Skip to main content



Search form

Data protection

Data protection

The protection of individuals with regard to the processing of personal data by ESMA is based on Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 as implemented by ESMA in implementing rules adopted by its Management Board.

Register of the Data Protection Officer

    Personal data protection

    Although you can browse through most of the ESMA website without giving any information about yourself, in some cases, personal information is required in order to provide the e-services you request. Pages that require such information treat it according to the policy described in the Regulation mentioned above.

    In this respect:

    • For each specific e-service, a controller determines the purposes and means of the processing of personal data and ensures conformity of the specific e-service with the privacy policy.
    • ESMA's Data Protection Officer ensures that the provisions of both the Regulation and the Implementing Rules are applied and advises controllers on fulfilling their obligations (see in particular Articles 24 of the Regulation).
    • For all EU institutions and bodies, the European Data Protection Supervisor (EDPS) acts as an independent supervisory authority (see Articles 41 to 45 of the Regulation).
    • ESMA notifies the EDPS of processing operations likely to present specific risks within the meaning of Article 27 of the Regulation.
    • ESMA maintains a register of processing operations notified in accordance with Article 25 of the Regulation.

    What is an e-service?

    An e-service on this website is a service or resource made available on the internet in order to improve the communication between citizens and businesses on the one hand and ESMA on the other hand.

    Three types of e-services are or may be offered by the ESMA:

    1. Information services that provide users with easy and effective access to information, thus increasing transparency and understanding of the activities of ESMA.
    2. Interactive communication services that allow better contacts with ESMA's target public thus facilitating consultations, and feedback mechanisms, in order to contribute to the shaping of policies, activities and services of ESMA.
    3. Transaction services that allow access to all basic forms of transactions with ESMA, e.g. procurement, financial operations, recruitment, event enrolment, etc.

    Third party websites

    ESMA’s website provides links to third party sites. Since we do not control them, we encourage you to review their privacy policies.

    Basic principles

    As a general principle, ESMA only processes personal data for the performance of tasks carried out in the public interest on the basis of the Treaty on the Functioning of the European Union, on the basis of the relevant legislation or in the legitimate exercise of official authority vested in ESMA or in a third party to whom the data are disclosed.

    All processing operations of personal data are duly notified to ESMA's Data Protection Officer and, if the case arises, to the European Data Protection Supervisor.

    ESMA guarantees that the information collected is processed and/or accessed only by the members of its staff responsible for the corresponding processing operations.

    Unless specified differently in the Data Protection Register, all natural persons providing personal information to ESMA by means of paper or electronic form are deemed to have unambiguously given their consent for the subsequent processing operations in application of article 5(d) of Regulation 45/2001.

    Data subjects have the right to access and rectify their data on written request to be addressed to the Agency. Data subjects may at any time consult ESMA's Data Protection Officer (DPO[at] or have recourse to the European Data Protection Supervisor.

    How are data processed by ESMA?

    Further information on how your data are processed by ESMA may be found on the relevant section of the ESMA website. In particular, the following information will be included:

    • What information is collected, for what purpose and through which technical means ESMA collects personal information exclusively to the extent necessary to fulfil a specific purpose. The information will not be re-used for an incompatible purpose.
    • To whom your information is disclosed. ESMA will only disclose information to third parties if that is necessary for the fulfilment of the purpose(s) identified above and to the mentioned (categories of) recipients. ESMA will not divulge your personal data for direct marketing purposes.
    • How you can access your information, verify its accuracy and, if necessary, correct it. As a data subject you also have the right to object to the processing of your personal data on legitimate compelling grounds except when it is collected in order to comply with a legal obligation, or is necessary for the performance of a contract to which you are a party, or is to be used for a purpose for which you have given your unambiguous consent.
    • How long your data is kept. ESMA only keeps the data for the time necessary to fulfil the purpose of collection or further processing.
    • The security measures taken to safeguard your information against possible misuse or unauthorised access.
    • A point of contact if you have queries or complaints.

    How do we treat e-mails you send us?

    Some pages on ESMA's websites have a link to our contact mailboxes, which activates your e-mail software and invites you to send your comments. When you send such a message, your personal data is collected only to the extent necessary to reply. If the management team of the mailbox is unable to answer your question, it will forward your e-mail to another service. If you have any questions about the processing of your e-mail and related personal data, do not hesitate to include them in your message.


    If you have questions or concerns, please contact: