15.6.2021   

EN

Official Journal of the European Union

C 229/16


Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on digital operational resilience for the financial sector and amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014 and (EU) 909/2014

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 229/05)

The European Commission adopted on 24 September 2020 a Proposal for a Regulation on Digital Operational Resilience for the financial sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (the ‘Proposal’). The Proposal establishes a comprehensive framework on digital operational resilience for EU financial entities, based on five key areas, namely the management of ICT risks (Chapter II), the management, classification and reporting of incidents (Chapter III), digital operational resilience testing (Chapter IV), management of third-party risks and regulation of critical ICT service providers (Chapter V) and information sharing (Chapter VI).

The EDPS welcomes the objectives of the Proposal, and considers it essential for the stability of the European Union financial market that financial institutions have a sound, comprehensive and well-documented ICT risk management framework.

The EDPS highlights the importance of ensuring that any processing operation in the context of the operations of the financial entities is based on one of the legal bases laid down in Article 6 of the GDPR (1). Moreover, the EDPS highlights the importance for financial entities of embedding within their digital operational resilience framework a strong data protection governance mechanism, which clearly identifies the roles and responsibilities of the controller and the processor, as well as the processing activities that will take place.

Regarding the international transfers to ICT third-party service providers established in a third-country, the EDPS recalls that any international transfer of personal data must comply with the requirements of Chapter V of the GDPR as interpreted in the case-law of the CJEU, including the judgment in Schrems II.

Regarding the sharing arrangements on intelligence and cyber threat information amongst financial entities, the EDPS highlights that the protection of personal data does not constitute an obstacle to intelligence sharing in the financial sector. Rather, data protection requirements should be perceived as a basic requirement which should be complied with to ensure the safeguard of the rights of individuals. In this context, the EDPS encourages the adoption also in the financial sector of codes of conduct in accordance with Article 40 of the GDPR, particularly in view of clearly establishing the roles of the main stakeholders in the processing of personal data, as well as ensuring a fair and transparent processing.

Regarding the publication of administrative fines, the EDPS recommends including, among the criteria for consideration of the competent authority, the risks to the protection of the personal data of the individuals. Moreover, the EDPS recalls that the principle of storage limitation requires that personal data is stored for no longer than is necessary for the purposes for which the personal data are processed.

Regarding the notification of data breaches, the EDPS highlights that the wording of Recital 42 of the Proposal is incompatible with Article 33 of the GDPR. Therefore, the EDPS recommends deleting the reference to data protection authorities from Recital 42 of the Proposal, as well as slightly amending Article 17 of the Proposal in accordance with the recommendations of this Opinion.

1.   BACKGROUND

1. The European Commission adopted on 24 September 2020 a Proposal for a Regulation on Digital Operational Resilience for the financial sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (the ‘Proposal’). The Proposal establishes a comprehensive framework on digital operational resilience for EU financial entities, based on five key areas, namely the management of ICT risks (Chapter II), the management, classification and reporting of incidents (Chapter III), digital operational resilience testing (Chapter IV), management of third-party risks and regulation of critical ICT service providers (Chapter V) and information sharing (Chapter VI).

2. This Proposal belongs to a package that also includes a proposal for a regulation to build markets in crypto-assets (2) (the ‘MICA Regulation’), a proposal on a pilot regime for Market Infrastructures based on DLT (3), and a proposal to clarify or amend certain related EU financial services rules (4). The EDPS was consulted on the Proposal on the pilot regime for Market Infrastructures based on DLT and delivered his Opinion on 23 April 2021 (5). He was also consulted on the MICA Regulation on 29 April 2021 and will deliver his opinion in line with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6).

3. On 15 March 2021, the European Commission requested the European Data Protection Supervisor (the ‘EDPS’) to issue an opinion on the Proposal, in accordance with Article 42(1) of Regulation (EU) 2018/1725. These comments are limited to the provisions of the Proposal that are relevant from a data protection perspective.

4.   CONCLUSIONS

In light of the above, the EDPS:

Highlights the importance of ensuring that any processing operation in the context of the operations of the financial entities is based on one of the legal bases of Article 6 of the GDPR, and indicates Article 6(1)(c), (e) and (f) of the GDPR as possible legal bases for consideration by financial entities.

The EDPS highlights the importance for financial entities of embedding within their digital operational resilience framework a strong data protection governance mechanism, which clearly identifies the roles and responsibilities of the controller and the processor, as well as the processing activities that will take place.

The EDPS recalls that any international transfer of personal data by financial entities to an ICT third-party service provider established in a third country must comply with the requirements of Chapter V of the GDPR, and where carried out, be subject to appropriate safeguards in line with the data protection framework and the case-law of the CJEU, in particular the Schrems II case. Such financial entities may take recourse to the Standard Contractual Clauses, as these would seem to be the most relevant transfer tool.

The EDPS highlights that the protection of personal data does not constitute an obstacle to intelligence sharing in the financial sector. Rather, data protection requirements should be perceived as a basic requirement to be complied with to ensure the safeguard of the rights of individuals within the digital operational resilience framework of financial entities.

The EDPS encourages the adoption also in the financial sector of codes of conduct in accordance with Article 40 of the GDPR, particularly in view of clearly establishing the roles of the main stakeholders in the processing of personal data, as well as ensuring a fair and transparent processing.

Regarding the publication of administrative sanctions, the EDPS recommends including, among the criteria for consideration of the competent authority, the risks to the protection of personal data of the individuals.

In accordance with the principle of storage limitation, the EDPS recommends that financial entities adopt measures to ensure that the information on the administrative fines is deleted from their website after the five years have elapsed, or earlier if it is no longer necessary.

The EDPS highlights that the wording of Recital 42 of the Proposal is incompatible with Article 33 of the GDPR. The EDPS hence recommends deleting the reference to data protection authorities from Recital 42 of the Proposal, as well as amending Article 17 of the Proposal to include a reference to the obligation of notification of data breaches to the relevant data protection authorities.

The EDPS recommends amending Article 23(2) of the Proposal to ensure that testing, product development or research of the ICT systems may not be carried out on live production systems containing personal data of customers.

Brussels, 10 May 2021.

Wojciech Rafał WIEWIÓROWSKI


(1)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(2)  Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, COM/2020/593 final. Available at EUR-Lex - 52020PC0593 - EN - EUR-Lex (europa.eu)

(3)  Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on distributed ledger technology, COM/2020/594 final. Available at EUR-Lex - 52020PC0594 - EN - EUR-Lex (europa.eu)

(4)  Proposal for a Directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341, COM/2020/596 final. Available at EUR-Lex - 52020PC0596 - EN - EUR-Lex (europa.eu)

(5)  Opinion 6/2021 on the Proposal for a Pilot Regime for Market Infrastructures based on Distributed Ledger Technology, available at 2021-0219_d0912_opinion_6_2021_en_0.pdf (europa.eu)

(6)  Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).