the Commissione Nazionale per le Società e la Borsa in Italy and the Public Company Accounting Oversight Board in the United States

Agreement between the Commissione Nazionale per le Società e la Borsa in Italy and the Public Company Accounting Oversight Board in the United States on the Transfer of Certain Personal Data

The Public Company Accounting Oversight Board ("PCAOB") in the U.S., based on its obligations and authority under the Sarbanes-Oxley Act of 2002, as amended (the "Sarbanes-Oxley Act"), and the Commissione Nazionale per le Società e la Borsa ("CONSOB") in Italy, based on its obligations and authority under Legislative Decree no. 58/1998, Legislative Decree no. 39/2010 and the European Commission Decision No. 2013/280/EU of June 11, 2013 on the adequacy of the competent authorities of the United States of America pursuant to Article 47, paragraph 1(c) of Directive 2006/43/EC,

Having regard to the Statement of Protocol agreed upon by the Parties to facilitate cooperation and exchange of information relating to auditors that fall within the regulatory jurisdiction of both Parties, and in particular to Article IX thereof on the transfer of personal data;

Having regard to Article 47(1)(e) of Directive 2006/43/EC, which states that the transfer of personal data to a third country must be in accordance with Chapter IV of Directive 95/46/EC;

have agreed as follows:

I. DEFINITIONS

1. For the purpose of this Agreement:

(a) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b) "processing of personal data" ("processing") means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(c) "controller" means, in the case of personal data processed in Italy and transferred to the PCAOB, CONSOB or the PCAOB which alone or jointly determines the purpose and means of the processing of personal data;

(d) "processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(e) the "Italian Data Protection Authority" means the competent data protection authority in Italy, that is, the Italian "Garante per la protezione dei dati personali", established by Law December 31, 1996, no. 675;

(f) "third party" means any natural or legal person, public authority, agency or any other body other than the data subject, CONSOB, the PCAOB, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data;

(g) "recipient" means a natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not; however, authorities which may receive personal data in the framework of a particular inquiry shall not be regarded as recipients;

(h) "sensitive data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and data concerning health or sex life;

(i) "judicial data" means data relating to offences, criminal convictions or security measures in relation to individuals;

(j) "Party" or "Parties" means the Public Company Accounting Oversight Board (PCAOB) in the US and/or the Commissione Nazionale per le Società e la Borsa (CONSOB) in Italy;

(k) "Data Protection Directive" means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(l) "Italian Data Protection Act" means Legislative Decree no. 196/2003;

(m) "Data Protection Laws and Regulations" means the Data Protection Directive, the Italian Data Protection Act, Consob Regulation no. 15318/2006 and any other applicable laws, rules and regulations on data protection;

(n) "Statement of Protocol" or "SOP" means the document by that name dated and agreed upon by the Parties to facilitate cooperation and exchange of information relating to Auditors that fall within the regulatory jurisdiction of both the PCAOB and CONSOB.

II. DATA PROCESSING PRINCIPLES

The Parties agree that the transmission of personal data by CONSOB to the PCAOB pursuant to the SOP shall be governed by the following principles:

1. Purpose limitation: Personal data transmitted by CONSOB to the PCAOB will be processed by the PCAOB itself only to fulfill its audit regulatory functions in accordance with the Sarbanes-Oxley Act of 2002, as amended (the "Sarbanes-Oxley Act"), i.e., for the purposes of auditor oversight, inspections and investigations of registered audit firms and their associated persons subject to the regulatory jurisdiction of the PCAOB and CONSOB as outlined in the SOP and the requests for information provided thereunder. The onward transfer of such data is governed by paragraph 8 below. CONSOB will apply the principle of data anonymization and minimization, which means that transfer of personal data will take place on a case-by-case basis only, when strictly necessary for the purposes of carrying out the SOP.

2. Data quality and proportionality: Each Party will endeavor to ensure that it transmits to the other Party personal data that is accurate, adequate and relevant in relation to the purposes for which they are transferred and further processed. Each Party will inform the other Party if it learns that previously transmitted information was inaccurate and/or must be updated. In such case, the other Party will make any appropriate corrections to its files. The Parties acknowledge that the PCAOB primarily seeks the names, and information relating to professional activities, of the individual persons who were responsible for or participated in the audit engagements selected for review during an inspection or who play a significant role in the firm's management and quality control (the "Auditor Information"). Such information would be used by the PCAOB in order to assess the degree of compliance of the registered accounting firm and its associated persons with the Sarbanes-Oxley Act, the securities laws relating to the preparation and issuance of audit reports, the rules of the PCAOB, the rules of the SEC and relevant professional standards in connection with its performance of audits, issuances of audit reports and related matters involving issuers (as defined in the Sarbanes-Oxley Act). The parties agree that providing the Auditor Information to the PCAOB in the context of the Sarbanes-Oxley Act is adequate, relevant and not excessive in relation to the purposes for which it is transferred and further processed. However, the disclosure of other types of personal data, if requested by the PCAOB, shall be considered by CONSOB on a case by case basis. The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed, or for such time as otherwise required by applicable laws, rules and regulations.

3. Transparency: CONSOB will provide to data subjects information relating to the transfer and further processing of personal data as required by the Data Protection Law and Regulations.
The Parties acknowledge that the purpose and use of the personal data by the PCAOB are set forth in the Sarbanes-Oxley Act, as further described in Appendix I.

4. Security and confidentiality: The Parties acknowledge that in Appendix II, the PCAOB and CONSOB have provided information describing technical and organizational security measures deemed adequate by the Parties to guard against accidental or unlawful destruction, loss, alteration, disclosure of, or access to, the personal data. The PCAOB and CONSOB agree to update the information in Appendix II if changes are made to their technical and organizational security measures that would weaken the protection provided for personal data. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller. The Parties acknowledge that the Parties have provided information set forth in Appendix III, describing the applicable laws and/or rules relating to confidentiality and the consequences for any unlawful disclosure of non-public or confidential information or suspected violations of these laws and/or rules.

5. Rights of access, rectification, deletion and objection: The Parties acknowledge that a data subject whose personal data has been transferred to the PCAOB may request that CONSOB identify any personal data that has been transferred to the PCAOB and request that CONSOB confirm with the PCAOB that the data is complete, accurate and, if applicable, up-to-date and the processing is in accordance with the data processing principles in this Agreement. If the data turns out to be incomplete, inaccurate or outdated or the processing is not in accordance with the data processing principles in this Agreement, the data subject shall make a request directly to CONSOB for any rectification, erasure or blocking of data.

6. Sensitive data: Sensitive data, as defined in clause 1(h), shall not be transferred by CONSOB to the PCAOB.

7. Judicial data: Judicial data, as defined in clause 1(i), shall not be transferred by CONSOB to the PCAOB, except in compliance with the provisions of Data Protection Laws and Regulations.

8. Onward transfer:

a. When the PCAOB intends to disclose to another entity (except the U.S. Securities and Exchange Commission, or to the Attorney General of the United States or the states attorney general in connection with any criminal investigations), any personal data received in the course of cooperation pursuant to the SOP, it shall comply with the process set forth below.

b. The PCAOB shall request the prior written consent of CONSOB, indicating the type of personal data that it intends to transfer (including whether it intends to transfer personal data other than Auditor Information as defined in Article 2 above) and the reasons and purposes for which it considers it to be necessary to transfer personal data pursuant to section 105(b)(5) of the Sarbanes-Oxley Act.

c. If CONSOB agrees to the transfer, it may subject its consent to certain conditions. In particular, CONSOB may require certain personal data to be withheld or made anonymous, taking into account the Data Protection Laws and Regulations and other applicable EU or Italian legislation. If CONSOB does not provide its consent within 10 working days, or subject its consent to conditions, the PCAOB will consult further with CONSOB and consider CONSOB's objections and conditions.

d. In the exceptional cases where, in order to accomplish the purposes of the Sarbanes-Oxley Act or to protect investors, the PCAOB determines it necessary to onward share personal data received under the SOP despite CONSOB's objections or conditions, the PCAOB will use its best efforts to ensure that personal data transferred are limited to those strictly necessary and relevant for the aforesaid purposes.

e. It shall be the responsibility of CONSOB to provide relevant information to the data subject, if required by EU or Italian Law.

9. Redress: The Parties acknowledge that the data subject may request an effective administrative procedure before the Italian Data Protection Authority when his or her right to privacy has been infringed or data protection rules governing the processing of personal data have been violated with respect to him or her.

III. TERMINATION

This Agreement comes into force on the same date as the SOP. It will have effect only during the period the SOP is also in force. The Parties may consult and revise the terms of this Agreement in the event of a substantial change in the laws, regulations or practices affecting the operation of this Agreement. This Agreement may be terminated by either Party at any time. After termination of this Agreement, the Parties shall continue to maintain as confidential, consistent with the SOP, any information provided under the SOP.

Chairman
Public Company Accounting Oversight Board

Giuseppe Vegas
Chairman
Commissione Nazionale per le Società e la Borsa