On 12 February 2019, the European Data Protection Board (EDPB) adopted its first opinion (the Opinion) on an administrative arrangement, which provides a new mechanism for the transfer of personal data between European Union (EU) financial supervisory authorities and securities agencies and their non-EU counterparts.
In accordance with the EU’s General Data Protection Regulation 2016/679 (the GDPR), a controller or processor may transfer personal data to a third country or international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Subject to authorisation from the competent supervisory authority (competent SA), article 46(3)(b) of the GDPR provides for various safeguarding options, including the possibility of an administrative arrangement between public authorities or bodies with provisions which include enforceable and effective data subject rights.
The first draft administrative arrangement had been submitted to the Chair of the EDPB in January 2019 under article 46(3)(b) of the GDPR to frame the transfers of personal data from EEA financial supervisory authorities (and the European Securities and Markets Authority itself) to their non-EEA counterparts. Following the submission, the Chair of the EDPB requested the Board for an opinion pursuant to article 64(2) of the GDPR to ensure consistent application of the GDPR throughout EU member states. The decision on the completeness of the file was taken on 15 January 2019.
Key features of the Administrative Arrangement
The Opinion notes that the draft administrative arrangement may be used by all market regulators in the EEA and submitted to the competent SAs for authorisation.
It also stresses that administrative arrangements are necessary to ensure efficient international cooperation between financial authorities and regulators and highlights the following guarantees that need to be included in the administrative arrangements:
1. Definitions of GDPR concepts and data subject rights: The administrative arrangement accurately reflects key data protection definitions and concepts, as provided for in the GDPR, to determine the scope of the administrative arrangement and ensure its consistent application.
2. Principle of purpose limitation and prohibition of any further use: The administrative arrangement assumes that the financial supervisory authorities have specific responsibilities and regulatory mandates; transfers may only take place within the framework of such mandates (and not in a manner which is incompatible with such purposes).
3. Principle of data quality and proportionality: The administrative arrangement also requires financial supervisory authorities only to transfer accurate and up-to-date personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are transferred and further processed.
4. Principle of transparency: A general notice is required to be provided to data subjects by each Authority in relation to the processing carried out, including the details of transfer and rights of data subjects.
5. Principle of data retention: Financial supervisory authorities may only retain personal data for as long as is necessary for the relevant purpose.
6. Security and confidentiality measures: Each financial supervisory authority receiving personal data from the EEA must have appropriate technical and organisational measures in place to protect personal data from any accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure; the recipient authority must also inform the transferring authority as soon as possible in the event of a personal data breach, and must use reasonable and appropriate means to remedy it.
7. Safeguards relating to data subject rights: The administrative arrangement provides for data subject rights including the right of access and the right to have data rectified, erased, restricted, or blocked; such rights are exercisable against both the transferring and receiving financial supervisory authorities.
8. Restrictions on onward transfers: Onward transfers to a third party that is not an authority participating in the administrative arrangement and not covered by an adequacy decision from the European Commission may take place only with the prior written consent of the initial EU transferring authority, along with appropriate assurances consistent with the safeguards in the administrative arrangement.
9. Redress: The administrative arrangement provides for a redress mechanism allowing the relevant data subjects, where appropriate, to receive compensation in the event of any violation of their rights. Redress can be exercised before a competent body (e.g. court).
10. Oversight mechanism: An external oversight mechanism (ensuring the implementation of the safeguards) is included in the administrative arrangement. In the event of a negative review, a financial supervisory authority’s participation in the administrative arrangement could be suspended.
The EDPB underlines the non-binding nature of these agreements in the Opinion. It states that each competent SA shall monitor the administrative arrangement and its practical application, especially in relation to data subject rights, onward transfers, redress and oversight mechanisms, and shall only authorise the administrative arrangement where the signatories fully comply with all of its clauses, so that the guarantees continue to safeguard an appropriate level of data protection when data are transferred to a third country.
Moreover, the Opinion provides that each competent SA will suspend the relevant data flows carried out by the financial supervisory authorities (NCAs) in its Member State pursuant to the authorisation if the administrative arrangement no longer provides appropriate safeguards within the meaning of the GDPR.
The Opinion notes that the EDPB considers the administrative arrangement as an appropriate safeguard when personal data will be transferred to public bodies in third countries not covered by a European Commission adequacy decision.
The administrative arrangement aims to remove much of the uncertainty around the legality of data transfers between EU and non-EEA financial supervisory authorities, but the Opinion emphasises the importance of regular dialogue between the EEA NCAs and their competent SAs in order to enable monitoring and enforcement of the administrative arrangements under the GDPR.