Transfer of personal data to the United Kingdom
- On June 28, 2021, the European Commission adopted an adequacy decision for transfers of personal data to the United Kingdom, under the GDPR. Therefore, SCCs are not required for transfers to the UK from the EU. This means that data can continue to flow from the EU to the UK as before. UK data protection law governs transfers from UK to EU / non-EU. The European Commission’s adequacy decision in the UK includes a sunset clause limiting its duration until June 27, 2025. After this period, the adequacy decision can be renewed. However, during this period, the European Commission will closely follow legal developments in the UK and may suspend or revoke the adequacy decision at any time. A list of countries that have made an adequacy decision is available here.
Transfer of personal data to third countries not subject to adequacy decisions
- As reported in our June AMIF newsletter, the European Commission has published its final implementing decision on the new standard contractual clauses (SPCs) for the transfer of personal data to third countries.
- The new CCPs deal with the entry into force of the GDPR and the requirements of this regime. The delay in the update was partly due to the decision of the European Court of Justice in Schrems II (C-311/18) and the need for the European Commission to reconcile the new CPS with this decision. They also take into account the recommendations of the EDPS on additional measures.
- The new CCPs repeal and replace the old CCP of controller (Decision 2001/497 / EC, as amended) and the CCP of controller (Decision 2010/87 / EC).
- Therefore, new agreements with investment managers / distributors from third countries (such as the United States) must use the new SCCs of September 27, 2021 in order to comply with the GDPR.
- Existing agreements with investment managers / distributors from third countries (such as the United States) should be replaced by the new SCCs by December 27, 2022
Commission adopts PRIIPS RTS
The European Commission has adopted the PRIIPS regulatory technical standards (RTS) specifying the content and format of the key information document (CHILD) with annexes including models that the companies concerned, such as UCITS ManCos, would be required to use. The RTS will be submitted to the European Parliament and the Council for approval, hopefully by the end of the year. The text proposes the transition from UCITS KIID to PRIIPS KID on July 1, 2022.
RTS projects were submitted by the European Common Supervisory Authorities in February (discussed in our February newsletter).
ESMA report on trends, risks and vulnerabilities
ESMA has published its second report on trends, risks and vulnerabilities for 2021. The report highlights concerns about the continued rise in valuations of all asset classes in an environment of economic recovery and interest rates low interest. It also focuses on potential issues that could arise from increased risk-taking by investors and the materialization of risks from events such as GameStop, Archegos and Greensill. He notes that the financial sector is increasingly exposed to cyber risk.
The Joint Committee of European Supervisory Authorities (comprising ESMA, EBA and EIOPA) has also published its report on the risks and vulnerabilities of the EU financial system. The report identified certain economic vulnerabilities (including a possible deterioration in the quality of assets in the financial sector) as well as vulnerabilities related to cyber risks and information and communication technologies and advised specific policy actions. .