The Board will not itself process your personal data outside the European Economic Area (EEA).
Service providers who work for the Board may process your personal data outside the EEA (e.g. in the United States). Where this is the case, the Board will ensure that the service provider enters into a contract with the Board and that the level of protection is guaranteed, for example by way of a decision of the European Commission that a third country provides an adequate level of protection (Article 45 of the GDPR), by way of a certification from the data importer under the EU-US Privacy Shield (Article 45 of the GDPR), by using standard data-protection clauses adopted by the European Commission between the parties that process data outside the EEA (Article 46 of the GDPR) or by way of another legal instrument containing appropriate guarantees.
The Board may, as part of its public-interest tasks and of the exercise of public authority, and within the limits provided for by Articles 44 and 45 of the Law of 7 December 2016, exchange data with a financial supervisory authority of a country outside the EEA (‘third country’) for the purposes of international cooperation.
Where this is the case, the Board ensures that:
- the third country or international organisation guarantees an adequate level of protection (adequacy decision of the European Commission – Article 45 of the GDPR); or
- appropriate safeguards are in place (Article 46 of the GDPR), in particular where the non-EEA financial supervisory authority has undertaken to provide appropriate safeguards laid down in an administrative arrangement, such as the one currently in place with the Public Company Accounting Oversight Board (“PCAOB”); or
- it may make use of a derogation, such as the one applicable in the event of a transfer of information necessary for important reasons of public interest (Article 49 of the GDPR).
If you have any questions on this subject or if you would like to obtain more information, you may send a dated and signed request to the Board for the attention of the data protection officer (DPO). The contact details of the DPO are provided under the question 'How can you contact us?' of this Data Protection Policy.