With provision n. 119 of 23rd May 2019, the Italian Data Protection Authority has authorized CONSOB (The Italian Companies and Exchange Commission) to sign an administrative agreement for the transfer of personal data between the Financial Supervisory Authorities of the European Economic Area (EEA) and also between those located outside the EEA.
The provision represents the first case of authorization to transfer data pursuant to art. 46, par. 3, lett. b) of the GDPR. In fact, the Regulation provides that, in the absence of an adequacy decision by the European Commission, administrative agreements between authorities or public bodies may constitute adequate guarantees for the transfer of data, provided that they include effective and protectable rights and have the authorisation of the Data Protection Authority.
In this case, the aim of the agreement is the transfer of information in the context of international cooperation activity, in order to guarantee mutual assistance in repressing illegal conduct on the financial markets.
The agreement was formulated by the European Securities and Markets Authority (ESMA) and the International Organization of Securities Commissions (IOSCO).
The DPA has authorized CONSOB to sign the agreement as it considers the guarantees included in it ensure an adequate level of personal data protection.
In fact, the agreement envisages compliance with the principles of transparency, proportionality, data quality, adequate security measures and guarantees for the rights of data subjects. In particular, data subjects can obtain confirmation of the possible transfer of their data to a Financial Supervisory Authority outside the European Economic Area. They will have access on request to their personal data and can directly request the Financial Supervisory Authority concerned or the Financial Supervisory Authority outside the EEA to rectify, delete, limit or block their data. Any restriction to these rights must be provided for by law and is only allowed to the extent and for the period necessary to protect privacy or to deliver objectives of public interest.
Specific precautions are also envisaged for subsequent transfers of data to an Authority which does not participate in the agreement or to a third country in which there is no adequacy decision according to art. 45 of the GDPR. In particular, such transfers may only take place with the prior written consent of the transferring Authority and provided that the third party provides guarantees similar to those provided for in the agreement.
Finally, the Italian Data Protection Authority has subjected the validity of the agreement to certain conditions. The parties must be fully compliant with all the clauses and CONSOB must inform the Authority of any suspension of data transfers and of any review or suspension of participation in the agreement. Furthermore, in compliance with the principle of accountability, CONSOB will have to keep the documentation relating to the application of the agreement (e.g. the number of requests and complaints of infringements presented by data subjects at EU level) and for the first two years, file a report to the Authority.
The Data Protection Authority will now have to monitor the practical application of the agreement, verifying compliance with the guarantees provided in it. Should any infringements be detected, the Authority may suspend data flows carried out by CONSOB.