The International Organization of Securities Commissions (IOSCO) and the European Securities and Markets Authority (ESMA) welcome the Opinion of the European Data Protection Board (EDPB) on their administrative arrangement for the transfer of personal data between European Economic Area (EEA) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities.

Under the European General Data Protection Regulation (GDPR), personal data can be transferred from a EEA country to a third country when appropriate safeguards are provided. One of the ways to provide the safeguards is by an administrative arrangement between public authorities. In its Opinion, the EDPB considers that ESMA and IOSCO’s administrative arrangement ensures appropriate safeguards when personal data will be transferred pursuant to the arrangement.

The EDPB Opinion is the first of its kind and will enable the continued exchange of enforcement and supervisory information between securities regulators, including under the IOSCO Multilateral MoU, to promote orderly markets and protect investors, while providing the protection of personal data.

ESMA and IOSCO members who exchange personal data on a regular basis will now take the necessary steps to enter into the arrangement.

Ashley Alder, IOSCO Chair, said:
“The IOSCO MMoU is a widely used arrangement under which 121 securities regulators have agreed the basis on which they exchange information for the purposes of their enforcement mandates. I welcome the EDPB’s opinion which enables these vital cross border exchanges to continue with EEA authorities in a manner that is consistent with the new GDPR and the overall public interest.”

Steven Maijoor, ESMA Chair, added:
“I also welcome the opinion from the EDPB on the administrative arrangement on transfer of personal data. While providing data protection safeguards, this will allow EEA and non-EEA supervisory authorities to continue to share the data needed for their work in overseeing increasingly globalised and interconnected capital markets, particularly in the areas of market abuse and insider dealing.”

Maureen Jensen, Chair of the IOSCO Subgroup on Data Protection, said:
“Our goal in working collaboratively with the EDPB to prepare the administrative arrangement has been to ensure that personal data rights are respected in a manner that allows securities markets regulators to continue to fulfil our mandates to protect investors and ensure stability in the capital markets through information sharing. I believe the administrative arrangement achieves this goal and balances these important objectives."