Administrative Agreement IOSCO

Purpose and main features of the Administrative Arrangement. Further information can be found in the opinion of the European Data Protection Board and in the draft Administrative Agreement. However, the existence of an administrative arrangement does not solve the complexity that regulated companies face when responding to requests from non-EEA securities regulators, such as the US SEC, for information containing personal data of EU citizens. Such transfers continue to require careful analysis to ensure GDPR compliance. On 12 February 2019, the European Data Protection Board[1] adopted its first opinion on an “administrative arrangement” providing for a new mechanism for the transfer of personal data between financial supervisory authorities and securities agencies of the European Union (“EU”) and their counterparts in third countries. In accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that that third country is “adequate” from a data protection perspective or “appropriate safeguards” have been put in place to ensure that the processing of personal data in the hands of the recipient meets the high standards of the GDPR. Article 46 of the GDPR provides for various protection options, including the possibility of “including provisions in administrative agreements between authorities or bodies that include enforceable and effective rights of the data subject”.[2] The European Data Protection Board has not yet approved such “administrative arrangements”.

IOSCO's Administrative Arrangement for the transfer of personal data between the authorities of the European Economic Area (EEA) listed in Annex A and each of the non-EEA authorities listed in Appendix B. Companies subject to the supervision of securities regulators in several jurisdictions should pay particular attention to the implementation of the Administrative Arrangement in the coming weeks and months. The administrative agreement removes much of the uncertainty about the legality of data transfers between EU and third country financial supervisory authorities under the GDPR. This should allow for a freer exchange of enforcement and supervisory information and increase the number of cross-border investigations and enforcement procedures in the future. The Administrative Arrangement will be made available to all market regulators in the EEA. The European Data Protection Board noted in its opinion that the new mechanism is necessary to ensure “effective international cooperation” between financial supervisors and regulators.

In assessing the adequacy of the administrative arrangement proposed by ESMA and IOSCO, the European Data Protection Board highlighted the safeguards it contains. It is an administrative arrangement between EU financial market supervisors, represented by the European Securities and Markets Authority (ESMA), and international partner authorities, represented by the International Organisation of Securities Commissions (IOSCO). Member States' data protection supervisory authorities can now authorise transfers under the Administrative Arrangement. Assuming such approvals are imminent, EEA financial regulators will need to enter into an administrative agreement with their non-EEA counterparts in order to benefit from this new mechanism. The opinion of the European Data Protection Board comes after the draft administrative arrangement was submitted to the Chair of the European Data Protection Board in January 2019 by the European Securities and Markets Authority (“ESMA”) and the International Organisation of Securities Commissions (“IOSCO”). The opinions of the European Data Protection Board aim to ensure uniform application of the GDPR in all EU Member States. Where a situation is of general application or will have effects in more than one Member State, the European Data Protection Board may examine and comment on the matter. Once adopted, the data protection supervisory authority of each Member State should not deviate from the approved standards.

[1] The European Data Protection Board is an independent body established by the EU General Data Protection Regulation 2016/679 (“GDPR”), composed of representatives of national data protection authorities and the European Data Protection Supervisor, which can adopt general guidance on the GDPR and is also empowered to take binding decisions to ensure consistent application of the GDPR.

The system is necessary for the legal exchange of data with the financial supervisory authorities of third countries. It establishes adequate data protection safeguards and contains effective and enforceable rights of data subjects.