|
|
Tasks of collection bodies
Q1. Do you agree with the preferred approach outlined above, under which the validations will be defined on a cross-cutting basis without specifying explicitly the types of information to which a given validation should be applied (and understanding that they should be performed always when relevant for a given type of information as set out in the ITS on tasks of collection bodies or sectoral ITS)?
Yes. FESE agrees with ESMA that it is not necessary to specify how the validations should be performed for each type of information separately. That would make the Level 2 legislation prone to technological obsolesce and would need to be updated constantly. Instead, we agree that sufficient technological and procedural flexibility is necessary.
However, one of the legal issues that needs to be addressed by ESMA is the allocation of responsibility for ensuring compliance with GDPR on the ESAP platform. GDPR (Regulation 2016/679) imposes strict obligations on the treatment and storage of personal data, which may affect the information submitted by entities to the collection bodies and the ESAP platform. It is unclear whether the collection bodies, or the ESAP platform, will be considered as data controllers or data processors under GDPR, and what duties they have to inform each other of any deletion or modification of personal data.
We suggest that ESMA, or the Commission, should clarify this matter and provide guidance on how to coordinate the data protection obligations between the reporting entities, the collection bodies, and the ESAP platform. This would reduce the administrative burden and legal uncertainty for the collection bodies, who may not have direct access or control over the data stored on the ESAP platform. Furthermore, collection bodies may be legal entities that do not store or collect personal information in their day-to-day operations (like exchanges)...
more in full response