INFORMATION TO BE GIVEN 2

Similar documents
INFORMATION TO BE GIVEN 2

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

INFORMATION TO BE GIVEN 2

INFORMATION TO BE GIVEN 2

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

INFORMATION TO BE GIVEN 2

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Element Finance Solutions Ltd Data Protection Policy

Creative Funding Solutions Limited Data Protection Policy

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Islam21c.com Data Protection and Privacy Policy

UWTSD Group Data Protection Policy

Subject: Kier Group plc Data Protection Policy

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

Data Protection Policy

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Data Protection Policy

Motorola Mobility Binding Corporate Rules (BCRs)

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Privacy Policy Hafliger Films SpA

the processing of personal data relating to him or her.

Talenom Plc. Description of Data Protection and Descriptions of Registers

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

Privacy Policy November 30th, 2017

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

PS Mailing Services Ltd Data Protection Policy May 2018

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions

SCHOOL SUPPLIERS. What schools should be asking!

Data Processing Agreement

The General Data Protection Regulation

Privacy Notice. General Information Protection Regulation ( GDPR )

The British Museum. Data Protection Code of Practise. 1 Introduction

Rights of Individuals under the General Data Protection Regulation

Contract Services Europe

Information leaflet about processing of personal data (

Data Processor Agreement

DATA PROTECTION A GUIDE FOR USERS

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Data Protection Policy

Privacy Notice - Stora Enso s Supplier and Stakeholder Register. 1 Purpose

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Data protection declaration

Identity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode

Privacy Policy. 1. Definitions

Data Processing Agreement

DATA PROTECTION POLICY THE HOLST GROUP

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

WEBSITE PRIVACY POLICY

PRIVACY POLICY OF.LT DOMAIN

GDPR Data Protection Policy

FileFacets for GDPR. Solution Overview for Compliance. Copyright 2017 FileFacets Corporation. All rights reserved

POLICY. Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

PRINCIPLES OF PROTECTION OF PERSONAL DATA (GDPR) WITH EFFICIENCY FROM

Data Processing Agreement

Archive Legislation: archiving in the United Kingdom. The key laws that affect your business

Data Privacy Policy. of Eisenmann Übersetzungsteam - Suzanne Eisenmann - translation team

In this data protection declaration, we use, inter alia, the following terms:

Part B of this Policy sets out the rights that all individuals have in relation to the collection and use of your personal information

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

A Homeopath Registered Homeopath

TALENTUM Limited Liability Company PRIVACY NOTICE

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

DATA PROCESSING TERMS

Finland. General I Data Protection Laws. Contributed by Hannes Snellman Attorneys Ltd. National Legislation. National Regulatory Authority

HPE DATA PRIVACY AND SECURITY

Data Processing Clauses

Privacy Notice - Stora Enso s Customer and Sales Register. 1 Controller

Rules governing staff access to and use of Parliament's system

CEM Benchmarking Privacy Policy

PRIVACY POLICY SECTION 1 CONTACTS

POLICY. Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

VISTRA ZURICH AG - PRIVACY NOTICE

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Privacy Notice - General Data Protection Regulation ( GDPR )

RGSL PRIVACY POLICY. Data Controller and Contact Details

DATA PROTECTION IN RESEARCH

Data Protection Declaration of ProCredit Holding AG & Co. KGaA

Privacy and Data Protection Policy

Vistra International Expansion Limited PRIVACY NOTICE

UWC International Data Protection Policy

VISTRA NETHERLANDS PRIVACY NOTICE

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

Website privacy policy

RECRUITMENT DATA PROTECTION NOTICE. AImotive Ltd.

Privacy Statement for Use of the Certification Service of Swisscom (sales name: "All-in Signing Service")

This Privacy Statement applies to data processing carried out by:

Privacy Notices under #GDPR: Have you noticed my notice?

Technical Requirements of the GDPR

CNH Industrial will use your personal information for a number of purposes including the following:

Privacy policy SIdP website EU 2016/679

This policy is a public document and has been prepared in light of the National Privacy Principle 5: Openness.

INFORMATION MEMORANDUM ON DATA PROCESSING

Transcription:

(To be filled out in the EDPS' office) REGISTER NUMBER: 1423 (To be filled out in the EDPS' office) NOTIFICATION FOR PRIOR CHECKING DATE OF SUBMISSION: 03/01/2017 CASE NUMBER: 2017-0015 INSTITUTION: ESMA LEGAL BASIS: ARTICLE 27-5 OF THE REGULATION CE N 45/2001( 1 ) INFORMATION TO BE GIVEN 2 1/ NAME AND ADDRESS OF THE CONTROLLER EUROPEAN SECURITIES AND MARKETS AUTHORITY (ESMA) 2/ ORGANISATIONAL PARTS OF THE INSTITUTION OR BODY ENTRUSTED WITH THE PROCESSING OF PERSONAL DATA Enforcement Team (Team comprising ESMA staff carrying out investigations in accordance with Articles 23e of Regulation (EC) no 1060/2009 (CRA Regulation) and 64 of Regulation (EU) no 648/2012 (EMIR). The Enforcement Team is part of the Legal Convergence and Enforcement (LCE) Department. 3/ NAME OF THE PROCESSING Data processing for enforcement purposes under the CRA Regulation and EMIR 1 OJ L 8, 12.01.2001. 2 Please attach all necessary backup documents 1

4/ PURPOSE OR PURPOSES OF THE PROCESSING Personal data will be processed for the purposes of investigations to be carried out by an independent investigating officer (IIO) in the context of enforcement proceedings against credit rating agencies (CRAs) and trade repositories (TRs) on the basis of the requirements and tasks laid down in the CRA Regulation and EMIR. 5/ DESCRIPTION OF THE CATEGORY OR CATEGORIES OF DATA SUBJECTS The relevant investigations may imply the processing of personal data of permanent ESMA staff (TAs), Seconded National Experts (SNEs), Contractual Agents and trainees in charge of this particular processing operation, representatives/agents and employees of CRAs and TRs as well as other natural persons whose personal data may be contained in information processed in the context of the investigation and whose personal data are relevant for the purposes of this processing operation (lawyers, service providers, etc.). 6/ DESCRIPTION OF THE DATA OR CATEGORIES OF DATA (including, if applicable, special categories of data (Article 10) and/or origin of data). The (incidental) processing of personal data during an investigation may comprise the following general personal data: - contact details (name, address etc); and, as regards representatives/agents, employees and service providers of CRAs and TRs, as the case may be - details on education and training, employment, financial details (e.g. information required to ascertain the absence of conflicts of interest); and - details on goods or services provided. 2

7/ INFORMATION TO BE GIVEN TO DATA SUBJECTS Relevant information to be provided to the data subjects in accordance with Regulation (EC) No 45/2001, is given through a Privacy Statement (attached to this notification). This Privacy Notice is submitted to any persons and entities requested to provide information that may include personal data before they provide such information. 8/ PROCEDURES TO GRANT RIGHTS OF DATA SUBJECTS (Rights of access, to rectify, to block, to erase, to object) With respect to the rights of the data subjects, ESMA follows the measures outlined in its Implementing Rules on Data Protection relating to the Regulation (EC) No 45/2001 with regards to the processing of personal data which lay down the detailed rules pursuant to which a data subject may exercise his/her rights, the procedure for notifying a processing operation and the procedure for obtaining access to the register of processing operations kept by the Data Protection Officer (ESMA/2011/MB/57, attached to this notification). In particular, any request for access, rectification, blocking and/or erasing personal data may be directed to the relevant Controller. The Data Protection Officer is involved if an independent advice with respect to compliance to the provisions of Regulation (EC) No 45/2001 is needed. As regards right of rectification, reference is also made to Article 11(3) of the Implementing measures referred to above which stipulates that If a request for rectification is accepted, it shall be acted upon immediately and the data subject notified thereof. Should a request for rectification be rejected, the data controller shall have 15 working days within which to inform the data subject by means of a letter stating the grounds for the rejection. With respect to right to block, according to ESMA s Implementing Rules, requests for blocking shall specify the data to be blocked. A data subject who has requested and obtained the blocking of data shall be informed thereof by the data controller. He or she shall also be informed of the fact that data are to be unblocked at least 15 working days before they are unblocked. The data controller shall take a decision within 15 working days of receiving a request for data to be blocked. If the request is accepted, it shall be acted upon within 30 working days and the data subject notified thereof. Should the request for blocking be rejected, the data controller shall have 15 working days within which to inform the data subject by means of a letter stating the grounds for the rejection. In automated filing systems, blocking shall be ensured by technical means. The fact that personal data are blocked shall be indicated in the system in such a way as to make it clear that the data may not be used. Blocked personal data shall, with the exception of their storage, only be processed for purposes of proof, or with the consent of the data subject or for the purpose of protecting the rights of third parties. 3

9/ AUTOMATED / MANUAL PROCESSING OPERATION Automated processing: CRAs and TRs must report regularly to ESMA s supervisory department through email and restricted internal databases. These reports could include personal data and some of this data may, in case of enforcement proceedings, be passed on to the designated IIO (encrypted files transmitted via restricted internal folders, email or USB sticks). The IIO may furthermore request information from the persons subject to investigation (CRAs and TRs) and other sources. This information, which could include personal data, will normally be provided to the IIO in electronic form (encrypted files transmitted via restricted internal folders, email or USB sticks/cds). There may furthermore be audio or video recordings of interviews or hearings held by the IIO. All information collected by will be transferred to and stored in encrypted folders and used for the assessment of further investigatory steps and for the drafting of a statement of findings to be submitted to ESMA s Board of Supervisors. The relevant files will be erased once the relevant retention period has run out. Manual Processing: Information processed by the IIO, including personal data, may also be held in hard copy (print out of documents provided in electronic for or documents prepared by (e.g. transcripts) or provided to the IIO in hard copy) at ESMA s premises (in a location accessible only to the IIO and authorised ESMA staff) for the same use. The relevant documents will be destroyed at the latest once the relevant retention period has run out. 10/ STORAGE MEDIA OF DATA Information in electronic form is stored on the hard disk of ESMA laptop, in an encrypted subfolder in a restricted folder to which only the IIO and authorised ESMA staff working under the instructions of the IIO have access. Hard copies of documents containing personal data are stored in a location accessible only to the IIO and authorised ESMA staff. 11/ LEGAL BASIS AND LAWFULNESS OF THE PROCESSING OPERATION Regulation (EU) No 1095/2010 (ESMA Regulation) and the CRA Regulation (in particular Article 23e) or EMIR (in particular Article 64). 4

12/ THE RECIPIENTS OR CATEGORIES OF RECIPIENT TO WHOM THE DATA MIGHT BE DISCLOSED Personal Data is disclosed to designated ESMA staff members (members of the Enforcement Team) and, as the case may be, to the persons subject to investigation (in practice senior management, legal advisors of CRAs or TRs) to allow them to exercise their rights of defence and to ESMA s Board of Supervisors (composed of National Competent Authorities) and their advisors (including designated ESMA staff), in order to enable it to take a final enforcement decision based on the investigation of the IIO. 13/ RETENTION POLICY OF (CATEGORIES OF) PERSONAL DATA The conservation period of personal data is 15 years from the date of the decision of ESMA s Board of Supervisors taking position on the investigatory information collected by the IIO and putting an end to the proceedings. Nevertheless, if at the end of this period of 15 years, there are on-going administrative or judicial proceedings regarding this decision of ESMA s Board of Supervisors, the conservation period is extended for a period which ends one year after these administrative or judicial proceedings have become final. In case of audio or video recordings of interviews or hearings, these recordings are kept for a shorter specific conservation period which corresponds to the period needed for the records of these interviews or hearings to be transcribed. 13 A/ TIME LIMIT TO BLOCK/ERASE ON JUSTIFIED LEGITIMATE REQUEST FROM THE DATA SUBJECTS According to ESMA s Implementing Rules (ESMA/2011/MB/57, attached to this notification), Article 12 provides that: If the ground for the request of blocking data is the inaccuracy of the data, as referred in paragraph 41, a), the Data Controller shall immediately block the data for the period necessary for verifying the accuracy and completeness of the data. A data subject who has requested and obtained the blocking of data shall be informed thereof by the Data Controller. He or she shall also be informed of the fact that data are to be unblocked at least 15 working days before they are unblocked. The Data Controller shall take a decision as soon as possible and at the latest within 15 working days of receiving a request for data to be blocked. If the request is accepted, it shall be acted upon within 30 working days and the data subject notified thereof. Should the request for blocking be rejected, the Data Controller shall have 15 working days within which to inform the data subject by means of a letter stating the grounds for the rejection. In automated filing systems, blocking shall be ensured by technical means. The fact that personal data are blocked shall be indicated in the system in such a way as to make it clear that the data may not be used. Personal data blocked pursuant to this Article shall, with the exception of their storage, only be processed for purposes of proof, or with the consent of the data subject or for the purpose of protecting the rights of third parties. 5

According to ESMA s Implementing Rules, Article 13 provides that: The data subject shall have the right to obtain from the Data Controller the erasure of data if the processing thereof is unlawful. If the request is accepted, it shall be acted upon immediately. If the Data Controller deems the request unjustified, he or she shall have 15 working days within which to inform the data subject by means of a letter stating the grounds for the decision. (Please, specify the time limits for every category, if applicable) 14/ HISTORICAL, STATISTICAL OR SCIENTIFIC PURPOSES If you store data for longer periods than mentioned above, please specify, if applicable, why the data must be kept under a form which permits identification. NOT APPLICABLE 15/ PROPOSED TRANSFERS OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS In accordance with Articles 34 CRAR and 75 and 76 EMIR, ESMA may conclude cooperation agreements and establish cooperation arrangements including for exchanges of information with competent authorities of third countries, subject to guarantees of professional secrecy which are at least equivalent to those set out in the CRAR and EMIR and to the application of Regulation (EC) No 45/2001. ESMA will thus not transfer data to third countries (or international organisations) if an adequate level of protection of such data is not ensured in the country of the recipient or within the recipient international organisation, without prejudice to the derogations as provided for in Regulation (EC) No 45/2001. 16/ THE PROCESSING OPERATION PRESENTS SPECIFIC RISK WHICH JUSTIFIES PRIOR CHECKING (Please describe): AS FORESEEN IN: Article 27.2.(a) Processing of data relating to health and to suspected offences, offences, criminal convictions or security measures, A breach of relevant requirements of the CRAR or EMIR respectively investigated by an IIO may give rise to fines (i.e. administrative sanctions). Furthermore, ESMA shall refer matters for criminal prosecution to the relevant national authorities where, in carrying out its duties under this Regulation, it finds that there are serious indications of the possible existence of facts liable to constitute criminal offences (Article 23e(8) of the CRA Regulation and 64(8) of EMIR). Therefore, the investigation by an IIO may be held to be processing data relating to suspected offences or offences. 6

Article 27.2.(b) Processing operations intended to evaluate personal aspects relating to the data subject, Article 27.2.(c) Processing operations allowing linkages not provided for pursuant to national or Community legislation between data processed for different purposes, N/A Article 27.2.(d) Processing operations for the purpose of excluding individuals from a right, benefit or contract,. Other (general concept in Article 27.1) 17/ COMMENTS This notification constitutes an ex-post prior-checking notification. PLACE AND DATE: DATA PROTECTION OFFICER: INSTITUTION OR BODY: 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback