Article 6 Organisational requirements regarding outsourcing

  1. (1)

    Where a data reporting services provider arranges for activities to be performed on its behalf by third parties, including undertakings with which it has close links, it shall ensure that the third party service provider has the ability and the capacity, to perform the activities reliably and professionally.

  2. (2)

    A data reporting services provider shall specify which of the activities are to be outsourced, including a specification of the level of human and technical resources needed to carry out each of those activities.

  3. (3)

    A data reporting services provider that outsources activities shall ensure that the outsourcing does not reduce its ability or power to perform senior management or management body functions.

  4. (4)

    A data reporting services provider shall remain responsible for any outsourced activity and shall adopt organisational measures to ensure:

    1. (a)

      that it assesses whether the third party service provider is carrying out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and adequately addresses identified failures;

    2. (b)

      the identification of the risks in relation to outsourced activities and adequate periodic monitoring;

    3. (c)

      adequate control procedures with respect to outsourced activities, including effectively supervising the activities and their risks within the data reporting services provider;

    4. (d)

      adequate business continuity of outsourced activities;

    For the purposes of point (d), the data reporting services provider shall obtain information on the business continuity arrangements of the third party service provider, assess its quality and, where needed, request improvements.

  5. (5)

    A data reporting services provider shall ensure that the third party service provider cooperates with the competent authority of the data reporting services provider in connection with outsourced activities.

  6. (6)

    Where a data reporting services provider outsources any critical function, it shall provide the competent authority with:

    1. (a)

      the identification of the third party service provider;

    2. (b)

      the organisational measures and policies with respect to outsourcing and the risks posed by it as specified in paragraph 4;

    3. (c)

      internal or external reports on the outsourced activities.

    For the purpose of the first sub paragraph 6, a function shall be regarded as critical if a defect or failure in its performance would materially impair the continuing compliance of the data reporting services provider with the conditions and obligations of its authorisation or its other obligations under the Data Reporting Services Regulations 2017.