Article 30 Outsourcing

GL

1.  Where a CSD outsources services or activities to a third party, it shall remain fully responsible for discharging all of its obligations under this Regulation and shall comply at all times with the following conditions:

(a) outsourcing does not result in the delegation of its responsibility;

(b) the relationship and obligations of the CSD towards its participants or issuers are not altered;

(c) the conditions for the authorisation of the CSD do not effectively change;

(d) outsourcing does not prevent the exercise of supervisory and oversight functions, including on-site access to acquire any relevant information needed to fulfil those functions;

(e) outsourcing does not result in depriving the CSD of the systems and controls necessary to manage the risks it faces;

(f) the CSD retains the expertise and resources necessary for evaluating the quality of the services provided, the organisational and capital adequacy of the service provider, for supervising the outsourced services effectively and for managing the risks associated with the outsourcing on an ongoing basis;

(g) the CSD has direct access to the relevant information of the outsourced services;

(h) the service provider cooperates with the competent authority and the relevant authorities in connection with the outsourced activities;

(i) the CSD ensures that the service provider meets the standards set down by the relevant data protection law which would apply if the service providers were established in the Union. The CSD is responsible for ensuring that those standards are set out in a contract between the parties and that those standards are maintained.

2.  The CSD shall define in a written agreement its rights and obligations and those of the service provider. The outsourcing agreement shall allow the CSD to terminate the agreement.

3.  A CSD and a service provider shall make available upon request to the competent authority and the relevant authorities all information necessary to enable them to assess the compliance of the outsourced activities with the requirements of this Regulation.

4.  The outsourcing of a core service shall be subject to authorisation under Article 19 by the competent authority.

5.  Paragraphs 1 to 4 shall not apply where a CSD outsources some of its services or activities to a public entity and where that outsourcing is governed by a dedicated legal, regulatory and operational framework which has been jointly agreed and formalised by the public entity and the relevant CSD and agreed by the competent authorities on the basis of the requirements established in this Regulation.