Administrative Arrangement for the Transfer of Personal Data between Israel Securities Authority and European Economic Area Authorities, following the GDPR regulations
On January 23, 2020, the Israel Securities Authority (ISA) signed an administrative arrangement for the transfer of personal data between EEA and non-EEA securities regulators ("the administrative arrangement").
The administrative arrangement is intended to overcome the limitations implicit in the General Data Protection Regulations (GDPR) with respect to the transfer of personal data from European countries. the administrative arrangement goal is to allow the continued sharing of personal data between members of the IOSCO who belong to the EU and authorities members that are not part of the EU, as part of the cooperation in enforcement and exchange of information according to the IOSCO memorandum of understanding (MMoU), as well as other exchanges of personal information including the supervisory context.
How and why the ISA does processes your personal data?
As a general principle, the ISA only collects and processes personal data for the performance of statutory tasks assigned to it on the basis of the Securities Law and its regulations, as well as other laws that the ISA enforces.
As regards the collection and processing of personal data received in the usual course of business or practice through international transfers, the ISA is committed to have in place the safeguards set out in the administrative arrangement, without prejudice to any law and without detracting from any other legal source for the transfer of personal data by the ISA.
In particular, when the ISA collects and processes personal data transferred under the administrative arrangement, it guarantees the following:
- The ISA will only transfer personal data that are relevant, adequate and limited to what is necessary for the purposes for which they are transferred and further processed.
- The ISA will have in place appropriate technical and organizational measures to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration or unauthorized disclosure.
- The ISA will retain personal data for no longer than is necessary and appropriate for the purpose for which the data are processed.
 For the purposes of the AA, personal information is defined as that which can be used to naturally identify a living individual, whether directly or indirectly.
- No decision will be taken by the ISA concerning a natural person based solely on automated processing of personal data, including profiling, without human involvement.
- The ISA will not divulge your personal data for other purposes, such as for marketing and commercial purposes.
What are your safeguards under the Administrative Arrangement?
As regards the personal data shared under the administrative arrangement, you can make a request to the ISA to receive information about the processing of your personal data, to access the personal data and to correct any inaccurate or incomplete personal data, as well as to make request about the erasure, restriction of processing or to object to the processing of your personal data on written request to be addressed to: Adv. Hava Binshtok, by way of the Director of Public Enquiries at the following link, where it is possible to choose "Privacy Protection" under the tab "Complaint details".
Given the often sensitive nature of the ISA's work, and the risk of prejudice to the discharge of our public functions, in some cases your safeguards might be restricted in accordance with the instructions of the Securities Law and its regulations, the Privacy Protection Law and its regulations and other relevant legal provisions, such as ISA's obligation not to disclose confidential information pursuant to professional secrecy or other legal obligations, or to prevent prejudice or harm to its supervisory or enforcement functions or to the supervisory or enforcement functions of a transferring or receiving Authority under the AA acting in the exercise of the official authority vested in it. This may include functions relating to the monitoring or assessment of compliance with applicable laws, prevention or investigation of suspected infringement; for important objectives of general public interest, or for the supervision of regulated individuals and entities. In each case, ISA will assess whether the restriction is appropriate. The restriction should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist. For more information, please see [include link to National Measures].
What redress is available to you?
If you believe that your personal data have not been handled consistent with these safeguards, you can lodge a complaint or claim at the transferring Authority, the receiving Authority or both Authorities: for doing so, you can contact [please add here contact details]. In such event, the Authority or the Authorities will use best efforts to settle the dispute or claim amicably in a timely fashion.
In the event where the matter is not resolved, other methods can be used, by which the dispute could be resolved unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation or other non-binding dispute resolution proceedings initiated by the natural person or by the Authority concerned.
If the matter is not resolved through cooperation by the Authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, in situations where you raise a concern and a transferring Authority is of the view that a receiving Authority has not acted
consistent with the safeguards set out in the administrative arrangement, the transferring Authority will suspend the transfer of personal data under this Arrangement to the receiving Authority until the transferring Authority is of the view that the issue is satisfactorily addressed by the receiving Authority, and will inform you thereof.
If you have questions or concerns, you can contact the ISA through the relevant contact person at the ISA: Adv. Hava Binshtok, by way of the Director of Public Enquiries at the following link, where it is possible to choose "Privacy Protection" under the tab "Complaint details".
FAQs on the arrangement are answered by the IOSCO