Data Protection SFTR: Personal Data out of EEA

Any exchange or transmission of personal data by competent authorities of the Member States or by trade repositories…should be undertaken in accordance with…Directive 95/46/EC. Any exchange or transmission of personal data by ESMA, EBA or EIOPA should be carried out in accordance with…Regulation (EC) No 45/2001.

SFTR requires Trade Repositories (TRs) (and NCAs) to adhere to Directive 95/46/EC (UK transposition = the Data Protection Act 1998) for the exchange or transmission of personal data. Interestingly, SFTR fails to mention processing.ii

This has ramifications for TRs that outsource aspects of their operation to non-EEA

The aforementioned European agencies are additionally subject to Regulation (EC) No 45/2001 (on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data).

Given that the reporting obligation will only come into force after GDPR goes live on 25 May 2018, references to Directive 95/46/EC are without meaning as data protection will be superseded by GDPR. One can only assume legislators assumed Transaction Reporting would be in force prior to May 2018.

Thus, I shall consider these issues with reference to GDPR. In any case, GDRP ‘applies to the processing of personal data wholly or partly by automated means [ and non-automated means] of personal data.’iii

On a side note, the European Data Protection Supervisor approved of SFTR with respect to Data Protection issues.iv


What is Personal Data?


any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.v

I have cross referenced this definition with the 153 transaction reporting fields and I cannot find a field whose data matches this description. For example, Table 1 counterparty data fields require LEI identifiers (fields 2-3; 7-8; 10-11; 13-18). Indeed, ESMA’s 394-page Final Report contains not a single reference to ‘personal data’.

SFTR, unlike MiFIR, appears not to require personal data. Of course, TRs hold account-level personal data.


Non-EEA data transfers under GDPR

Notwithstanding the apparent absence of personal data from SFTR’s Transaction Reporting regime, a brief overview of requirements follows.

For non-EEA data transfers of personal data, GDPR operates on an adequacy These jurisdictions have been deemedvi to provide an ‘adequate’ level of data protection by the Commission:

  • Andorra,
  • Argentina,
  • Canada (commercial organisations),
  • Faeroe Islands,
  • Guernsey,
  • Israel,
  • Isle of Man,
  • Jersey,
  • New Zealand,
  • Switzerland and
  • Uruguay.

For all other non-EEA countries ‘appropriate safeguards’vii must be enacted in order for personal data to be transferred.


‘Appropriate safeguards’


(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules (BCRs) in accordance with Article 47 [more on this below];

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Alsoix, ‘subject to the authorisation from the competent supervisory authority’:

– contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

-provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.


If such ‘appropriate safeguards’ are put in place, prior consent is not requiredx from the data subject.

Insomuch as TRs deem transaction reporting data to contain personal data, the above mechanism would allow them to process personal data in third-country non-EEA firms in a legal manner under GDPR.


Binding Corporate Rules

Per (b), above, BCRs are one of the ways organisations can comply with data protection rules about ensuring adequate safeguards when personal data is sent outside the EEA.xi

GDPR Article 47 lists 16 conditions that must be fulfilled for BCRs. BCRs need to be approved by one of the EU’s data protection authoritiesxii; The UK’s ICOxiii is one such authority.

Around 25 per cent of the BCRs approved across Europe so farxiv have been authorised by the UK’s ICO. xv


Future Developments

On 20 December 2017, the EBA issued Recommendations On Cloud Outsourcing.xvi

While merely recommendations that only ‘apply to credit institutions and investment firms’, given the wide adoption of cloud solutions, they are likely to be considered in any future review or modification of GDPR.



[i] SFTR Recital 38

[ii] SFTR Recital 38

[iii] GDPR Article 2


[v] GDPR Article 4(1)


[vii] GDPR Article 46(1)

[viii] GDPR Article 46(2)

[ix] GDPR Article 46(3)

[x] GDPR Article 49(1)


[xii] GDPR Article 47, 57(1)(s)


[xiv] As of December 2017

[xv] ; accessed 1/12/2017