Administrative arrangement for the transfer of personal data between European Economic Area (“EEA”) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities
As regards the processing of personal data received in the usual course of business or practice through international transfers, the CNB is committed to have in place the safeguards set out in the administrative arrangement for the transfer of personal data between EEA and non-EEA securities regulators (“the administrative arrangement”), without prejudice to a relevant adequacy decision of the European Commission, or to the application of the public interest derogation respectively.
The full text of the administrative arrangement (pdf, 234 kB).
Overview of guarantees
Against this background, when the CNB processes personal data transferred under the administrative arrangement, it guarantees the following:
-
Purpose limitation and prohibition of any further use
Authorities that are signatories to the administrative arrangement, i.e. including the CNB, have specific responsibilities and regulatory mandates, which include protecting investors or customers and fostering integrity and confidence in securities and/or derivative markets. In this context, the transfers can therefore only take place in the framework of such mandates and responsibilities, namely if necessary to support their institutional tasks. In addition, the receiving Authority is not allowed to further process your personal data in a manner that is incompatible (e.g. for marketing or commercial purposes) with the purposes indicated in the previous sentence.
-
Data quality and proportionality
The CNB will only transfer personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are transferred and further processed.
-
Limited data retention period
The CNB will retain personal data for no longer than is necessary and appropriate for the purpose for which the data are processed.
-
Security and confidentiality
The CNB will have in place appropriate technical and organisational measures to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure.
-
Transparency
The CNB provides you with a general notice on the administrative arrangement by way of the Information about the processing of personal data, and in particular this notice. Furthermore, the CNB will provide you with an individual notice on a respective transfer of your personal data subject to restrictions and limitations, in particular the obligation of secrecy, laid down in the data protection legislation.
-
Safeguards relating to your rights as a data subject
As regards the personal data shared under the administrative arrangement, you can make a request, in accordance with Section 7 of the Information about the processing of personal data, to the CNB to receive information about the processing of your personal data, to access the personal data and to correct any inaccurate or incomplete personal data, as well as to make request about the erasure, restriction of processing or to object to the processing of your personal data.
Given the often sensitive nature of the CNB tasks, and the risk of prejudice to the discharge of the CNB public functions, in some cases your safeguards might be restricted in accordance with the relevant legal provisions laid down in the data protection legislative, such as CNB's obligation not to disclose confidential information pursuant to professional secrecy or other legal obligations, or to prevent prejudice or harm to its supervisory or enforcement functions or to the supervisory or enforcement functions of a transferring or receiving Authority acting in the exercise of the official authority vested in it. This may include functions relating to the monitoring or assessment of compliance with applicable laws, prevention or investigation of suspected infringement; for important objectives of general public interest, or for the supervision of regulated individuals and entities. In each case, the CNB will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.
No decision will be taken by the CNB concerning a natural person based solely on automated processing of personal data, including profiling, without human involvement.
-
Redress
If you believe that your personal data have not been handled consistently with these guarantees, you can lodge a complaint or claim at the transferring Authority, the receiving Authority or both Authorities: for doing so, you can contact the CNB in accordance with Section 2 of the Information about the processing of personal data. In such event, the CNB or the CNB in conjunction with the respective Authority or Authorities will use best efforts to settle the dispute or claim amicably in a timely fashion.
In the event where the matter is not resolved, other methods can be used, by which the dispute could be resolved unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation or other non-binding dispute resolution proceedings initiated by the natural person or by the Authority concerned.
If the matter is not resolved through cooperation by the Authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, in situations where you raise a concern and a transferring Authority is of the view that a receiving Authority has not acted consistently with the safeguards set out in the administrative arrangement, the transferring Authority will suspend the transfer of personal data under this Arrangement to the receiving Authority until the transferring Authority is of the view that the issue is satisfactorily addressed by the receiving Authority, and will inform you thereof.