Data protection

Information on the protection of personal data within the ASF

From 25 May 2018 the legal framework in the field of personal data is changing with the applicability of the European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) and the adoption of new legal provisions for this area.

The Financial Supervisory Authority processes personal data covering a broad segment of categories of individuals, from representatives of entities in the non-banking financial markets, to beneficiaries and consumers of the services offered by these entities, petitioners or contractual or institutional partners of the ASF.

 

The processing of personal data at the level of the ASF is carried out in accordance with the following principles:

- Lawfulness, fairness and transparency (data are processed lawfully, fairly and transparently with respect to the data subject);
- Purpose limitation (data are collected for specified, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes);
- Data minimisation (data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed);
- Accuracy (data are accurate and, where necessary, kept up to date);
- Data are kept only within the legal deadlines in force;
- Security and confidentiality (data are processed in a way that ensures adequate security).

 

I. Information on the protection of personal data in the Financial Instruments and Investments Sector (SIIF)

1. Personal data processed by ASF - SIIF:

Personal data is information relating to a natural person who is identified or identifiable, directly or indirectly.
The ASF - Financial Instruments and Investments Sector processes the following categories of personal data:

- identification data: name, surname, person's name at birth (where applicable), National ID Card, series and number of identity card, passport, driving licence, home address, mailing address, e-mail, telephone (landline, fax, mobile), online identifier;

- information on occupation, nature of own activity, information on past and present professional activity, as well as professional performance, seniority, experience, data on personal and/or professional relationships;

- information of a special nature (membership of trade unions, medical data, e.g. in the case of a request for suspension of ASIF authorisation on the grounds of suspension of the employment contract (prenatal/childcare leave, etc.));

- information of a financial nature (e.g. income, trading data, trading history, accounts opened with financial institutions as well as their balances/payments, any charges/pledges on the account);

- information on the location of certain transactions;

- information relating to fraudulent/potentially fraudulent activity, consisting of data relating to investigations, prosecutions and convictions relating to, but not limited to, offences such as fraud, money laundering and terrorist financing;

- information relating to criminal offences or misdemeanours (e.g. tax/judicial records; administrative investigations) as well as decisions relating to individuals contained in court decisions and other acts of the judicial system;

- information resulting from the audio recording of telephone conversations, electronic communications and transfer data provided by financial services and credit institutions;

- information resulting from existing records of transfer data provided by telecommunications operators;

- information resulting from communication by persons reporting potential breaches of market abuse legislation (obtained in writing or by telephone);

- information resulting from the audio recording of assessment interviews;

- signature (e.g. signature provided on documents provided to the ASF by authorised/approved individuals in a professional relationship with entities regulated, authorised, supervised and controlled by the ASF in the capital market);

- any other information deriving from them as a result of the processing carried out by the ASF (such as: registration number in the A.S.F. register, various profiling necessary for the performance of the monitoring and control or prudential supervision activity, specific information on the authorisations issued and/or sanctions applied by the ASF);

- information obtained from sources other than the data subject (information on personal data and holdings and/or sanctions obtained from public institutions and authorities, from public registers, electronic databases, information available in social media as well as on the internet, or from authorised third parties holding such information, such as, but not limited to: Directorate for Personal Records and Database Administration, National Trade Registry Office, market/system operator, central depository, portal of Romanian courts administered by the Ministry of Justice, third parties authorized to hold databases of persons accused of terrorism, etc.);

- any other information that is necessary to carry out the activities of the ASF for the purposes set out below.

2. Categories of persons concerned

All natural persons whose personal data are processed are referred to as "Data Subjects".

The Financial Supervisory Authority, hereinafter referred to as ASF, Financial Instruments and Investments Sector, processes personal data of the following categories of data subjects:

a) Natural persons within entities operating in the non-bank financial markets regulated and supervised by the ASF, natural persons who are customers in a transaction with financial instruments or are party to transactions assimilated and/or dependent thereon and for whom the processing is carried out as a result of specific regulatory, authorisation, reauthorisation, supervision, monitoring and control processes carried out by the ASF in the exercise of the powers and duties provided for by the legislation in force, as follows:

- Shareholder; Offeror; Manager; Petitioner; Intermediary employee/market operator/central depositary; Persons subject to the application of European regulations; Direct transfer applicant; Investor; Issuer manager/manager of the issuer; Liquidator/Special administrator/judicial receiver/Financial auditors, persons carrying out transactions on and/or in relation to the capital market;

- Member of the BoD/CS/Directorate/Directors/persons exercising managerial responsibilities/persons having close links with them within the meaning of Art. 3 para. 1(26) of MAR (Regulation (EU) No 596/2014);

- ASIF/ADEL; RCCI;

- clients of intermediaries;

- independent analysts;

- any person who participates in the commission of a market abuse offence as well as the person related to the market abuse investigation pursuant to Article 125 of Law 24/2017 and Article 23 of MAR;

- any person who has access to inside information and works under an employment contract or other form of collaboration, performing tasks through which they have access to inside information, such as consultants, accountants or credit rating agencies (Art. 18 of MAR);

- natural persons who are clients of entities referred to in Article 16 of EU Regulation 596/2014 (MAR);

- Authorised natural persons providing IT services to regulated entities.

- Natural persons holding management positions (board members, SC, board of directors, directors) or key functions (internal control, risk manager, internal auditor) in an intermediary/market operator/central depository;

- distribution agents, potential acquirers;

- Various individuals requesting information on regulations as well as any other information/comments in the public consultation process/notifying exemption from certain regulations;

- Individuals acting as assessors and/or readers; persons mentioned in the documentation submitted, for whom there is no obligation to notify and who are mentioned in the individual documents; persons for whom there is an obligation to notify;

- The head of the depositary's organisational structure and his/her deputy; the natural person holding the position in the department/service carrying out the depositary activity;

- LIC/RDP having the status of an ADEL established in the territory of our country of an intermediary (IMF) of a Member State; IMF/ICSM providing investment and related services and activities at a distance under the free movement of services.

 

b) Any natural person who submits or transmits a valid petition to the ASF, in accordance with the regulatory provisions in force, regarding the products and services offered/provided by the entities on the markets regulated and supervised by the A.S.F. or regarding the activity of the ASF or the aforementioned entities, such as:

- Various petitioners, individuals, who are authorized in the capital market (e.g. directors; key persons (e.g. RCCI, RCCO, FARA, ICPF, etc.); members of CA/CS);

- Shareholders or investors, individuals, in entities authorised, regulated and supervised by ASF-SIIF, as appropriate;

- Various claimants, individuals, who are internal auditors in entities authorised, regulated and supervised by ASF-SIIF;

- Various natural persons who are external auditors;

- Individuals interested in the application of capital market legislation.

 

3. Purpose of collection and processing within the SIIF

Processing refers to any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as:

  • collection,
  • recording,
  • organisation,
  • structuring,
  • storage,
  • adaptation or modification,
  • extraction,
  • consultation,
  • use,
  • disclosure by transmission, dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • deletion or destruction.

Under the GDPR, the ASF is a personal data controller which determines the purpose and means of processing and contracts only with other associated controllers or processors that provide confidentiality and security guarantees.

In accordance with the legal provisions in force in the field of personal data protection, the ASF manages under secure conditions and only for the specified purposes, the personal data provided to it about the categories of individuals referred to in point 2.

In accordance with the legal provisions, the purposes of data collection are strictly related to the exercise of the legal powers of supervisory, regulatory, licensing and control authority of entities in the non-banking financial markets, in accordance with the legislation on the organisation and functioning of the ASF and the specific objectives of the respective sector of activity:

  1. to establish and maintain the legal framework necessary for the stable, efficient, fair and transparent development and operation of financial instruments markets and to promote confidence in them and in investments in financial instruments;
  2. protecting operators and investors against unfair, abusive and fraudulent practices and informing and educating investors;
  3. assessing and establishing the risk profile of supervised entities and the impact of serious breaches of conduct of business rules and/or prudential indicators;
  4. development of methodologies for supervisory and control activities of entities in the financial instruments and investment sector taking into account risk profile and indicators;
  5. preventing or mitigating risks that may affect the securities and financial investment markets as a result of major problems by ensuring prudential supervision and early intervention;
  6. preventing fraud, market manipulation and ensuring the integrity of financial instruments markets.

The purposes for which the ASF collects personal data are to process the data on the basis of which the Authority and its organisational structures can take the best decisions regarding the regulation and supervision of the non-banking financial markets and of the entities on the regulated and supervised markets, with regard to their situation, from the point of view of the exercise of the legal powers and duties of the ASF, in accordance with the regulatory provisions in force.

Thus, the purposes for which ASF-SIIF collects personal data are:

- approval of a purchase/purchase document under Law 24/2017; approval of a prospectus under Law 24/2017; approval of the issuance of a CIVM under Law 24/2017; withdrawal from trading and removal from the records of the A.S.F. under Law 24/2017; resolution of a complaint regarding non-compliance with certain obligations; resolution of a request under an MMoU;

- settlement of a complaint relating to non-compliance with certain obligations; establishment of contraventions established by Law 24/2017; establishment of obligations;

- fulfilling the legal obligations to report threshold overruns to the ASF; registering issuers with the A.S.F. under Law 24/2017; and issuing securities registration certificates;

- conducting periodic reviews and controls; conducting concerted reviews of SIFs; adopting insurance measures; dealing with referrals; dealing with requests from third parties; dealing with direct transfers and issuing opinions in this regard;

- presenting specific situations for information or decision making;

- Resolution of complaints/self-assessments regarding non-compliance with certain obligations provided for by Law no. 24/2017, Law no. 297/2004, Regulation no. 32/2006 and the regulations issued in application thereof, European capital market regulations; verification of compliance by issuers, shareholders, regulated entities and financial auditors with the provisions of the aforementioned regulatory acts; GEO no. 32/2012 as amended and supplemented; ASF Regulation no. 9/2014 with subsequent amendments and additions; Law no. 74/2015 with subsequent amendments and additions; ASF Regulation no. 10/2015; Establishment of contraventions established by Law 24/2017/Law no. 297/2004; establishment of obligations; warnings, GEO no. 32/2012 with subsequent amendments and additions; A.S.F. Regulation no. 9/2014 with subsequent amendments and additions; Law no. 74/2015 with subsequent amendments and additions; ASF Regulation no. 10/2015;

- fulfilment of legal transparency obligations by issuers reporting to the ASF under Law 24/2017 of Law no. 297/2004 and GEO no. 32/2012

- exercising the powers of authority in the field of market abuse, by carrying out analyses on the possible incidence of the legal provisions on market abuse, drawing up minutes of referral to prosecution bodies; drawing up individual acts (administrative sanction decisions, hearing decisions, minutes of meetings or minutes of hearings) for the imposition of sanctions/obligations or calling the persons concerned to a hearing as provided for by Law 24/2017; processing the lists of persons with access to inside information, which is drawn up in accordance with Art. 18 of MAR and communicated to the competent authorities upon their request, as well as STOR (Suspicious Transaction and Order Report) which is transmitted pursuant to Art. 16 of EU Regulation 596/2014 (MAR) in conjunction with the provisions of Delegated Regulation (EU) No 2016/957; processing of transaction reports made by management staff.

- Obtaining data and/or information necessary to complete the analysis/investigation of the possible incidence of market abuse provisions, providing information necessary to other directorates/departments of the ASF necessary to carry out the tasks given to them by law;

- Performance of a task resulting from the exercise of public authority, e.g.: control of entities authorised by the ASF on the basis of ASF Regulation no. 11/2016; drawing up documents specific to the control activity (control sheets, questionnaires filled in by the controlled entities, explanatory notes requested from the controlled entities, findings notes drawn up during the control, minutes of withdrawal of documents from the control, control minutes, hearing minutes, control notes and information notes, control decisions, sanctions, hearing, action plans; addresses/information sheets on the results of the control); filling in ESMA's database with information on contravention sanctions based on the provisions of Directive 2014/65/EU (MiFID II), EU Regulation No 600/2014 (MiFIR), Directive 2014/57/EU (MAD II), EU Regulation No 596/2014 (MAR), Directive 2009/65/EC (UCITS) and Directive 2011/61/EU (AIFMD);

- issuing interpretative opinions and opinions and decisions based on Art. 6 of GEO no. 93/2012;

- analysing the comments received following the process of decision-making transparency of regulatory acts in accordance with the requirements imposed by Law 52/2003, as amended;

- approval of the rules of operation of central depositories pursuant to Article 149 (1) of Law 297/2004, as subsequently amended and supplemented; approval of the rules of operation of trading venues pursuant to Article 134 para. (1) and the provisions of Article 139 (4);

- issuing opinions and decisions under Article 6 of GEO no. 93/2012;

- analysis of the impact of issuing regulations; issuing opinions on draft regulations of other authorities according to GEO no. 93/2012;

- participation in interview committees for interviewing persons holding managerial or key positions;

- interpreting the provisions of the legislation applicable to issuers, SAIs, AIFMs, depositories, UCIs and AIFs under GEO no. 32/2012 as amended; ASF Regulation no. 9/2014 as amended; Law no. 74/2015 as amended; ASF Regulation no. 10/2015 as amended; Law no. 24/2017 as amended; and ASF Regulation no. 1/2006 as amended;

- personal data are collected and used for the processing of applications submitted for the authorisation/approval/registration of the category of data subjects and for the purpose of monitoring the fulfilment of the related conditions envisaged for the authorisation/approval of regulated entities falling within the scope of the SIIF, in accordance with the following main regulatory acts: Law no. 297/2004, ASF Regulation No. 14/2015, ASF Regulation No. 3/2016, ASF Regulation No. 32/2006, ASF Regulation No. 8/2015, ASF Regulation No. 2/2006, CNVM Regulation No. 13/2005, ASF Regulation No. 10/2017, ASF Regulation No. 12/2010, ASF Regulation No. 4/2009, ASF Rule No. 27/2015, as well as ASF Rule No. 6/2015;

- notifications sent by the competent authorities of the Member States via the passport e-mail address (pasaport.notificari@asfromania.ro); updating in the ASF register of investment firms (FISM)/credit institutions in the Member States (ICSM), as well as the activities and services they perform on the territory of Romania remotely or through branches/ADELs established in Romania;

- audio recording of telephone conversations with the ASF with the consent of the person concerned, in the case of a report of violations of market abuse legislation, or audio recording of the assessment interview or a hearing, with the consent of the person interviewed/heard;

- archiving both in physical and electronic format of documents, performing registry services for correspondence addressed to the ASF - SIIF and sent by the ASF-SIIF, as well as performing courier activities, as appropriate;

- the settlement of disputes, investigations or any other petitions/complaints/requests to which ASF-SIIF is a party;

- making referrals/reports to the competent institutions in accordance with the legal regulations applicable to the ASF (e.g.: referral to the criminal prosecution authorities in the exercise of the powers conferred on the Authority in relation to market abuse, theft of clients' financial instruments and/or related funds (embezzlement, forgery, etc.), reporting to ESMA of capital market sanctions and other information provided for in European Regulations and Directives);

Please note that personal data are sometimes used by the A.S.F. for a number of secondary purposes (e.g. archiving, internal, external audit, etc.), which are always compatible with the main purposes for which the data were originally collected by the A.S.F.

4. On what grounds does the ASF - Financial Instruments and Investments Sector (SIIF) process personal data?

The personal data managed by the ASF, under the terms of the law, are intended exclusively for use by the ASF in the performance of its legal duties and powers.

The ASF-SIIF processes your personal data for the above purposes on the following grounds:

- on the basis of the data subject's consent (e.g.: recording of assessment interview for a managerial or key position; recording of hearing; recording of telephone call for reporting a case of market abuse);

- on the basis of the legal obligations incumbent on the A.S.F. (exercise of the legal powers of supervisory, regulatory, authorisation and control authority over entities in the non-banking financial markets, in accordance with the legislation on the organisation and functioning of the A.S.F. and with the legislation in force regulating sector-specific activities);

 

II. Information on the protection of personal data within the Insurance - Reinsurance Sector (SAR)

1. Personal data processed by the Financial Supervisory Authority, Insurance - Reinsurance Sector (hereinafter referred to as the ASF - SAR)

 

Personal data is information relating to a natural person who is identified or identifiable, directly or indirectly. A.S.F., Insurance - Reinsurance Sector, processes the following categories of personal data:

- identification data: name, surname, name at birth of the person (where applicable), CNP, series and number of identity card, passport, driving licence, home address, correspondence address, e-mail, telephone (landline, fax, mobile), RAF code; online identifier;

- information on occupation, education, nature of own activity, information on previous and present professional activity and professional performance, seniority, curriculum vitae, educational qualifications, experience, data on personal and/or professional relations;

- information of a special nature: membership of trade unions, medical data contained in medical certificates and/or health insurance policies and related documentation;

- information of a financial nature: bank statements, information on financial situation;

- information relating to fraudulent/potentially fraudulent activity, criminal offences or contraventions consisting of:

  • data relating to charges and convictions related to offences under financial and banking legislation, including offences relating to money laundering and financing of terrorism;
  • offences against property or other economic/financial crimes;
  • offences under tax legislation;
  • other offences under company, bankruptcy, insolvency and consumer protection legislation;
  • previous or ongoing relevant administrative investigations or inquiries, enforcement actions or the imposition of administrative sanctions for non-compliance with the provisions applicable to activities regulated by financial/banking legislation;
  • tax/judicial records; administrative investigations as well as decisions relating to individuals contained in court decisions and other acts of the judicial system;

- information resulting from audio recordings of assessment interviews or meetings on various topics;

- signature (e.g. signature given on documents provided to the ASF by authorised/approved individuals in a professional relationship with entities regulated, authorised, supervised and controlled by the ASF);

- any other information deriving from them as a result of the processing carried out by the ASF such as: registration number in the ASF register; various profiling necessary for the performance of the monitoring and control or prudential supervision activity, specific information on the authorisations issued and/or sanctions applied by the ASF;

- information obtained from sources other than the data subject: information on personal data and holdings and/or sanctions obtained from public institutions and authorities, from public registers, electronic databases, information available in social media as well as on the internet, or from authorised third party holders of such information, such as, but not limited to: the Directorate for Personal Records and Database Administration, the National Trade Registry Office, the portal of Romanian courts administered by the Ministry of Justice, third parties authorized to hold databases of persons accused of terrorism, etc.;

- any other information that is necessary to carry out the activities of the ASF for the purposes set out below.

2. Categories of persons concerned

All natural persons whose personal data are processed are referred to as "Data Subjects".

The ASF - SAR processes personal data of the following categories of data subjects:

a) Natural persons within the entities operating in the non-banking financial markets regulated and supervised by the ASF, as a result of carrying out specific authorisation, re-authorisation, supervision, monitoring and control processes carried out by the ASF in the exercise of the powers and duties provided for by the legislation in force, as follows:

- individual shareholders of insurance and reinsurance companies and insurance intermediaries;

- natural persons providing management of insurance and reinsurance companies and management of insurance and reinsurance intermediaries/brokers;

- own staff authorised to conduct insurance intermediation business of the entities referred to above;

- representatives of supervised entities responding to requests from the ASF;

- individuals requesting information about regulations as well as any other information/comments in the public consultation process/notifying exemption from certain regulations.

b) Natural persons acting in their own name or as representatives of legal persons involved in insurance - reinsurance activity:

- employees of motor vehicle repair shops;

- loss adjusters and loss adjusters;

- representatives of receivers, valuers;

- financial auditors;

- IT auditors;

- lecturers in insurance.

c) Any natural person who submits or transmits a valid petition to the ASF, in accordance with the regulations in force, regarding the products and services offered/provided by entities in the markets regulated and supervised by the ASF or regarding the activity of the ASF.

 

3. Purpose of collection and processing in the SAR

Collection and processing refers to any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as:

  • collection,
  • recording,
  • organisation,
  • structuring,
  • storage,
  • adaptation or modification,
  • extraction,
  • consultation,
  • use,
  • disclosure by transmission, dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • deletion or destruction.

Under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), the ASF is a personal data controller that determines the purpose and means of the processing and contracts only with other associated controllers or processors that provide confidentiality and security safeguards.

In accordance with the legal provisions in force in the field of personal data protection, the ASF manages under secure conditions and only for the specified purposes, the personal data provided to it on the categories of individuals referred to in point 2.

In accordance with the legal provisions, the purposes of data collection are strictly related to the exercise of legal powers as regulator, authorizer, supervisor and controller of entities in the non-banking financial markets, in accordance with the legislation on the organization and functioning of the ASF and with the legislation in force regulating the specific activities of the sector of activity, powers that concern:

- the stable and efficient functioning of the insurance-reinsurance market, so as to ensure the protection of policyholders and maintain market stability;
- the development and improvement of prudential supervision mechanisms and the prevention or mitigation of risks that may affect the insurance-reinsurance market as a result of major problems arising, by intervening at an early stage;
- ensuring convergence of supervisory practices and tools and developing methodologies for the supervision and control of insurance and reinsurance entities, taking into account risk profiles and indicators;
- ensuring convergence of insurance regulations adopted at national and European level;
- developing and maintaining an active dialogue between the ASF and the entities in the insurance-reinsurance market, with a view to a unified approach to the organisation and functioning of this market.

According to the legal powers and competences of the ASF, in accordance with the provisions of the regulations in force, the purposes for which the ASF collects personal data are to process data on the basis of which the authority and its organisational structures can take the best decisions regarding the regulation and supervision of the non-banking financial markets and the authorisation and operation of entities in the regulated and supervised markets.

Thus, the purposes for which the ASF - SAR collects personal data are:

- to ensure a comprehensive, stable and coherent legal framework in the field of insurance-reinsurance by updating and consolidating secondary legislation, following the experience acquired, in the light of the domestic and international context of the economic and financial environment;

- to ensure convergence of insurance regulations adopted at national, European and international level;

- supporting the development of the insurance-reinsurance sector by developing the regulatory framework for supervisory and control mechanisms;

- verifying, with maximum efficiency and accuracy, the fulfilment of the legal conditions relating to the authorisation, endorsement or withdrawal of authorisations or approvals for entities operating in the insurance and reinsurance sector;

- ensuring prudential supervision and control based on risk identification, prevention and management;

- aligning risk supervision with international best practices;

- developing a system for adequate risk quantification and risk profiling of supervised entities;

- promoting the use of modern actuarial techniques to protect the interests of policyholders.

Please note that personal data are sometimes used by the A.S.F. for a number of secondary purposes (e.g. archiving, internal, external audit, etc.), which are always compatible with the main purposes for which the data were originally collected by the A.S.F.

 

4. The grounds on which the ASF - SAR processes personal data

Personal data managed by A.S.F. - S.A.R., under the terms of the law, are exclusively intended for use by the ASF in the performance of its legal duties and powers.

The A.S.F. - S.A.R. processes personal data for the above-mentioned purposes on the following grounds:

- on the basis of the data subject's consent, if this has been granted for audio recordings in the following situations:

  • evaluation interviews of persons occupying or proposed to occupy management positions;
  • any hearings/meetings organised on various topics;

- on the basis of the legal obligations incumbent on the ASF (exercise of its legal powers as regulator, authoriser, supervisor and controller of entities in the non-banking financial markets, in accordance with the ASF's organisational and operational legislation and the legislation in force governing sector-specific activities);

 

III. Information on the protection of personal data within the Private Pension System Sector (PSSS)

 

1. Personal data processed by ASF - SSPP:

Personal data is information relating to a natural person who is identified or identifiable, directly or indirectly. A.S.F., Private Pension System Sector, processes the following categories of personal data:

- identification data: name, surname, name at birth of the person (where applicable), CNP, series and number of identity card, passport, driving licence, home address, correspondence address, e-mail, telephone (landline, fax, mobile), online identifier;

- information on occupation, nature of own activity, information on past and present professional activity, as well as professional performance, seniority, experience, data on personal and/or professional relationships;

- information of a special nature (membership of trade unions, medical data contained in medical certificates, e.g. in the case of a request for suspension of the ASF authorisation due to suspension of the employment contract (prenatal/childcare leave, etc.));

- information of a financial nature (e.g. income, transaction data, transaction history, transactions carried out in a given period, holdings, income of the individual concerned, accounts opened with financial institutions as well as their balances/payments);

- information relating to the location of the execution of certain transactions (e.g. if certain transactions are executed in different trading venues);

- information relating to fraudulent/potentially fraudulent activity, consisting of data relating to charges and convictions for offences such as fraud, money laundering and terrorist financing;

- information relating to criminal offences or misdemeanours (e.g. tax/judicial records; administrative investigations) as well as decisions relating to individuals contained in court decisions and other acts of the judicial system;

- information resulting from the audio recording of telephone calls or assessment interviews (content and metadata, e.g. call recorded with the consent of the person in case of a report of market abuse violations or audio recorded interview with the consent of the interviewee);

- signature (e.g. signature given on documents provided to the ASF by authorised/approved natural persons in a professional relationship with entities regulated, authorised, supervised and controlled by the ASF in the private pension market);

- any other information deriving from them as a result of the processing carried out by the ASF (such as: registration number in the ASF register; various profiling necessary for the performance of the monitoring and control or prudential supervision activity; specific information on the authorisations granted and/or sanctions imposed by the ASF);

- information obtained from sources other than the data subject (information on personal data and holdings and/or sanctions obtained from public institutions and authorities, from public registers, electronic databases, information available in social media as well as on the internet, or from authorised third parties holding such information, such as, but not limited to: the Directorate for Personal Records and Database Administration, the National Trade Registry Office, the portal of Romanian courts administered by the Ministry of Justice, third parties authorised to hold databases of persons accused of terrorism, etc.);

- any other information that is necessary to carry out the activities of the ASF for the purposes set out below.

2. Categories of persons concerned

All natural persons whose personal data are processed are referred to as "Data Subjects".

The Financial Supervisory Authority, hereinafter referred to as the FSA, Private Pensions Sector, processes the personal data of the following categories of data subjects:

a) Natural persons within the entities operating in the private pension market regulated and supervised by the ASF, as a result of carrying out specific regulatory, authorisation, reauthorisation, supervision, monitoring and control processes carried out by the ASF in the exercise of the powers and duties provided for by the legislation in force, as follows:

- Founders (natural persons);

- Shareholders/associates;

- Members of the BoD/SC;

- Members of the Supervisory Board;

- Members of the Management Board, Directors;

- Head of Internal Control;

- Risk Management Officer;

- Actuary;

- Financial Auditor;

- Information Systems Audit Expert;

- Administrators;

- Persons responsible for marketing activities;

- Marketing agents (natural persons);

- Shareholders (natural persons);

- Founders (natural persons);

- Pension fund participants;

- Persons responsible for marketing activity;

- Claimants;

- Any individual authorised / supervised by the ASF / shareholders, eligible persons / participants, etc.

 

b) Other individuals who submit or send a petition to the ASF, in accordance with the regulations in force, regarding the services offered/provided by the entities on the markets regulated and supervised by the A.S.F. or regarding the activity of the ASF or the aforementioned entities, such as:

- Various petitioners who are natural-person marketing agents authorised in the private pension market;

- Shareholders or investors, natural persons, in entities authorised, regulated and supervised by the ASF - SSPP, as the case may be;

- Various claimants, natural persons, who are internal auditors in entities authorised, regulated and supervised by ASF-SSPP;

- Various petitioners, natural persons, who are external auditors;

 

3. The purpose of processing personal data within the SSPP.

According to Article 4(2) of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR"), processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as:

  • collection,
  • recording,
  • organisation,
  • structuring,
  • storage,
  • adaptation or modification,
  • extraction,
  • consultation,
  • use,
  • disclosure by transmission, dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • deletion or destruction.

The purposes for which ASF - SSPP collects personal data are:

- To process an application for authorisation to set up a pension company and authorisation to manage privately managed pension funds, based on: Law no. 411/2004 and Rule no. 22/2016,

- Settlement of an application for authorisation to establish a pension company and authorisation to manage voluntary pension funds, based on: Law no. 204/2006 and Regulation no. 23/15.04.2016,

- Authorisation of the pension scheme prospectus, based on: Law No 411/2004 on privately administered pension funds; Law No 204/2006 on voluntary pension funds; Rule 22/2015 on privately administered pension fund authorisation, Rule No 23/2015 on voluntary pension fund authorisation,

- Approval of members of the management structure and persons holding key positions in entities regulated by the A.S.F., based on: Law no. 411/2004 on privately administered pension funds; Law no. 204/2006 on voluntary pension funds; Rule no. 22/2016 on the authorisation for the establishment of the pension company and the authorisation for the administration of privately administered pension funds, Rule no. 23/2016 on the authorisation for the establishment of the pension company and the authorisation for the administration of voluntary pension funds, Regulation no. 14/2015 on the assessment and approval of members of the management structure and persons holding key positions in entities regulated by the A.S.F.,

- Authorisation to amend the articles of association as a result of changes in shareholding, BoD/SC members, Board members/General Manager, based on: Law No 411/2004 on privately administered pension funds; Law No 204/2006 on voluntary pension funds; Rule No 22/2016 on the authorisation to establish the pension company and the authorisation to administer privately administered pension funds, Rule No 23/2016 on the authorisation to establish the pension company and the authorisation to administer voluntary pension funds,

- Approval of the depositary of pension fund assets, based on: Act No 411/2004 on privately administered pension funds; Act No 204/2006 on voluntary pension funds; Rule No 11/2014 on the activity of depositing and custody of assets of privately administered pension funds, Rule No 10/2014 on the activity of depositing and custody of assets of voluntary pension funds,

- Approval of the financial auditor, based on: Law no. 411/2004 on privately administered pension funds; Law no. 204/2006 on voluntary pension funds; Rule no. 27/2015 on financial audit activity in entities authorised, regulated and supervised by the A.S.F.,

- Approval of transactions with shares of a manager and significant shareholders, based on: Law no. 411/2004 on privately administered pension funds, republished, as amended; Law no. 204/2006 on voluntary pension funds, as amended; Regulation no. 3/2016 on the applicable criteria and procedure for the prudential assessment of acquisitions and increases of shareholdings in entities regulated by the Financial Supervisory Authority,

- Amendment of the company contract, based on: Law No 411/2004 on privately administered pension funds, republished, as amended; Law No 204/2006 on voluntary pension funds, as amended; Rule 22/2015 on the authorisation of privately administered pension fund, Rule No 23/2015 on the authorisation of voluntary pension fund,

- Authorisation of merger of funds, based on: Act No 411/2004 on privately administered pension funds; Act No 204/2006 on voluntary pension funds; Rule No 12/2013 on the protection of participants in case of merger of privately administered pension funds, Rule No 26/2014 on the transfer of participants between privately administered pension funds; Rule No 1/2011 on the merger of voluntary pension funds; Rule No 14/2006 on the transfer of participants between voluntary pension funds,

- Authorisation/approval/revocation/withdrawal of individual marketers, update of personal data of individual marketers, based on: Act No. 411/2004 on privately administered pension funds; Act No. 204/2006 on voluntary pension funds; Rule No. 22/2016 on the authorisation for the establishment of pension company and the authorisation for the administration of privately administered pension funds, Rule No. 23/2016 on the authorisation for the establishment of pension company and the authorisation for the administration of voluntary pension funds, Regulation No. 14/2015 on the evaluation and approval of members of the management structure and persons holding key positions in entities regulated by the ASF, Rule no. 27/2015 on the financial audit activity in entities authorised, regulated and supervised by the A.S.F., Rule No 22/2015 on the authorisation of privately administered pension funds, Rule No 23/2015 on the authorisation of voluntary pension funds, Rule No 11/2014 on the activity of deposit and custody of assets of privately administered pension funds, Rule No 10/2014 on the activity of deposit and custody of assets of voluntary pension funds,

- Authorisation/approval of marketing agents that are legal entities and of specialised legal entities, and amendment of the memorandum of association of a private pension broker, based on: Act No 411/2004 on privately administered pension funds; Act No 204/2006 on voluntary pension funds; Rule No 3/2013 on marketing activity of privately administered pension fund; Rule No 16/2013 on marketing activity of voluntary pension fund.

- Ensuring prudential supervision, supervision of compliance with the rules of conduct of authorised entities and control, based on the identification, prevention and management of risks; aligning risk supervision with best practices and international standards; creating and developing a system for adequate risk quantification and for defining the risk profile of supervised entities, taking into account best practices and means used internationally.

- Performance of a task resulting from the exercise of public authority, e.g. control of entities authorised by the A.S.F. on the basis of GEO 93/2012, Law 411/2004, Law 204/2006, GEO 50/2005, A.S.F. Regulation no. 11/2016; preparation of documents specific to the control activity (control sheets, questionnaires filled in by the controlled entities, explanatory notes requested from the controlled entities, notes of findings drawn up during the control, minutes of withdrawal of documents from the control, control minutes, control notes and information notes, control decisions, sanctions, hearings, action plans); addresses/information sheets on the results of the control;

- Archiving both in physical and electronic format of documents, carrying out registry services for correspondence addressed to the A.S.F.-S.S.P.P. and sent by the A.S.F.-S.S.P.P.;

- Making referrals/reporting to the competent institutions in accordance with the legal regulations applicable to A.S.F. (e.g. referral to the prosecution authorities, reporting to EIOPA of sanctions in the private pension market and other information provided for in European Regulations and Directives).

 

4. Legal grounds for processing of personal data by the ASF - SSPP

The personal data managed by the ASF, under the terms of the law, are intended exclusively for use by the ASF in the performance of its legal duties and powers.

The ASF - SSPP processes personal data for the above-mentioned purposes on the following grounds:

- on the basis of the legal obligations incumbent on the ASF (exercise of its legal powers as the supervisory, regulatory, authorisation and control authority of entities in the private pension market, in accordance with the ASF's organisational and operational legislation and the legislation in force governing the specific activities of the sector);

- on the basis of the data subject's consent, if given (e.g.: assessment interview for a management or key position; hearing registration);

 

IV. Information on the protection of personal data handled in the petitions process

1. Personal data processed by the ASF in the petitions process:

Personal data is information relating to a natural person who is identified or identifiable, directly or indirectly. The ASF processes the following categories of personal data:

- identification data: name, surname, name at birth of the person (where applicable), CNP, series and number of identity card, passport, driving licence, home address, correspondence address, e-mail, telephone (landline, fax, mobile), online identifier;

- information of a special nature, such as: medical data, data relating to vehicles owned, etc. contained in the documentation relating to the damage files opened with insurance companies;

- information of a financial nature (e.g. income, transaction data, transaction history, transactions carried out in a given period, holdings, income of the individual concerned, accounts opened with financial institutions and their balances/payments);

- information relating to the location of the execution of certain transactions (e.g. if certain transactions are executed in different trading venues);

- information relating to fraudulent/potentially fraudulent activity, consisting of data relating to charges and convictions for offences such as fraud, money laundering and terrorist financing;

- information relating to criminal offences or misdemeanours (e.g. tax/judicial records; administrative enquiries) but also decisions relating to individuals contained in court decisions and other acts of the judicial system;

- information resulting from the audio recording of telephone calls (content and metadata, e.g. call recorded in an insurance company call centre);

- signature (e.g. signature given in petitions provided to the A.S.F. by individuals or existing on documents submitted by entities regulated, authorised, monitored and controlled by the A.S.F. for the settlement of petitions);

- any other information deriving from them as a result of the processing carried out by the ASF (such as: registration number in the ASF register; various profiling necessary for the performance of the monitoring and control or prudential supervision activity; specific information on the authorisations granted and/or sanctions imposed by the ASF);

- information obtained from sources other than the data subject (information on personal data obtained from public institutions and authorities, from public registers, electronic databases, information available in social media as well as on the internet, or from authorized third parties, holders of such information, such as, but not limited to: the National Trade Register Office, the portal of Romanian courts administered by the Ministry of Justice, etc.);

- any other information that is necessary to carry out the activities of the ASF for the purposes set out below.

2. Categories of persons concerned in the petitions process

All natural persons whose personal data are processed are referred to as "Data Subjects".

The Financial Supervisory Authority, hereinafter referred to as the FSA, processes the personal data of the following categories of data subjects:

a) Natural persons within the entities operating in the non-banking financial markets regulated and supervised by the A.S.F., as a result of carrying out specific regulatory, authorisation, supervision, monitoring and control processes carried out by the A.S.F. in the exercise of the powers and duties provided for by the legislation in force, as follows, but without limitation:

- Shareholder; Offeror; Intermediary management person; Intermediary employee; Market operator employee; Persons concerned by the application of European regulations; Direct transfer applicant; Investor; Issuer administrator/person in charge of the issuer; Liquidator/Special administrator/judicial/financial auditors; Persons appointed as Coordinators of the Petition Analysis and Resolution Team or their substitutes;

- persons from the management of BAAR or FGA;

- Board/SC/Directorate member/persons exercising managerial responsibilities;

- Individuals holding senior management positions (BoD/SC members, Directors) or key functions (internal control, risk manager, internal auditor), distribution agents;

- various individuals requesting information on regulations as well as any other information/comments in the public consultation process/notifying exemption from certain regulations;

- natural persons who are assessors; persons mentioned in the documentation submitted, for whom there is or is not an obligation to notify;

b) Any natural person who submits or transmits a valid petition to the A.S.F., in accordance with the regulatory provisions in force, regarding the products and services offered/provided by the entities on the markets regulated and supervised by the A.S.F. or regarding the activity of the ASF or the aforementioned entities, such as but not limited to:

- various complainants, individuals;

- shareholders or investors, individuals;

- participants, beneficiaries, individuals;

- policyholders, injured parties, beneficiaries, contractors, individuals;

- natural persons interested in the application of non-banking financial legislation;

- various petitioners, natural persons, who are external auditors;

- individuals interested in the application of capital market legislation.

 

3. Purpose of collection and processing in the petitions process

Processing means any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as:

  • collection,
  • recording,
  • organisation,
  • structuring,
  • storage,
  • adaptation or modification,
  • extraction,
  • consultation,
  • use,
  • disclosure by transmission, dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • deletion or destruction.

Under the GDPR, the FSA is a personal data controller which determines the purpose and means of processing and contracts only with processors or associated controllers that provide guarantees of confidentiality and security.

In accordance with the legal provisions in force in the field of personal data protection, the ASF manages the personal data provided to it about the categories of individuals referred to in point 2 under secure conditions and only for the specified purposes.

In accordance with the legal provisions, the purposes of data collection are strictly related to the exercise of the legal powers of supervisory, regulatory, authorisation and control authority of the entities of the non-banking financial markets, in accordance with the legislation on the organisation and functioning of the ASF, with the legislation in force regulating the specific activities of the sectors of non-banking financial activity and with the provisions of Government Ordinance no. 27/2002 on the regulation of the activity of petition resolution, approved by Law no. 233/2002, with subsequent amendments and additions, namely:

  1. establishing and maintaining the legal framework necessary for the development and stable, efficient, fair and transparent functioning of, and promoting confidence in, the non-bank financial market;
  2. protecting operators and investors against unfair, abusive and fraudulent practices and informing and educating investors;
  3. protecting the rights of policyholders, beneficiaries and injured parties;
  4. protecting the rights of participants and beneficiaries;
  5. identifying deficiencies and unfair and/or potentially abusive practices.

The ASF collects personal data in order to process the data on the basis of which the authority and its organisational structures can take the best decisions regarding the regulation and supervision of the non-banking financial markets and of the entities on the regulated and supervised markets, in the exercise of the legal powers and duties of the ASF and in accordance with the regulations in force.

Thus, the purposes for which the ASF collects personal data in the process of solving petitions are:

- to resolve a petition relating to non-compliance with certain obligations by entities in the non-banking financial market;

- to identify possible shortcomings and unfair or potentially abusive practices;

- the presentation of specific situations for information or decision making;

- carrying out analyses in the light of petitions registered with the ASF or at market level;

- carrying out analyses in relation to MTPL claims files opened with insurance companies;

- preparation of notes on the analysis of petitions registered with the ASF or at entity and/or market level;

- obtaining data and/or information necessary to resolve petitions;

- providing information at the request of other ASF directorates/departments;

- audio recordings of telephone conversations with the ASF in the call centre with the consent of the person concerned;

- archiving both in physical and electronic format of documents, performing registry services for correspondence addressed to the ASF - DRPP and sent by the ASF-DRPP;

- making referrals/reports to the competent institutions in accordance with the legal regulations applicable to the ASF (e.g. referral to the criminal prosecution authorities in the exercise of the powers conferred on the Authority).

Please note that personal data are sometimes used by the ASF for a number of secondary purposes (e.g. archiving, internal and external audit, etc.), which are always compatible with the main purposes for which the data were originally collected by the ASF.

4. On what grounds does the ASF process the personal data of applicants

The personal data handled by the ASF in the process of handling petitions, under the terms of the law, are intended exclusively for use by the ASF in the performance of its legal duties and powers.

The ASF processes personal data for the above-mentioned purposes on the following grounds:

- on the basis of the data subject's consent, if granted (e.g. call centre, petition);

- on the basis of the legal obligations incumbent on the ASF (exercise of the legal powers of supervisory, regulatory, licensing and control authority of entities in the non-banking financial markets, in accordance with the legislation on the organisation and functioning of the ASF, with the legislation in force regulating the specific activities of the sectors of activity and with those of the Government Ordinance no. 27/2002 on the regulation of the petitions settlement activity, approved by Law no. 233/2002, as amended).

 

V. The recipients of the personal data processed by ASF may be:

The data subject;
Legal representatives of the data subject;
Employees of the ASF with access rights;
Service providers: IT services (maintenance, software development), archiving in physical and/or electronic format; courier; audit; support services; market research;
Bailiffs and notary offices, external consultants advising or assisting the ASF in the exercise and defence of rights in court;
Financial regulatory and supervisory institutions in Romania and abroad (NBR, ASF counterparts in EU Member States and/or third countries, ESMA, EIOPA, EBA, IOSCO, etc.);
Judicial bodies in Romania and abroad, such as members of courts, arbitration courts, public prosecutors' offices;
Central and local public authorities in Romania (e.g. MAI, ANAF, ONPCSB, Competition Council, National Archives), and in other countries, police bodies;
Institutions investigating and supporting cyber security incidents;

 

In order to fulfil the purposes mentioned above, the ASF may transfer some categories of personal data outside Romania or EU/EEA countries to:

(i) the United States of America (under the existing EU/US Privacy Shield),

(ii) States to which the data subject consents to the transfer of data or to

(iii) other States (under appropriate safeguards such as standard contractual clauses or administrative arrangements to which the ASF is a party).

Thus, the transfer of data can be made either on the basis of an adequacy decision issued by the European Commission under Art. 45 of the GDPR attesting that the third state meets those criteria, or on the basis of adequate safeguards, which may be provided through standard data protection clauses adopted by the ANSPDCP and approved by the Commission in accordance with the examination procedure, or may be provided through provisions to be included in an administrative agreement between the ASF and the entity to which the data is transferred, which includes enforceable and effective rights for data subjects, and which must receive authorisation from the ANSPDCP. In this case, too, the data subjects must be informed in advance, at the latest on the date on which the data transfer is to take place.

VI. Storage period of personal data collected and/or processed

The storage period and the criteria used to determine the period shall be those laid down in the national legislation relating to the storage and archiving of documents containing the personal data concerned.

In order to achieve the aforementioned purposes, personal data will be processed by the ASF throughout the performance of its legal duties as supervisory, regulatory, licensing and control authority of entities in the non-banking financial markets, in accordance with the ASF's organisational and operational legislation and with the legislation in force regulating sector-specific activities, as well as after its completion in order to comply with the applicable legal obligations in the field, including but not limited to archiving provisions.

 

VII. Rights of the persons whose personal data are collected and/or processed

The data subject has the following rights:

  1. Right to information - the right to receive detailed information on the processing activities carried out by the ASF;
  2. Right of access - the data subject may request and obtain confirmation as to whether or not his or her personal data are processed by the ASF and, if so, may request access to them and to certain information. Upon request, the FSA will also issue a copy of the personal data processed; additional copies may be charged at the FSA's actual cost;
  3. Right to rectification - this is the right to have inaccurate personal data rectified and incomplete personal data completed;
  4. Right to erasure of data ("right to be forgotten") - applies in situations expressly covered by the GDPR Regulation (in particular in case of withdrawal of consent or if it is found that the processing of personal data was not lawful), the data subject may obtain the erasure of such data. Following such a request, the ASF may anonymise the data, depriving them of their personal nature and thus continue processing for statistical purposes. Furthermore, the right to be forgotten does not apply to the extent that the processing is necessary for the exercise of the right to freedom of expression and information; for compliance with a legal obligation to process under Union or national law applicable to the ASF or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the ASF, as well as for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, or for the establishment, exercise or defence of legal claims.
  5. The right to restrict processing - applies in situations expressly regulated by law (in particular if the accuracy of the data in question is contested during the period necessary to determine its inaccuracy or if the processing is unlawful and the data is not to be erased, but only restricted). Where processing has been restricted, such personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.
  6. Right to object - the data subject may object at any time, on grounds relating to his or her particular situation, to processing carried out in the public interest or in the exercise of official authority vested in the ASF; the ASF shall then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or unless the purpose is the establishment, exercise or defence of a legal claim.
  7. Right to data portability - this right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the ASF.
  8. The right to lodge a complaint - the person dissatisfied with the response/conduct of the ASF with regard to the protection of personal data may address the National Authority for Personal Data Protection and subsequently the courts;
  9. Right to withdraw consent - in cases where processing is based on consent, consent may be withdrawn at any time. Withdrawal of consent will only have effect for the future; the processing carried out prior to the withdrawal will remain valid.

The person concerned may exercise these rights, either individually or cumulatively, by sending a written request, dated and signed, to the headquarters of the A.S.F. in Bucharest, Splaiul Independenței no. 15, Sector 5, by fax: 021.659.60.51, 021.659.64.36 or by e-mail: office@asfromania.ro

In addition, a Data Protection Officer ("DPO") has been appointed at ASF level, who can be contacted if there are any queries on any aspect of personal data protection by sending a written, dated and signed request to the following contact details: Bucharest, Splaiul Independenței, nr. 15, Sector 5 or e-mail: dpo@asfromania.ro.

It is important to note that the scope of the obligations and rights set out in GDPR Regulation No 679/2018 (as provided for in Article 23) may be restricted by legislative measures in European or national law that apply to the data controller or processor, while respecting the essence of fundamental rights and freedoms and insofar as the restriction constitutes a necessary and proportionate measure in a democratic society.