What is personal data?
According to Article 4(1) of the General Data Protection Regulation, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What are the purposes of the processing?
The purposes of the personal data processing by EBF concern EBF’s main activities (e.g. interaction with its members, European banking sector organizations, raising awareness on banking issues, making policies etc.), as well as administrative activities (e.g. employee management).
The lawful basis EBF uses to process your data
Processing of your data is based on one of the following lawful bases:
- performance of contract,
- legitimate interest,
- compliance with a legal or regulatory obligation,
- public interest.
Disclosure of information
It is noted that personal data may be disclosed to law enforcement authorities without your consent if required by law, following a reasonable request to prevent, investigate or act against actual or suspected illegal activity, physical harm or financial loss.
EBF has taken all the appropriate technical and organizational measures in order to safeguard your personal data. Those measures are periodically assessed.
Third parties that process data for EBF
Your personal data are accessed mainly by our employees, who are bound by confidentiality clauses. The recipients of your data may be individual experts, external consultants, research institutions, event organizers, travel agencies, software providers as well as marketing and communication companies.
Please note that all of EBF’s affiliated/contracted companies and collaborators are contractually committed to take the appropriate technical and organizational measures to protect the confidentiality, integrity and availability of your data. Whenever we transfer your personal data out of the EEA, we ensure that a similar degree of protection is applied to it by making sure that at least one of the following transfer solutions is implemented:
- We will transfer your personal data to countries that have been deemed by the European Commission to provide an adequate level of protection for personal data, referring to the protection provided by the laws of the country to which the data will be transferred. You can find the relevant decisions of the European Commission here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en;
- We may use specific contracts approved by the European Commission (standard contractual clauses) to legally bind the processor of your personal data;
- We may transfer data to US-based companies if they are part of the Privacy Shield;
- We have acquired your consent for certain transfers, after informing you of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
- We transfer your personal data whenever it is necessary for the performance of the contract between us (the data subject and the Controller), or the implementation of pre-contractual measures taken at the data subject’s request.
When do we delete your data?
Your personal data are retained only for as long as required according to the relevant legislation. Moreover, we delete the personal data that you provide to us if there is no legal basis or other requirement for keeping your data.
Your rights towards your personal data
You can exercise your rights regarding the processing of your personal data, specifically:
- Request access to your data
- Request the correction of your data, in cases where the data we hold about you are incorrect or insufficient
- Request to delete your data, if there is no legal obligation for us to keep them
- Withdraw your consent, in cases where consent is the lawful basis for the processing of your data
- Object to processing for a specific reason
- Request restriction of processing
- Request to transfer your data to another Controller
You may exercise the aforementioned rights at the e-mail address: firstname.lastname@example.org
You will receive a response to your request within one (1) month of its receipt. If an extension of two (2) months to respond to your request is required, taking into account the complexity and number of concurrent requests, we will inform you in due time.
If you do not receive a response to your request, you have the right to lodge a complaint with the Data Protection Authority of your residence.
We do not use automated decision-making.