Print

Personal data protection Policy

Published on July 17, 2019

The Autorité des Marchés Financiers (hereinafter also referred to as “the AMF”) ensures compliance with European Regulation n° 2016/679 on the protection of natural persons with regard to the processing of personal data (“GDPR”) and with the French Data Protection Act No. 78-17 of 6 January 1978, the provisions of which have been rewritten by Order No. 2018-1125 of 12 December 2018.

The Personal Data Protection Policy (hereinafter the "Policy") sets out the information relating to the personal data (hereinafter the "data") processed by the AMF, the purposes and basis for such processing, the sharing of such data with third parties, your rights relating to your data and the security measures put in place by the AMF to protect such data.

Scope

This Policy applies to data collected directly or indirectly within the framework of the AMF's missions and to data collected via the www.amf-france.org website (hereinafter the "AMF Website").

Data controller

The Autorité des Marchés Financiers (the AMF) (17 place de la Bourse 75002 Paris) is the data controller for your data. This means that the AMF determines the purposes of and means by which your data are processed.

The AMF has appointed a Data Protection Officer (DPO) who is your point of contact for all questions or requests relating to the processing of your data. You will find the contact details of the DPO below in the section “What are your rights and how to exercise them”.

Origin of the Data processed

The AMF is an independent public authority whose missions consist of ensuring the protection of savings invested in financial instruments, overseeing investor information and ensuring the proper functioning of markets in financial instrument (Article L. 621-1 of the French Monetary and Financial Code).

Within the framework of its missions, the AMF collects your data in several ways:

1. Data that you have provided yourself

  • for the performance of public interest duties or in the exercise of the public authority vested in the AMF: this includes, inter alia, personal data that you provide to us pursuant to a legal provision (for example, request for approval, examination of an approval for a financial transaction, an investigation or audit, monitoring of threshold crossing, short selling, etc.);
  • by subscribing to a newsletter or filling out a contact form on the AMF Website (for example, you wish to submit a complaint to the AMF Ombudsman); to know how audience measurement cookies are used on this website, please go to the “Legal Notice” section;
  • for an appointment with the AMF: this concerns data that you are required to enter on the visitor record sheet;
  • by taking part in a public consultation: this is data that identifies you, your function and other data that may be transmitted during public consultations organised by the AMF, primarily on draft legislation;
  • by entering into a contract with us: this is data that you provide to the AMF in a contractual context;
  • in the context of a notification of possible regulatory breaches (whistleblower): this consists of data such as your contact details and other data, communicated on this occasion (except if you choose to remain anonymous and you are effectively not identifiable).

2. Data obtained from third parties

Data may be obtained from third parties (investment services providers, electronic communications operators, Tracfin, etc.) as part of public interest duties and the exercise of the AMF’s public authority. It includes, for example:

  • transaction data provided to the AMF as part of its oversight duties pursuant to Article 26 of Regulation No. 600/2014 on markets in financial instruments;
  • data that are provided to the AMF within the framework of an investigation or an inspection.

For what purposes and on what does the AMF use your personal data?

The AMF collects, stores and uses your data:

  • for the purpose of complying with a legal obligation to which the AMF is subject, or for the purpose of carrying out its public interest missions listed in Article L. 621-1 of the French Monetary and Financial Code, or other duties assigned to it by all other provisions of national and European law and for the purpose of exercising the public authority with which it has been entrusted;
  • based on your consent;
  • on the basis of pre-contractual measures or the performance of a contract that the AMF has entered into with you or the entity for which you work, in order to provide us with all the information needed to take the decision to enter into a contract or to be able to communicate with you within the framework of the provision of services;

Time limit for storing personal data

The AMF keeps the data collected for as long as is strictly necessary for the purpose of the data processing and within the limits provided for by European and national legislation if it allows for a longer storage period. For example, data collected in the context of the approval and monitoring of market participants and asset management players are kept for 10 years after the end of the activity.

Data sharing

The AMF processes data only for the specific purposes for which they were collected or for purposes compatible with them, in accordance with the rules on further processing of data laid down in European and national regulations on the processing of personal data. The collected data are under no circumstances used for commercial purposes.

The AMF may share your data:

  • with investment services providers or companies established in France. Access by these services providers or companies to your data will be limited to what is strictly necessary for the AMF to carry out its duties;
  • in the case of derogations from Law No. 68-678 of 26 July 1968 on the disclosure of documents and information of an economic, commercial, industrial, financial or technical nature ("blocking law"), with institutions provided for by the French Monetary and Financial Code, such as:[1] the Banque de France, the Autorité de Contrôle Prudentiel et de Résolution (ACPR), the Haut Conseil du Commissariat aux Comptes (H3C), the European Securities and Markets Authority (ESMA), European and foreign (non-EU) authorities exercising similar powers, the International Organisation of Securities Commissions (IOSCO), the Financial Stability Board (FSB), the Bank for International Settlements (BIS) or the International Monetary Fund (IMF);
  • to report to the Public Prosecutor a crime or misdemeanour of which it is aware, pursuant to Article L. 621-20-1 of the French Monetary and Financial Code;
  • to respond to a request from the judiciary authorities acting in the case of criminal proceedings (Art. L. 621-4 of the French Monetary and Financial Code);
  • in the event of the transfer of investigative material to the National Financial Prosecutor (PNF), in accordance with the referral procedure specified in Article L. 465-3-6 of the French Monetary and Financial Code;
  • in administrative or judicial appeals against acts or decisions by the AMF and in all other proceedings to which the AMF is party.

In the case of data provided to it by a whistleblower, the AMF may only transmit such data to a third party under the conditions provided for in the Sapin 2 Act No 2016-1691 of 9 January 2016 and Instruction No 2018/13 specifying the procedural rules applicable to the receipt and processing of reports of offences.

[1] Articles L. 631-1, L. 631-2-1, L. 621-21-1, L. 632-1, L. 632-4, 632-6-1, L. 632-16 and the article L. 632-11-2 of the French Monetary and Financial Code.

Data transfers outside the European economic area

How and why does the AMF process your personal data

Given the international dimension of our oversight and investigation missions, the AMF may transfer your personal data to its counterparts located in the European Economic Area (EEA) and outside the EEA.

As a matter of principle, the AMF collects and processes personal data solely for the purpose of carrying out the duties entrusted to it, pursuant to Article L. 621-1 of the Monetary and Financial Code.

In the context of international cooperation with its foreign counterparts, the AMF undertakes to implement the guarantees set out in the Administrative Arrangement of 7 January 2019 for the transfer of personal data among the financial supervisory authorities of the European Economic Area (EEA) and the financial oversight authorities of non-EEA countries, without prejudice to the European Commission’s adequacy decisions with respect to certain  countries.[2]

In particular, when the AMF collects and processes personal data transferred in accordance with the Administrative Arrangement, it guarantees that it will:

  • only transfer adequate and relevant personal data limited to what is necessary for the purposes for which they are transmitted and subsequently processed;
  • have the appropriate technical and organisational measures in place to protect the personal data that have been sent to it against any unauthorised or unlawful processing and against their destruction, loss, modification or unauthorised disclosure;
  • keep the personal data for a period that is no longer than what is relevant and necessary for the purposes for which they are processed;
  • not take any decision, including profiling, with regard to a natural person solely on the basis of the automated processing of personal data, without human intervention;
  • not disclose your personal data for other purposes, in particular for commercial or marketing purposes.

What are your guarantees as regards the Administrative Arrangement?

With regard to the personal data transferred under the Administrative Arrangement, you may send a written request to the AMF in order to be informed by the AMF about the processing of your personal data, to access them, correct any inaccurate or incomplete personal data, as well request for their deletion, the limitation of their processing, or oppose their processing:

Nevertheless, due to the sensitive nature of our public interest mission and the professional secrecy to which we are bound, these guarantees could be limited in certain situations, in particular when they are likely to compromise the purposes of the processing operations concerned (Article 14(5)(b) of the GDPR), when they affect the professional secrecy to which the AMF is subject (Article 14(5)(d) of the GDPR and Articles L. 621-4 and L. 612-24 of the French Monetary and Financial Code) or when they compromise our oversight and enforcement actions (Article 48 of the French Data Protection Act).

In each case, the AMF will assess whether the restriction imposed is appropriate. The restriction imposed should be necessary and provided for by law, and will be maintained only for as long as the reason for the restriction remains.

What remedy do you have?

If you consider that your personal data have not been used in accordance with these guarantees, you may make a complaint to the authority that transferred the data, the authority receiving the data or both authorities. To do this, you can contact the AMF’s Data Protection Officer, whose contact details are given below. In this case, the authorities concerned shall endeavour to settle the complaint or dispute amicably as soon as possible.

Should the dispute remain unresolved, other means may be used to resolve it, unless the request is manifestly unfounded or excessive. These means include participation in mediation, as well as in other non-binding dispute resolution procedures initiated by the natural person or authority concerned.

Should the dispute fail to be resolved by cooperation of the authorities, mediation or by other non-binding dispute resolution procedures, and if the AMF considers that the receiving authority has not acted in accordance with the guarantees set out in the Administrative Arrangement, it will suspend the transfer of personal data to this authority, until it considers that the issue raised has been satisfactorily resolved by the receiving authority and will inform you accordingly.

Contact

For all questions or requests for information about these recourses, you may contact the AMF:

[2] Non-EEA countries recognised as presenting equivalent guarantees are: Switzerland, Argentina, Faroe Isles, Guernsey, Israel, Japan, Isle of Man, Jersey, New Zealand and Uruguay (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en)

Protection of personal data

The AMF implements technical and organisational security measures to protect your data and to prevent all destruction, loss, alteration or modification, as well as any unauthorised access or disclosure, whether accidental or illegal.

Pursuant to Article L. 621-4 of the French Monetary and Financial Code, AMF staff and employees are bound by professional secrecy and may not disclose to any person or authority whatsoever the confidential information of which they have become aware (subject, however, to the exceptions mentioned in the answer to the “With whom do we share your data?” question in this Policy).

The AMF also asks its service providers who process data on its behalf to take the necessary security measures.

What are your rights and how can you exercise them ?

Under the GDPR, you have the rights specified in Articles 12 to 21 of the GDPR.

However, given the sensitive nature of our public interest mission and the professional secrecy to which we are bound, the exercise of these rights is likely to compromise the purposes of the processing operations concerned. Your guarantees may therefore be limited in certain situations in accordance with Article 14(5)(b) and (d) of the GDPR, Article 48 of the French Data Protection Act and Articles L. 621-4 and L. 612-24 of the French Monetary and Financial Code, for example for reasons of professional security or the proper conduct of an investigation.

Except in these cases, you may, at any time exercise your right of access to your personal information in order to complete, modify, correct, delete or oppose its processing for legitimate reasons in accordance with applicable data protection laws.

You may also sometimes request that the processing of your data be limited and, in some cases, you may ask us to transfer your data (if this is technically possible and within the limits of the AMF’s professional secrecy obligations) or to send them to another processing officer.

When the processing of your data is based on your consent, you may withdraw your consent at any time. This withdrawal will not affect the validity of the processing of your data prior to the withdrawal.

If you wish to exercise these rights, you must send a request with a copy of your ID card, passport or any other identity document:

We ask you for proof of your identity in order to ensure that we respect your data and do not send it to a third party.

If you contact us to exercise your rights, we will inform you within one month as from the receipt of your request of the action taken on it. If necessary, this period may be extended by two months, taking into account the complexity and number of requests (Article 12(3) of the GDPR). In this case, we will inform you within one month as from the receipt of your request. We reserve the right not to respond to request that are clearly unfounded or excessive. Your request will be kept as long as an appeal is possible.

At any time, if you consider that your rights have not been respected, you may also file a complaint with the French Data Protection Committee (Commission Nationale Informatique et Libertés, CNIL).

 

Page top

Legal information
Head of publications: The Executive Director of AMF Communication Directorate.
Contact: Communication Directorate – Autorité des marches financiers 17 place de la Bourse – 75082 Paris cedex 02