Data Protection Notice – ENISA website

This notice relates to the processing of personal data by ENISA through the general ENISA website. For any other specific ENISA activity that involves the processing of personal data, specific data protection notices/privacy statements are available (please, visit ENISA’s central register for data processing activities for further information).

Your personal data shall be processed in accordance with the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data[1].

The data controller of the processing activity is ENISA (Communications Sector).

The legal basis for the processing activity is article 5(1)(a) Regulation (EU) 2018/1725, as the ENISA’s website is central to the operation of the Agency. The processing of personal data is needed to support certain functions of the website.

The purpose of this processing activity is to support a) communication of any individual with ENISA through the website via website contact forms or via email. In addition, necessary technical information relating to website’s visitors is processed through log files, in order to support the website’s security, on the basis of standard information security practices.

Note: Sometimes ENISA’s website is used to provide registration of participants to specific ENISA events, such as conferences or workshops organised by the Agency. ENISA’s website or other related portals or services (e.g. Resilience portal) may also be used for the submission of applications to participate in specific ENISA’s experts groups. Please see the specific record/privacy notice of each event or expert group for further information about the processing of personal data in this particular context.

The data processors of this processing operation are: 

  • Microsoft Azure: Azure provides cloud hosting services and processes personal data on behalf of ENISA (the data controller). Azure processes various types of data related to monitoring, performance, and load balancing to ensure the reliability, availability, and performance of its cloud services and infrastructure.
  • Bilbomatica S.A (https://www.bilbomatica.es/ ) and its subcontractor Syslab GmBH (https://www.syslab.com). The contracted entities provide web development and web hosting maintenance services to ENISA for our website hosted on Azure. As data processors, the contractors may have access to personal data as necessary to perform their contracted services. 

The following personal data are being processed:

  • Communication via website (contact forms or email):  First and last name, email address, title/subject and content of your message.
  • Cookies: ENISA's website uses Matomo (https://matomo.org/), an open source web analytics service to help analyse the use of this website. For more information see our Cookies policy.
  • Technical information for security purposes (log files): website visitor’s IP address, timestamp, browser string and the full request on the ENISA’s website. In case of suspicious activity (e.g. visitor's IP address has been deemed as suspicious by security company Fortinet's global sensors network), the visitor’s IP is logged in “attack logs” and the connection to the ENISA’s website is blocked.
  • The newsletter function has been temporarily discontinued

Access to your data will be granted only to designated ENISA staff and designated staff of the ENISA processor. In case of contacts via the website, if the management team of the mailbox is unable to answer your question, it will forward your email to another service within ENISA. You will be informed via email about which service your question has been forwarded to. Your personal data will not be transferred to any third party. The data may also be available to EU bodies charged with monitoring or inspection tasks in application of EU law (e.g. internal audits, European Anti-fraud Office – OLAF).  

Personal data will be kept up to a maximum period of 1 year for communication via the website. Cookies will be retained as per cookies policy. Technical information for security purposes (log files) are rotated and kept in  back-up store for a period of six months. Attack logs are stored on the equipment and they last between one and two months limited by the storage space after which they are being overwritten.

You have the right of access to your personal data and to relevant information concerning how we use it. You have the right to rectify your personal data. Under certain conditions, you have the right to ask that we delete your personal data or restrict its use. You have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time. We will consider your request, take a decision and communicate it to you. If you have any queries concerning the processing of your personal data, you may address them to ENISA at info [at] enisa.europa.eu. You may also contact at any time the ENISA DPO at dataprotection [at] enisa.europa.eu.

You have the right of recourse at any time to the European Data Protection Supervisor at https://edps.europa.eu.


[1] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002.

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies