Skip to content
Guidance · EDPB ·42019-on-the-draft-aa-between-eea-and-non-eea EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 4/2019 on the draft AA between EEA and non-EEA Financial Supervisory Authorities

Summary

adopted 1 Opinion 4 / 2019 on the draft Administrative Arrangement for the transfer of personal data between European Economic Area (“EEA”) Financial Supervisory Authorities and non - EEA Financial Supervisory Authorities Adopted on 12 February 2019 adopted 2 4 Final remarks ................................ ................................ ................................ ................................ ... 8 adopted 3 The European Data Protection Board Having regard to Article 63, Article 64…

How it connects

Full text

adopted 1 Opinion 4 / 2019 on the draft Administrative Arrangement for the transfer of personal data between European Economic Area (“EEA”) Financial Supervisory Authorities and non - EEA Financial Supervisory Authorities Adopted on 12 February 2019 adopted 2 4 Final remarks ................................ ................................ ................................ ................................ ... 8 adopted 3 The European Data Protection Board Having regard to Article 63, Article 64 (2), (3) - (8) and Article 46 (3), (b) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, Having regard to Article 10 and 22 of its Rules of Procedure of 25 May 2018, as amended on 23 November 2018. Whereas: (1) With reference to Article 46 (1), (3) (b) and 46 (4) GDPR, in the absence of a decision pursuant to Arti cle 45 (3), a controller or processor may transfer personal data to a third country or international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective l egal remedies for data subjects are available. Subject to authorisation from the competent supervisory authority (“competent SA”), the appropriate safeguards may also be provided for, in particular, by provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. (2) Taking into account the specific characteristics of the administrative arrangements provided for by Article 46 (3) (b) 1 , which may vary considerably, each case should be addressed individually and is without prejudice to the assessment of any other administrative arrangement. (3) The EDPB ensures pursuant to Article 70 (1) of the GDPR the consistent application of Regulat ion 2016/679 throughout the European Economic Area. Under Article 64 (2), the consistency mechanism may be triggered by a supervisory authority, the EDPB Chair or the Commission for any matter of general application or producing effects in more than one Me mber State. The EDPB shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. (4) The opinion of the EDPB shall be adopted pursuant to Article 64 (3) GDPR in conjunction with Article 10 (2) of the EDPB Rules of Procedure within eight weeks after the Chair has decided that the file is complete . Upon decision of the EDPB Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. (5) Pur suant to Article 65 (1) (c) GDPR where a competent SA does not follow the opinion of the EDPB issued under Article 64, any supervisory authority concerned or the Commission may communicate the matter to the EDPB and it shall adopt a binding decision. 1 See also recital 108 GDPR adopted 4 HAS ADOPTED THE FOLLOWING OPINION : 1 SUMMARY OF THE FACTS 1. Following several rounds of discussions , the European Securities and Markets Authority (ESMA), acting as facilitator for EEA financial supervisory authorities (NCAs) and in its own capacity, and the International Organisation of Securities Commission (IOS CO) have submitted by official letter the attached draft Administrative Arrangement (hereinafter draft AA) according to Article 46 (3) (b) GDPR to frame the transfers of personal data from EEA NCAs (and ESMA itself) to their non - EEA counterparts. This dra ft AA was communicated to the Chair of the EDPB on 2 January 2019. 2. Following the submission, the Chair of the EDPB has requested the Board for an opinion pursuant to Article 64(2) GDPR. The decision on the completeness of the file was taken on 15 January 2019. 2 ASSESSMENT 3. The draft AA may be used by all market regulators in the E EA and submitted to the competent SAs for authorisation. As a result, the matter is producing effects in more than one Member States within the meaning of Article 64(2) GDPR. 4. Th e draft AA is necessary to ensure efficient international cooperation between these authorities, acting in their capacity as public authorities, regulators and/or supervisors of securities and/or derivatives markets, in order to “safeguard investors or cus tomers, and to foster integrity and confidence in the securities and derivatives markets” in accordance with their mandates as defined by applicable laws. 5. In assessing the provisions contained in this specific draft AA, the EDPB has taken into account a number of specific elements for the assessment of possible risks posed by the transfers of personal data including the type of personal data subject to the AA and the objectives pursued. 6. The draft AA which can be found in its entirety in the attachment includes the following guarantees: - Definitions of GDPR concepts and data subject rights: Section II of the AA contains the relevant definitions necessary to determine t he scope of the AA and its consistent application. Among them there are some definitions of key concepts and rights of the European data protection legal framework such as “personal data”, “processing”, “personal data breach”, “right of access”, “right of erasure” which are in line with the definitions contained in the GDPR. - Principle of pur pose limitation and prohibition of any further use: Section III (1) of the AA works on the premise that Authorities have specific responsibilities and regulatory mandates, which include protecting investors or customers and fostering integrity and confiden ce in securities and/or derivatives markets. According to the principle of purpose limitation, the transfers can therefore only take place in the framework of such mandates and adopted 5 responsibilities, namely if necessary to support their institutional tasks and the receiving Authority will not be allowed to further process the personal data in a manner that is incompatible with these purposes. - Principle of data quality and proportionality: According to Section III.2 of the AA the transferring Authority will only transfer accurate and up to date personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are transferred and further processed. Each Authority will inform the other if it becomes aware that transferred pe rsonal data is incorrect. Having regard to the purposes for which the personal data have been transferred and further processed, each Authority will supplement, erase, block, correct or otherwise rectify the personal data, as appropriate. - Principle of tran sparency: A general notice to data subjects will be provided by each Authority in relation to the processing carried out, including the transfer, the type of entities to which data may be transferred, the rights available to them under the applicable legal requirements, including how to exercise those rights and information about any applicable delay or restrictions on the exercise of such rights and the contact details for submitting a dispute or claim. This notice will be provided by each Authority on its website where it will be published along with this Arrangement. Furthermore, individual notice will be provided to data subjects by EEA Authorities in accordance with the GDPR and, in the case of ESMA, in accordance with Regulation 2018/1725. - Principle of data retention: As provided by Section III.7 of the AA the Authorities will retain personal data for no longer than is necessary for the purpose for which the data are processed in compliance with the applicable laws. - Security and confidentiality measures : Section III.4 envisages that each receiving Authority will have in place appropriate technical and organizational measures to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration, or unauth orized disclosure, including, for example, marking information as personal data and restricting who has access to personal data. The AA also envisages that in the case where a receiving Authority becomes aware of a personal data breach, it will inform the transferring Authority as soon as possible and use reasonable and appropriate means to remedy the personal data breach and minimize the potential adverse effects. - Safeguards relating to data subject rights: Section III (5) of the AA provides for safeguar ds relating to data subject rights. Data subjects can obtain confirmation of whether their data have been transferred to another financial supervisory Authority outside the EEA (TCA). Data subjects will also be provided with access to their personal data u pon request. In addition, data subjects may request directly to the concerned NCA or TCA that their data are rectified, erased, restricted or blocked. Information regarding these safeguards are to be provided on the NCA/TCA website. Any restriction to thes e rights has to be provided by law and is allowed only to the extent and for as long as this is necessary to protect confidentiality or for important objectives of general public interest which when the transferring Authority is an EEA NCA, has to be recog nized by the Member State of this NCA (including, for instance, to prevent prejudice or harm to supervisory/enforcement functions). - Restrictions on onward transfers: Onward transfers to a third party in another country who is not an Authority participatin g in the AA and is not covered by an adequacy decision from the adopted 6 European Commission will only take place with the prior written consent of the transferring Authority, and if the third party provides appropriate assurances that are consistent with the safeg uards in the AA. The same safeguards are envisaged for cases of sharing of personal data with a third party in the same country of the receiving Authority unless, in exceptional cases, such third party cannot provide the aforementioned assurances. In this case, the transfe r may take place only if the sharing is “for important reasons of public interest”. When the transferring Authority is an EEA NCA, this public interest has to be recognized by the Member State of this NCA. Personal data may be shared with a third party in the same country of the receiving Authority (such as public bodies, courts, self - regulatory organizations and participants in enforcement proceedings) without consent from the transferring Authority, or assurances only in two cases: (i) If the purpose fo r which the personal data are shared and then used is consistent with the purpose for which the data were initially transferred or with the general framework of the use stated in the original specific request from the receiving Authority, and the sharing i s necessary to fulfil the mandate and responsibilities of the receiving Authority and/or the third party. (ii) When the sharing of personal data follows a legally enforceable demand or is required by law. The receiving Authority will notify the transferri ng Authority prior to the sharing and include information about the data requested, the requesting body and the legal basis for sharing. The receiving Authority will use its best efforts to limit the sharing of personal data received under this Arrangement , in particular through the assertion of all applicable legal exemptions and privileges. - Redress: Section III (8) of the AA provides for a redress mechanism. This mechanism is there to ensure the right to obtain redress and, where appropriate, to receive c ompensation. In cases where non - compliance of the AA occurs, including where data subject rights are violated, redress can be exercised before a competent body (e.g. court). Redress before such a competent body will be in accordance with the applicable leg al requirements, ensuring that the rights of the data subject related to the principles and safeguards provided for under the AA can be effectively enforced. The transferring Authority will be informed about any dispute or claim and the authorities on both sides will use best efforts to settle the dispute or claim amicably. In the event the matter cannot be resolved in this way, other methods will be used to resolve the dispute, including non - binding mediation or dispute resolution mechanisms. If the transf erring Authority is of the view that a receiving Authority has not acted consistent with the safeguards set out in the AA, e.g. as it has not followed the decision of the non - binding mediation or alternative dispute resolution mechanism, it will suspend an y transfers under the AA to the receiving Authority until the issue is satisfactorily resolved. Moreover, the “assessment group” (as well as all other Authorities) will be notified and can, in case it determines that there has been a “demonstrated change i n the willingness or ability of [the receiving Authority] to act consistent with the [AA]”, recommend that the receiving Authority’s participation in the AA be discontinued. In order to enable data subjects to exercise their right of redress, the AA will b e made publicly available. - Oversight mechanism: Section IV of the AA provides for an external oversight mechanism ensuring the implementation of the safeguards of the AA. This oversight mechanism consists of a combination of periodic reviews conducted by the “assessment group” and by each NCA/TCA internally. The combination of the external and internal oversight as well as the adopted 7 possible consequences following a negative review – which may include a recommendation to suspend an Authority’s participation in t he AA – provides for a satisfactory level of protection. 7. The EDPB welcomes the efforts made for this multilateral AA which includes a number of important data protection safeguards. In order to make sure that these safeguards continue to ensure an approp riate level of data protection when data are transferred to a third country under this AA, taking into account the unique nature of such non - binding agreements, the EDPB underlines the following: 8. Each competent SA will monitor the AA and its practical application especially in relation to sections III (5), (6), (8) and IV relating to data subject rights, onward transfers, redress and oversight mechanisms to ensure that data subjects are provided with effective and enforceable data subject rights, approp riate redress and that compliance with the AA is effectively supervised. 9. Each competent SA shall only authorise this AA as a suitable data protection safeguard with a view to the cross - border data transfer, conditional to full compliance by the signatori es with all the clauses of the AA. 10. Each competent SA, will suspend the relevant data flows carried out by the NCA in its Member State pursuant to the authorization, if the AA no longer provides for appropriate safegu ards in the meaning of the GDPR. 3 CONCLUSIONS/RECOMMEN DATIONS 11. Taking into account the above and the commitments the NCAs, ESMA and their non - EEA counterparts will undertake by signing this AA in order to have “ in place appropriate safeguards for the processing of such personal data in the exercise of their respective regulatory mandates and responsibilities ” and to “ act consistent with this Arrangement ”, the EDPB considers that the AA ensures appropriate safeguards when personal data will be transferred on the basis of this AA to public bo dies in third countries not covered by a European Commission adequacy decision. 12. Consistent with the preamble of the AA, acknowledging the importance of regular dialogue between the EEA NCAs and their competent SAs, or the European Data Protection Supervis or (“EDPS”) in the case of ESMA, and in order to allow the competent SAs to carry out their task of monitoring and enforcing the application of the GDPR in accordance with Article 57 (1) (a) of the GDPR, the authorisation adopted by the competent SA should envisage that each signatory EEA NCA or ESMA shall inform the respective competent SA of any suspension of transfers of personal data based on Sections III (8) and IV of the AA, as well as of any revision or discontinuation of participation to the AA base d on Section V. 13. In addition, the EDPB recalls that, in line with the accountability principle, each NCA and ESMA will need to keep records of information to facilitate the monitoring task of the SAs. This information should in any case be made available u pon request from the competent SA. Each SA may also, in its authorisation, request to receive this information from NCAs or ESMA on an annual basis without any prior request. This information should include elements on the number of data subject requests and claims received by data subjects at EU level, details on the cases not resolved through the envisaged dispute resolution mechanisms as well as on respective findings and actions of the “Assessment Group” following the periodic reviews including actions with regards to the sharing of personal data adopted 8 under Section 6.2.3 of the AA. Information should also be recorded on the notifications received by NCAs on the sharing of information to a third party by the TCA following a legally enforceable demand or requi red by law. 4 FINAL REMARKS 14. This opinion will be made public pursuant to Article 64 (5) (b) of the GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)

Similar Content