On January 19, 2021, the Information Commissioner’s Office (ICO) published a letter dated September 11, 2020, available here, stating that the transfer of personal information from UK-based companies to the Securities and Exchange Commission (SEC) for the purpose of compliance with legal regulations can take place in accordance with the General Data Protection Regulation (GDPR).
SEC-regulated companies must comply with SEC documentation requests and make their books, records, or documents available for inspection to ensure compliance with US securities laws, rules, and regulations. This requires the creation of information, documentation and other records, which may include personal data and special category personal data.
The ICO reiterated that the submission of personal information from SEC-regulated UK companies (including UK issuers whose stocks or depository receipts are registered with the SEC or listed on a US stock exchange or market) to the SEC is a transfer that must comply with the GDPR rules for international transfers. However, in its letter, the ICO stated that the GDPR is not an obstacle to international data transfers and identified a route for the transfer based on the public interest ground under Article 49 (1) (d) GDPR.
The ICO acknowledged that, with reference to the exemptions in Article 49 GDPR, data protection rights must be weighed against other human rights. Under certain circumstances, despite the lack of an adequacy decision under Article 45 GDPR and the absence of appropriate safeguards under Article 46 GDPR, transfers may be necessary from time to time on the basis of the exemptions under Article 49 GDPR, e.g. on grounds of public interest.
In its letter, the ICO stated: “It is possible for UK companies regulated by the SEC to transfer personal data to the SEC on the basis of the exemption” under Article 49 (1) (d) GDPR, for three main reasons:
- “UK law contains important grounds of public interest” as required by Article 49 (4) GDPR.
Compliance with SEC rules helps prevent financial crimes and strengthens the regulatory goal of maintaining and protecting the integrity of the UK financial system.
- According to the guidelines of the European Data Protection Board (EDPB), the transfer must be “absolutely necessary” for important reasons of public interest.
The data exporter must take account of the principle of necessity and must have precise and particularly solid justifications. In practice, this means that organizations need to identify the exact basis in EU or UK law in order to apply the relevant public interest exemption.
- SEC inquiries analyzed by the ICO were absolutely necessary and proportionate.
The ICO noted that, much like requests from UK regulators, SEC-regulated companies need to satisfy themselves that requests fall within the SEC’s regulatory powers and requirements, and should keep records as part of a fully auditable governance process. In addition, such requests should not be large-scale and systematic.
It is possible for UK companies regulated by the SEC to transfer personal data to the SEC by relying on the public interest exemption of Article 49 (1) (d) GDPR. At the same time, companies should continue to comply with their other GDPR obligations, including their accountability and transparency obligations.
The ICO has expressed a preference for a long-term solution that does not rely on the exemption under Article 49 (1) (d) GDPR and is ready to work with the SEC to create a GDPR transfer instrument under Article 46. The ICO will continue to investigate potential complaints from data subjects and to assess organizations’ evidence for such transfers, which should demonstrate that the exemption has been applied appropriately.