Iosco Administrative Agreement

Companies subject to the oversight of securities regulators in several jurisdictions should closely monitor the implementation of the administrative arrangement in the coming weeks and months. The administrative agreement removes much of the uncertainty about the legality of data transfers between EU and third country financial supervisory authorities under the GDPR. This should allow for a freer exchange of enforcement and supervisory information and increase the number of cross-border investigations and enforcement procedures in the future. Member States` data protection supervisory authorities can now authorise transfers under the Administrative Arrangement. Assuming such approvals are imminent, EEA financial regulators will need to enter into an administrative agreement with their non-EEA counterparts in order to benefit from this new mechanism. In accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that that third country is “adequate” from a data protection perspective or “appropriate safeguards” have been put in place to ensure that the processing of personal data in the hands of the recipient meets the high standards of the GDPR. Reflects. Article 46 of the GDPR provides for various protection options, including the possibility of “including provisions in administrative agreements between authorities or bodies that include enforceable and effective rights of the data subject”. [2] The European Data Protection Board has not yet approved such “administrative arrangements”.

Purpose and main features of the Administrative Arrangement The opinion of the European Data Protection Board comes after the draft Administrative Arrangement was submitted to the Chair of the European Human Rights Committee in January 2019 by the European Securities and Markets Authority (“ESMA”) and the International Organisation of the Securities Commission (“IOSCO”). The opinions of the European Data Protection Board aim to ensure uniform application of the GDPR in all EU Member States. Where a situation is of general application or will have effects in more than one Member State, the European Data Protection Board may examine and comment on the matter. Once adopted, the data protection supervisory authority of each Member State should not deviate from the approved standards. IOSCO Administrative Arrangement for the transfer of personal data between the different authorities of the European Economic Area (EEA) in accordance with Annex A and each of the non-EEA authorities as defined in Apapendix B However, the existence of an administrative arrangement does not resolve the complexity that regulated companies face when responding to requests for information from EU citizens with data at personal character from securities regulators outside the EEA. like the U.S. SEC. Such transfers continue to require careful analysis to ensure GDPR compliance. Further information can be found in the opinion of the European Data Protection Board here and in the draft Administrative Agreement. The Administrative Arrangement will be made available to all market regulators in the EEA; The European Data Protection Board noted in its opinion that the new mechanism is necessary to ensure “effective international cooperation” between financial supervisors and regulators. In assessing the adequacy of the administrative arrangement proposed by ESMA and IOSCO, the European Data Protection Board highlighted the safeguards it contains: it is an administrative arrangement between EU financial market supervisors, represented by the European Securities and Markets Authority (ESMA), and international partner authorities, represented by the International Organisation of Securities Commissions (IOSCO).

You can find it below under “Attachments”. According to the European General Data Protection Regulation (GDPR), personal data may be transferred from an EEA country to a third country if appropriate safeguards are provided. One of the ways to ensure guarantees is an administrative agreement between the authorities. In its opinion, the European Data Protection Board considers that the administrative arrangement between ESMA and IOSCO provides adequate safeguards for the transfer of personal data in accordance with the Agreement. On 12 February 2019, the European Data Protection Board (European Data Protection Board)[1] adopted its first opinion on an “administrative arrangement” providing for a new mechanism for the transfer of personal data between financial supervisory authorities and securities agencies of the European Union (“EU”) and their counterparts in third countries. . . .