The FSMA will not itself process your Data outside the European Economic Area (EEA).
It is possible that service providers whose services the FSMA use may process your Data outside the EEA (for example in the United States). Where this is the case, the FSMA ensures that the service provider enters into a contract with the FSMA and that the level of protection is guaranteed, for example by way of a decision of the European Commission determining that a third country provides an adequate level of protection (Article 45 of the GDPR), by way of standard data protection clauses drawn up by the European Commission and entered into by the parties for the purpose of processing data outside the EEA (Article 46 of the GDPR) or by way of another legal instrument that provides appropriate guarantees.
The FSMA may, as part of its public-interest tasks and of the exercise of public authority, and within the limits provided for by Articles 74 and 75 of the Law of 2 August 2002, exchange personal data with a financial supervisory authority of a country outside the EEA (hereafter ‘third country’) for purposes of international cooperation. Where this is the case, the FSMA ensures that:
- the third country ensures an adequate level of protection (adequacy decision of the European Commission - Article 45 of the GDPR); or
- appropriate safeguards are in place (Article 46 of the GDPR), in particular, where the non-EEA financial supervisory authority has undertaken to provide the safeguards laid down in an administrative arrangement such as the Administrative arrangement for the transfer of personal data between EEA and non-EEA authorities; or
- it may make use of a derogation such as the one applicable in the event of a transfer necessary for important reasons of public interest (Article 49 of the GDPR).
The FSMA will only transfer personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are transferred.
If you have any questions about this subject, please feel free to send a dated and signed request to the FSMA for the attention of the Data Protection Officer. You will find the contact details of the DPO in the answer to the question below on ‘How can you contact us?’.