Administrative arrangement for the transfer of personal data between EEA and non-EEA securities regulators

FIN-FSA, Financial Supervisory Authority has on 19th June 2019 entered into an administrative arrangement for the transfer of personal data between certain EEA Authorities and non-EEA Authorities. The Administrative Arrangement is entered into pursuant to Article 46(3) of the General Data Protection Regulation (EU) 2016/679. Below outlines information on processing of personal data and safeguards provided under the administrative arrangement.  

How and why does the FIN-FSA processes your personal data?

As a general principle, FIN-FSA only collects and processes personal data for the performance of statutory tasks assigned to it on the basis of the Act on Financial Supervisory Authority (878/2008), Securities Market Act (746/2012), Act on Investment Services (747/2012), Market Abuse Regulation (EU) N:o 596/2014, Regulation on Markets in Financial Instruments (EU) N:o 600/2014 (MIFIR) and other applicable securities market legislation and regulations.

As regards the collection and processing of personal data received in the usual course of business or practice through international transfers, FIN-FSA is committed to have in place the safeguards set out in the administrative arrangement for the transfer of personal data between EEA and non-EEA securities regulators (“the administrative arrangement”).

In particular, when FIN-FSA collects and processes personal data transferred under the administrative arrangement, it guarantees the following:

• The Authority will only transfer personal data that are relevant, adequate and limited to what is necessary for the purposes for which they are transferred and further processed;
• The Authority will have in place appropriate technical and organisational measures to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure;
• The Authority will retain personal data for no longer than is necessary and appropriate for the purpose for which the data are processed;
• No decision will be taken by the Authority concerning a natural person based solely on automated processing of personal data, including profiling, without human involvement;
• The Authority will not divulge your personal data for other purposes, such as for marketing or commercial purposes.

What are your safeguards under the Administrative Arrangement?

As regards the personal data shared under the administrative arrangement, you can make a request to the Authority to receive information about the processing of your personal data, to access the personal data and to correct any inaccurate or incomplete personal data, as well as to make request about the erasure, restriction of processing or to object to the processing of your personal data on written request to be addressed to for doing so, you can contact FIN-FSA’s Data Protection Officer at tietosuojavastaava(at)bof.fi.

Given the often sensitive nature of our work, and the risk of prejudice to the discharge of our public functions, in some cases your safeguards might be restricted in accordance with the Act on Financial Supervisory Authority, the Act on the Openness of Government Activities (621/1999) and other relevant legal provisions, such as FIN-FSA’s obligation not to disclose confidential information pursuant to secrecy or other legal obligations, or to prevent prejudice or harm to the supervisory or enforcement functions of a transferring or receiving Authority under the AA acting in the exercise of the official authority vested in it. This may include functions relating to the monitoring or assessment of compliance with applicable laws, prevention or investigation of suspected infringement; for important objectives of general public interest, or for the supervision of regulated individuals and entities. In each case, FIN-FSA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.

What redress is available to you?

If you believe that your personal data have not been handled consistent with these safeguards, you can lodge a complaint or claim at the transferring Authority, the receiving Authority or both Authorities: for doing so, you can contact FIN-FSA’s Data Protection Officer at tietosuojavastaava(at)bof.fi. In such event, the Authority or the Authorities will use best efforts to settle the dispute or claim amicably in a timely fashion.

In the event where the matter is not resolved, other methods can be used, by which the dispute could be resolved unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation or other non-binding dispute resolution proceedings initiated by the natural person or by the Authority concerned.

If the matter is not resolved through cooperation by the Authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, in situations where you raise a concern and a transferring Authority is of the view that a receiving Authority has not acted consistent with the safeguards set out in the administrative arrangement, the transferring Authority will suspend the transfer of personal data under this Arrangement to the receiving Authority until the transferring Authority is of the view that the issue is satisfactorily addressed by the receiving Authority, and will inform you thereof. 

Contact details

FIN-FSA’s Data Protection Officer: tietosuojavastaava(at)bof.fi.        

IOSCO: Administrative Arrangement