particular, the following safeguards are provided to personal data exchanged under the AA:
- ESMA will only transfer personal data that are relevant, adequate and limited to what is necessary for the purposes for which they are requested by a third-country authority (TCA);
- The TCA receiving personal data from ESMA will have in place appropriate technical and organisational measures to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure;
- The TCA will retain personal data for no longer than is necessary and appropriate for the purpose for which the data are processed;
- No decision will be taken by the TCA concerning a natural person based solely on automated processing of personal data, including profiling, without human involvement;
- The TCA will not divulge your personal data for other purposes, such as for marketing or commercial purposes.
In the context of international transfers, your Rights might be exempted or restricted in particular to prevent prejudice or harm to the supervisory or enforcement functions of a TCA under the AA, acting in the exercise of the official authority vested in it, as indicated in the previous section (“What are your Rights and how can you exercise them?”).
If you believe that your personal data have not been handled consistently with the safeguards set out in the AA, you can lodge a complaint or claim with ESMA, the TCA or both Authorities. To do so, you can contact the Data Controller (specific contact details can be found in the relevant record, as published in the Records Register). In such event, ESMA and the TCA will use best efforts to settle the dispute or claim amicably in a timely fashion.
If the matter is not resolved, other methods by which the dispute could be resolved can be used, unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation or other non-binding dispute resolution proceedings initiated by the natural person or by ESMA or the TCA concerned.
If the matter is not resolved through cooperation by the Authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, in situations where you raise a concern and ESMA is of the view that the TCA has not acted consistent with the safeguards set out in the AA, ESMA will suspend the transfer of personal data to the TCA until it is of the view that the issue is satisfactorily addressed by the TCA, and will inform you thereof.
Administrative arrangement for the transfer of personal data between EEA and non-EEA authorities
- In the absence of an adequacy decision adopted by the Commission, where the transfers of personal data are made in the usual course of business or practice, ESMA will transfer personal data only to third country authorities that are signatories to the IOSCO-ESMA Administrative Arrangement (AA) for the transfer of personal data between EEA and non-EEA securities regulators adopted in accordance with Article 48(3) of Regulation (EU) 2018/1725;
- The European Data Protection Supervisor (EDPS) authorised ESMA to use the administrative arrangement as ensuring appropriate safeguards for the transfer of personal data to public bodies in third countries not covered by a European Commission adequacy decision, on the basis of the positive opinion of the European Data Protection Board (EDPB) (opinion 4/2019).
How do we treat e-mails you send us?
Some pages on ESMA's websites have a link to our contact mailboxes, which activates your e-mail software and invites you to send your comments. When you send such a message, your personal data is collected only to the extent necessary to reply. If the management team of the mailbox is unable to answer your question, it will forward your e-mail to another service. If you have any questions about the processing of your e-mail and related personal data, do not hesitate to include them in your message.
ESMA owns the copyright for all material on this website. This copyright does not extend to any legislative text which is publicly available or to other third party’s materials.
ESMA's name, abbreviation and logo are the exclusive property of the European Securities and Markets Authority and are protected under the Paris Convention for the Protection of Industrial Property of 20 March 1883 and national laws implementing the Convention.
ESMA's logo and other images may not be used without prior permission except when reproducing ESMA material containing the logo or other images.
Where copyright vests in a third party, permission for reproduction must be obtained from this copyright holder.
Reproduction of all information on this site (ESMA Library) is authorised except as otherwise stated, provided the source is acknowledged and:
1. where the original material is incorporated in documents that are sold (regardless of the medium), the publisher must inform buyers that it may be obtained free of charge through the ESMA website;
2. if the original material is transformed by the user (e.g. by making a summary of it or by translating it) and republished, this must be stated explicitly through the following disclaimer:
   - ‘This document has been drafted using material downloaded from ESMA’s website’ (or alternatively ‘This document constitutes a translation of a document downloaded from ESMA’s website’);
   - ‘ESMA does not endorse this publication and in no way is liable for copyright or other intellectual property rights infringements nor for any damages caused to third parties through this publication’;
3. when linking to the ESMA website from business sites or for promotional purposes, the ESMA website content and its source must be clearly identifiable separately from any other content;
4. any document in which this material is displayed does not:
   - in any way imply that ESMA is endorsing a firm, journal or publication or any particular products, services or communications;
   - present false or misleading information concerning ESMA;
   - contain content that could be construed as distasteful, offensive or controversial;
   - infringe any intellectual property or other rights of any person or otherwise not comply with any relevant law or regulation.
- ESMA tries to ensure that the information on this website is timely and accurate.
- The information on this website is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity.
- The information on this website can under no circumstances be regarded as professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.
- ESMA accepts no responsibility or liability whatsoever with regard to the information on this website. ESMA is not liable for any damage arising from use or inability to use this website, for any material contained in it, or from any action or decision taken as a result of using this website or any such material.
- This disclaimer is neither intended to limit the liability of ESMA in contravention of any requirements laid down in applicable law nor to exclude its liability for matters which may not be excluded under that law.
- This website offers links to other websites. ESMA has no control over the linked websites and is not responsible for the contents of any linked website or for any problems incurred as a result of using any linked website. Offering links to other websites should not be taken as an endorsement of any kind from ESMA.
- By accessing any part of this website, you will be deemed to have accepted the terms of this legal notice.
For any questions on this legal notice, you may contact firstname.lastname@example.org.
If you have questions or concerns, please contact: DPO@esma.europa.eu.
Right to recourse
You have the right to lodge a complaint with the European Data Protection Supervisor (email@example.com) if you consider that your rights under the Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by ESMA.