How and why personal data may be processed and transferred
Securities Market Agency (SMA) may transfer personal data to a third country authority for the purpose of exercising their responsibilities as public authorities, responsible for the regulation and supervision of securities markets and/or derivatives, including the regulation, management, supervision, enforcement and ensuring compliance with regulations in the field of securities or derivatives (hereinafter: a third country authority).
SMA as the transferring authority will transfer personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are transferred and further processed.
SMA has in place appropriate technical and organisational measures to protect personal data that are transferred against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure. Such measures include appropriate administrative, technical and physical security measures.
When SMA receives personal data from a third country authority, it will transfer the personal data onward or share the personal data to a third party only with the prior written consent of the transferring authority, and if the third party provides appropriate assurances that are consistent with the safeguards in GDPR (Article 488a(3) of Financial Instruments Market Act). Only in exceptional cases SMA may share personal data without prior written consent (e.g. reasons of public interest, conducting a civil or administrative enforcement proceedings, assisting in a criminal prosecution).