SBSE-A/A
    
      
        
          0001114446
          XXXXXXXX
        
      
      
        true
        false
      
    
  
  
    
      
        338960
        UBS AG
        00-0000000
        338960
        0001114446
        BFM8T61CT2L1QCEMIK50
        
          BAHNHOFSTRASSE 45
          ZURICH
          V8
          CH 8001
        
        
          600 WASHINGTON BLVD.
          STAMFORD
          CT
          06901
        
        203-719-5241
        www.ubs.com
        
          
            Andrew
            Weg
          
          Executive Director
          12128826829
          andrew.weg@ubs.com
        
        
          
            Richard
            Kennedy
          
          Chief Compliance Officer
          442075684476
          richard.kennedy@ubs.com
        
      
      
        UBS AG
        338960
        Y
        N
        N
        Y
        Swiss Financial Markets Supervisory Authority
        UBS AG will satisfy the conditions the Commission has placed on UBS AG through its Order Granting Conditional Substituted Compliance in Connection With Certain Requirements Applicable to Non-U.S. Security-Based Swap Dealers Subject to Regulation in the Swiss Confederation, dated October 8, 2021, by complying with the relevant Swiss law provisions in accordance with its established policies and procedures and, to the extent necessary, by updating such policies and procedures.
        Y
        Swap Dealer
        N
        UBS AG is incorporated and domiciled in Switzerland and operates under art. 620ff. of the Swiss Code of Obligations as an Aktiengesellschaft, a corporation limited by shares. According to article 2 of the articles of association of UBS AG dated April 26, 2018, the purpose of UBS AG is the operation of a bank. Its scope of operations extends to all types of banking, financial, advisory, trading and service activities in Switzerland and abroad. UBS AG may establish branches and representative offices as well as banks, finance companies and other enterprises of any kind in Switzerland and abroad, hold equity interests in these companies, and conduct their management. UBS AG is authorized to acquire, mortgage and sell real estate and building rights in Switzerland and abroad. UBS AG may borrow and invest money on the capital markets. UBS AG is part of the group of companies controlled by the group parent company UBS Group AG.
        Y
        The Federal Reserve Board
        N
        N
        Y
        Y
      
      
        UBS AG
        338960
        Y
        Y
        Y
        Y
        N
        Y
        20
        N
      
    
    
      UBS AG
      338960
      
        
          Christopher
          M
          Leone
        
        Head of Global IB COO
        02/2019
        02/2019
        N
        301278
      
      
        
          Markus
          Ronner
        
        Group Chief Compliance and Governance Officer
        11/2018
        05/1981
        N
        518327
      
      
        
          Thomas
          Naratil
        
        Co-President Global Wealth Management and President
        01/2014
        07/1983
        N
        75619
      
      
        
          GEORGE
          ATHANASOPOULOS
        
        Co-Head Global Markets
        07/2013
        07/2010
        N
        451077
      
      
        
          Jason
          Baron
        
        Co-Head Global Markets
        03/2015
        10/1993
        N
        523561
      
      
        
          Beatriz
          Martin
          Jimenez
        
        Group Treasurer & UK Chief Executive
        03/2016
        11/2012
        N
        486000
      
      
        
          Robert
          Brooks
          Karofsky
        
        President Investment Bank
        10/2018
        12/2014
        N
        259774
      
      
        
          Rosalyn
          Zoe
          Lesperance
        
        Co-Head Global Banking
        09/2014
        09/2014
        N
        480988
      
      
        
          David
          Chin
        
        Head of IB APAC & China Country Head
        03/2018
        08/2017
        N
        510864
      
      
        
          FRANCISCO
          JAVIER
          OFICIALDEGUI
        
        Co-Head Global Banking
        03/2019
        07/2012
        N
        510863
      
      
        
          SIMON
          ROBERT
          SEDGWICK
        
        Non Core Strategy & Business Management
        03/2017
        08/2010
        N
        523590
      
      
        
          Dan
          Folke
          Persson
        
        Chief Risk Officer IB & NC&L & MTRC Group Head
        03/2014
        11/2006
        N
        523560
      
      
        
          Darryll
          Hendricks
        
        Americas COO
        09/2005
        09/2005
        N
        523559
      
      
        
          Catherine
          Ann
          Newcomb
        
        Co-Head GWM COO
        03/2011
        12/1984
        N
        515486
      
      
        
          Richard
          Saint John
          Kennedy
        
        Head C&ORC IB / UK
        03/2012
        03/2000
        N
        517849
      
      
        
          Ralph
          Adrianus Joseph Gerardus
          Hamers
        
        Group Chief Executive Officer
        11/2020
        09/2020
        N
        0534107 (not yet active) ING, 1991 to June 2020, final position CEO and Chairman Executive Board ING Group
      
      
        
          Iqbal
          Khan
        
        Co-President Global Wealth Management and President UBS EMEA
        10/2019
        10/2019
        N
        0532827 (not yet active) Credit Suisse AG, June 2013-June 2019, final position CEO International Wealth Management Ernst & Young AG, February 2001-2011, final position Industry Lead Partner Banking and Capital Markets, Private Banking Switzerland and EMEA
      
      
        
          Daniel
          Paul
          Rosenthal
        
        IB Head of Risk and Resource Management
        03/2021
        04/1996
        N
        0532828 (not yet active) 09/1992 to 04/1996: Chartered Accountant at Arthur Andersen
      
      
        
          David
          Howe
          Kelly
        
        GC Americas and Head, GC Transactions & Disclosure
        02/1992
        02/1999
        N
        0540729 (not yet active) No prior positions before joining UBS
      
      
        
          Paul
          Daniel
          Ritchie
        
        Head of Group Treasury Operating Office
        03/2020
        01/1999
        N
        0543433 (not yet active) No prior positions before joining UBS
      
    
    
      UBS AG
      338960
      AMENDED
      
        BFM8T61CT2L1QCEMIK50
        Commodities Futures Trading Commission
        UBS AG, is licensed as a bank in Switzerland and operates branches licensed in the United States and other jurisdictions. UBS provides a full range of banking services and is provisionally registered with the Commodities Futures Trading Commission as a swap dealer.
      
      
        
          
            Item 13A
            Ernst & Young AG
            
              Aeschengraben 27
              Basel
              V8
              CH-4002
            
            01-01-2021
          
        
        
          
            Item 13B
            ICE Clear Credit LLC
            
              353 North Clark Street, Suite 3100
              Chicago
              IL
              60654
            
            07-16-2011
          
          
            Item 13B
            ICE CLEAR EUROPE LIMITED
            
              5th floor Milton Gate, 60 Chiswell St
              London
              X0
              EC1Y 4SA
            
            06-27-2012
          
        
        
          
            Item 14
            UBS Group AG
            0001610520
            
              Bahnhofstrasse 45
              Zurich
              V8
              8001
            
            06-10-2014
          
          
            Item 14
            
              Ralph
              Hamers
            
            
              Bahnhofstrasse 45
              Zurich
              V8
              8001
            
            01-11-2020
            Mr. Hamers is the President of the Executive Board and the CEO of the parent company.
            ING, 1991 to June 2020, final position CEO and Chairman Executive Board ING Group (see also attached documentation)
          
          
            Item 14
            
              Christian
              Bluhm
            
            
              Bahnhofstrasse 45
              Zurich
              V8
              8001
            
            01-01-2016
            Mr. Bluhm is the Chief Risk Officer.
            He joined UBS from FMS Wertmanagement, where he had been Chief Risk & Financial Officer since 2010 and Spokesman of the Executive Board from 2012 to 2015. From 2004 to 2009, he worked for Credit Suisse, where he was Managing Director responsible for Credit Risk Management in Switzerland and Private Banking worldwide. Mr. Bluhm was Head of Credit Portfolio Management until 2008 and then Head of Credit Risk Management Analytics & Instruments after the financial crisis in 2008. From 2001 to 2004, he worked for Hypovereinsbank in Munich in Group Credit Portfolio Management, heading a team that specialized in Structured Finance Analytics.
          
          
            Item 14
            
              Kirt
              Gardner
            
            
              Bahnhofstrasse 45
              Zurich
              V8
              8001
            
            05-01-2021
            Mr. Gardner is the Chief Financial Officer.
            Mr. Gardner was the UBS CFO Wealth Management from 2013 to 2015. Prior to that, he held a number of leadership positions at Citigroup, including CFO and Head of Strategy within Global Transaction Services from 2010 to 2013, Head of Strategy, Planning and Risk Strategy for the Corporate and Institutional Division from 2006 to 2010 and Head of Global Strategy and Cost Management for the Consumer Bank from 2004 to 2006. Prior to that, Mr. Gardner held the position of Global Head of Financial Services Strategy for BearingPoint, for which he worked in Asia and New York for four years.
          
        
        
          
            Item 15
            UBS Group AG
            0001610520
            
              Bahnhofstrasse 45
              Zurich
              V8
              8001
            
            06-10-2014
          
        
      
    
    
      UBS AG
      338960
      
        Firm
        UBS AG, Stamford Branch
        
          600 Washington Boulevard
          Stamford
          CT
          06901
        
      
      Richard Kennedy
      Richard Kennedy
      Chief Compliance Officer
      10-29-2021
      
        Australian Securities and Investment Commission
        AFSL 231087
        C3
      
      
        Cayman Islands Monetary Authority
        98020
        E9
      
      
        Dubai Financial Services Authority
        F000321
        C0
      
      
        Financial Conduct Authority
        186958
        X0
      
      
        Financial Sector Conduct Authority
        T3
      
      
        Financial Services Agency
        1232 2723 605
        M0
      
      
        Hong Kong Monetary Authority
        003
        K3
      
      
        Jersey Financial Services Commission
        DC0182 FSB0866 IB0132 MSB0121
        Y9
      
      
        Monetary Authority Singapore
        U0
      
      
        Swiss Financial Market Supervisory Authority
        V8
      
    
    
      05-20-2022
      UBS AG
      Robert Karofsky
      Robert Karofsky
      President, UBS Investment Bank
    
  




UBS AG London Branch
5 Broadgate
London
EC2M 2QS
 
Allen & Overy LLP
52, avenue Hoche
75379 Paris Cedex 08
Tel +33 (0)1 40 06 54 00
Fax +33 (0)1 40 06 54 54
Our ref 0036335-0000808
29 October 2021
Dear Sir or Madam
 
UBS SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).
1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 to 3.5 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).
1.3 UBS Europe SE FR is a branch of UBS Europe SE incorporated in Germany and authorized to provide services in Germany and France (among other jurisdictions).

We understand that French Branch of UBS Europe SE (UBS ESE FR) and respectively “associated persons”[2] employed by it are effecting SBS Transactions in the name and for the account of UBS AG (SBS Transactions). These SBS Transactions, being entered into with UBS AG, are booked with UBS AG, London Branch, and the underlying relevant clients are clients of UBS AG, London Branch.

Accordingly, UBS ESE FR will maintain certain Covered Books and Records in UBS ESE FR on behalf of UBS AG.

Given that UBS ESE FR is acting in the name and for the account of UBS AG, UBS ESE FR and UBS AG have agreed that in the context of UBS AG’s business as an SBSD, the Covered Books and Records in relation to the SBS Transactions will be shared with UBS AG, London Branch, in London, in particular for group-risk management purposes.
 
1.4 You have asked us to issue an opinion affirming that under applicable French law, UBS ESE FR can share with and make available to UBS AG, London Branch the Covered Books and Records in relation to the SBS Transactions, such that this information will be held by UBS AG, London Branch, in London.
[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
[2] We do not give any views regarding this assumption.
 
1.5 This opinion is structured as follows:
(a) Section 2: Summary of opinion;
(b) Section 3: Scope, assumptions and qualifications;
(c) Section 4: Revisions to applicable law;
(d) Section 5: Reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.
2. SUMMARY OF OPINION

2.1 Subject to the assumptions and qualifications below, it is our opinion that UBS ESE FR can, as a matter of applicable French law, share with and make available to the London Branch of UBS AG, the Covered Books and Records in relation to the SBS Transactions.
Data Protection[3]

2.2 Disclosure of personal data (particularly special categories of data or criminal data) relating to UBS ESE FR’s counterparties and staff are subject to certain restrictions under the Data Protection Laws, particularly where it involves a cross-border transfer to a country or territory the EU has not found to have an ‘adequate’ data protection regime (bearing in mind that the UK has now been recognised as being an ‘adequate’ territory for the transfer of personal data). In addition, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers that would be available to UBS ESE FR, should UBS AG, London Branch require UBS ESE FR to disclose Covered Books and Records containing personal data to UBS AG London Branch for the purposes of risk management.

2.3 Our view is that the ‘legitimate interests’ legal basis for processing personal data would provide an applicable ground under the EU GDPR, to enable the disclosure of Covered Books and Records to UBS AG London Branch for the purpose of risk management.
 
Secrecy Rules

2.4 Article L. 511-33 et seq. of the French Monetary and Financial Code (the MFC) govern the disclosure by a credit institution, inter alia, of confidential information regarding any existing or former customer (the Secrecy Rules).

2.5 The Secrecy Rules notably apply to branches of credit institutions operating in France under a European passport, such as UBS ESE FR.

2.6 Information protected under the Secrecy Rules generally includes any information received by credit institutions in the course of their activities, provided that such information is sufficiently confidential and specific. The scope of the Secrecy Rules is broad and includes any information related to a customer, including their name and any details regarding their assets, debts, transactions or operations carried out on their account (even transactions contemplated but not executed).

2.7 French law provides for a few exceptions to the Secrecy Rules, including for risk management and consolidated supervision purposes of institutions established in France, in the event of a written and case-specific waiver from the customer or of a request from French criminal or regulatory authorities.
 
[3] Please refer to section of for definitions of Data Protection Laws, EU GDPR, and the French Data Protection Act.
 
2.8 Failing any such exceptions, breaches of the Secrecy Rules could result in criminal and regulatory sanctions and trigger risks of civil litigation.

2.9 We consider that Secrecy Rules do not prevent UBS ESE FR from sharing with and making available to the London branch of UBS AG, the Covered Books and Records in relation to the SBS Transactions.
Blocking Statute

2.10 The French Statute No. 68-678 dated 26 July 1968, as amended, governs the request, search for or disclosure of information of an economic, commercial, industrial, financial or technical nature, with a view to establishing evidence in foreign judicial or administrative proceedings or in relation thereto (the Blocking Statute).

2.11 As its title suggests, the Blocking Statute applies to documents or information of an economic, commercial, industrial, financial or technical nature that are located in France. It prohibits the request, investigation or communication of such documents or information in the context or with a view to foreign administrative or judicial proceedings.

2.12 Breaches of the Blocking Statute may lead to criminal sanctions and trigger risks of civil litigation.

2.13 We consider that the Blocking Statute does not prevent UBS ESE FR from sharing with and making available to the London branch of UBS AG, the Covered Books and Records in relation to the SBS Transactions.
 
Privacy and Human Rights

2.14 Protection for the general fundamental right to respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in France. However, it is to be highlighted that, in France, if legal persons have a right to see their correspondence protected, only natural persons can rely on / benefit from a right to privacy[4].

2.15 Actions in respect of Article 8 of the ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the Data Protection Laws.

2.16 Article 8 ECHR is, as it were, the legal foundation on which the GDPR has been based. The GDPR is detailing the fundamental right laid down in Article 8 of the ECHR. Thus, Article 8 ECHR and the GDPR are intertwined with each other. As long as the provision of information by UBS ESE FR to the London branch of UBS AG falls entirely within the scope of and is in compliance with the Data Protection Laws, we consider the general fundamental right set out in Article 8 of the ECHR will be protected.

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE FR in France.

3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion.
 
[4] Cour de Cassation (French Supreme Court), Civ 1ère, 17 March 2016
 
3.3 This opinion only covers the provision and sharing by UBS ESE FR to UBS AG, London Branch, of the Covered Books and Records held in France by UBS ESE FR in relation to the SBS Transactions.

Covered Books and Records include only those books and records which:
(a) relate to the US business[5] of the non-resident SBSD.[6] These are the records that relate to an SBS Transaction that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[7] (US Person) (other than an SBS conducted through a foreign branch of such US Person[8]); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[9] or
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[10]
 
3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.
3.5 This opinion covers data relating to SBS Transactions concluded between UBS AG, London Branch through UBS ESE FR employees qualifying as associated persons. These SBS Transactions will only be concluded by authorised UBS ESE FR personnel, with UBS ESE FR acting in the name and for the account of UBS AG, London Branch. The Covered Books and Records in relation to those SBS Transactions will be, as agreed between UBS ESE FR and UBS AG, London Branch, also held in London.

This opinion only covers SBS Transactions entered into by UBS AG where UBS ESE FR is acting in the name and for the account of UBS AG. This opinion does not cover data relating to SBS Transactions concluded between UBS ESE FR and its own counterparties (even though UBS ESE FR may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).
3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.8 No opinion is expressed on matters of fact.
 
[5] As defined in 17 CFR § 240.3a71-3(a)(8).
[6] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).
[7] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).
[8] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).
[9] 17 CFR § 240.3a71-3(a)(8)(i)(B).
[10] The requirement set out in this paragraph does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see Assumption set out in
4. REVISIONS TO APPLICABLE LAW

4.1 This opinion relates solely to French law and European Union (EU) law that is directly applicable in France (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
Yours faithfully,

Allen & Overy LLP
ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (EU GDPR), and the Act n°78-17 of 6 January 1978 on information technology, data files and civil liberties as modified (French DPA) (together, the Data Protection Laws) will apply to UBS ESE FR’s disclosure of Covered Books and Records to UBS AG London Branch for the purpose of risk management, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, and may therefore extend to information on UBS ESE FR’s staff and US Person counterparties of UBS AG, London Branch with whom UBS ESE FR concludes SBS Transactions.
 
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE FR’s disclosures of Covered Books and Records, the laws applicable to these data have not been considered in detail in this opinion.
1.3 Key restrictions in the Data Protection Laws relating to UBS ESE FR’s ability to disclose personal data to UBS AG, London Branch are set out below.

Legal basis for the disclosure

1.4 UBS ESE FR requires a legal basis under Article 6 of the EU GDPR to disclose personal data to UBS AG London Branch. Data cannot be disclosed, should such disclosure breach another legal requirement under applicable French law (e.g. the Secrecy Rules – please see section 2). Whilst there are a number of Article 6 legal bases on which UBS ESE FR may seek to rely, none on its own is so comprehensive as to cover all actions falling within the scope of risk management activities. UBS ESE FR will therefore need to consider the most appropriate legal basis to apply to any given situation.
1.5 The Article 6 legal bases that seem the most relevant and applicable to UBS ESE FR, together with their respective limitations, are as follows:

(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes. As a practical matter, in France, it would be very difficult to establish that consent is freely given where information relates to UBS ESE FR staff, in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE FR offers its staff a genuine choice over how the data is used, and will only continue to be an appropriate legal basis if UBS ESE FR also offers its staff the opportunity to withdraw consent at any time.

Consent might therefore not generally be considered as a valid legal basis for disclosure and UBS ESE FR should rely on an alternative basis for disclosure (e.g. the legitimate interests). Please note that valid consent is assumed at Assumption 5.
(b) Legitimate interests (Article 6(1)(f)): This is a more flexible legal basis for processing that can apply to a multitude of business purposes, including with a view to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE FR must:
(i) identify its, or a third party’s (e.g. UBS AG, London Branch’s) legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with UBS AG, London Branch’s disclosure request;
(ii) show that the disclosure of documents to UBS AG, London Branch is necessary for achieving these interests; and
(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own.
If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE FR or the third party.
An individual has the right to object to the disclosure of their personal data to UBS AG, London Branch under this basis for processing, and UBS ESE FR would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.
The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE FR may argue that its interests are not outweighed by those of the US Person counterparties of UBS AG, London Branch with whom UBS ESE FR concludes SBS Transactions or UBS ESE FR’s employees on the basis that:
(A) US Person counterparties of UBS AG, London Branch with whom UBS ESE FR concludes SBS Transactions are aware, due to statements contained in their client terms of business with UBS AG, and due to their understanding as sophisticated investors, that client management (including risk management) will be conducted by UBS on a group-wide basis, and so certain information regarding their SBS Transactions, including in some cases their personal data, may be disclosed to UBS AG, London Branch; and
(B) the employees whose personal data may be disclosed to UBS AG, London Branch understand their role will involve risk management conducted by UBS AG, London Branch and understand that, as a result, certain of their personal data may be disclosed to UBS AG, London Branch.
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE FR is subject (Article 6(1)(c)): There must be a French nexus in order for UBS ESE FR to be able to rely on this legal basis. Article 6(3) requires that the legal obligation must be laid down by French or EU law, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE FR as the person subject to it.[11] We have not identified a relevant French or EU law obligation and so we do not consider that it is possible for UBS ESE FR to rely on this legal basis for the disclosure of personal data contained in the Covered Books and Records from a French data protection law perspective.
[11] Recital 41 EU GDPR.
1.6 It is possible that information contained in Covered Books and Records provided by UBS ESE FR to UBS AG, London Branch, including personal data, might be disclosed to the SEC in the course of the conduct of supervision of UBS AG, London Branch (in its capacity as an SEC-registered SBSD) by the SEC. In this context, it is also relevant that:
(a) Consent (Article 6(1)(a)): The considerations set out in paragraph 1.5(a) above relating to the validity of consent apply in this context.
(b) Legitimate interests (Article 6(1)(f)): In this context, to rely on the legitimate interests ground, UBS ESE FR must conduct the same balancing of competing factors as described in paragraph 1.5(b) above. In this context, it is relevant that:
(A) US Person counterparties of UBS AG, London Branch with whom UBS ESE FR concludes SBS Transactions are aware, due to statements contained in their client terms of business with UBS AG, of the US nexus when they engage in SBS Transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their SBS Transactions, including in some cases their personal data, to be disclosed to the SEC by UBS AG London Branch; and
(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their status as ‘associated persons’ for the purposes of SBS Transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS Transactions.
It is also relevant to this balancing of interests that:
(1) the SEC is expected to restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities, with the type and amount of personal data requested being targeted based on risk and related to specific transactions, accounts and employees;[12] and
(2) information, data and documents received by the SEC are expected to be maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws[13].
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE FR is subject (Article 6(1)(c)): For the same reason as described in paragraph 1.5(c) above, we do not consider that it is possible for UBS ESE FR to rely on this legal basis for the disclosure of personal data by UBS AG, London Branch to the SEC.
1.7 Based upon the above, the legitimate interests legal basis for processing is therefore likely to be the most appropriate Article 6 ground on which UBS ESE FR could rely in order to disclose personal data included in Covered Books and Records.
1.8 It is considered very unlikely that data included in Covered Books and Records provided to UBS AG, London Branch will include special categories of data. Further, UBS ESE FR might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, for an associated person who is not a US Person.[14] However, to the extent that this does occur, and such information is held by UBS ESE FR, in addition to an Article 6 legal basis, UBS ESE FR will need to establish an additional legal basis for processing under Article 9 of the EU GDPR and the French DPA if it discloses special categories of data to UBS AG, London Branch. Other than valid consent[15] and public interest, the Article 9 legal basis that may be applicable to disclosure of Covered Books and Records is processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f)). However, please note that there is no guidance from the French data protection authority (the “Commission Nationale de l’Informatique et des Libertés”) on the applicability of this particular legal basis and that it is uncertain whether this legal basis can be extended to this case.
[12] Please refer to Assumption in Annex 2, as well as Article IV of the Memorandum of Understanding Concerning Consultation, Cooperation and the Exchange of Information Related to the Supervision and Oversight of Certain Cross-Border Over-the-Counter Derivatives Entities In Connection with the Use of Substituted Compliance by Such Entities entered into among the SEC, the FCA and the PRA (the UK MoU).
[13] Please refer to Assumption in Annex 2, as well as Article VII of the UK MoU.
[14] As we understand is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
1.9 Similarly, processing of personal data relating to criminal convictions and offences is highly restricted, and such data can only be disclosed where this is authorised by a rule of EU law, by the French DPA or by other French laws or rules that have the force of law. In the absence of such authorisation by a rule of EU law, by the French DPA or by other French laws or rules – and we are aware of no such law or rule that would authorise this disclosure to UBS AG, London Branch – UBS ESE FR could not disclose these personal data to UBS AG, London Branch. In practice, this restriction on UBS ESE FR is dealt with by this information being provided and/or transferred directly by the individual (here, staff of UBS ESE FR) to the requesting party (here, UBS AG, London Branch).
Data protection principles
1.10 In addition to establishing a legal basis for the disclosure, UBS ESE FR would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the EU GDPR. For example, UBS ESE FR must:
(a) be transparent with those whose personal data is to be disclosed to UBS AG, London Branch, who must be provided with fair processing information (usually in the form of a privacy notice or statement);
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
1.11 UBS AG, London Branch is bound by the requirements of the EU GDPR (even though it is established outside the EEA),[16] as well as the General Data Protection Regulation 2016/679 as it forms part of “retained EU law” in the UK as defined in the UK’s European Union (Withdrawal) Act 2018 and the UK’s Data Protection Act 2018. Accordingly, UBS AG, London Branch must take these EU GDPR principles into account when requesting access to the Covered Books and Records (albeit that the responsibility remains with UBS ESE FR to ensure that its disclosures comply with all requirements under the Data Protection Laws and to implement its own compliance measures to that end).
[15] Article 9(2)(a) of the EU GDPR.
[16] Per Article 71 of the EU-UK Withdrawal Agreement, the EU GDPR remains applicable in the UK following the end on 31 December 2020 of the transition period effecting the UK’s exit from the EU in respect of the processing of personal data of data subjects outside the UK, provided that the personal data: (a) were processed under EU law in the UK before the end of the transition period; or (b) are processed in the UK after the end of the transition period on the basis of the EU-UK Withdrawal Agreement. In particular, EU GDPR applies in the absence of an adequacy decision made by the European Commission in respect of the UK. On 28 June 2021 the European Commission adopted adequacy decisions for the UK, including Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (the European Commission’s UK Adequacy Decision), thereby enabling the free-flow of personal data from the EU to the UK. However, for the first time, the adequacy decisions each include a so-called ‘sunset clause’, which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection. During these four years, the European Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.
International transfers
1.12 The general principle in the EU GDPR is that UBS ESE FR may not transfer personal data to a jurisdiction outside the EEA, unless it can satisfy a condition for the transfer as set out in Chapter V of the EU GDPR.
1.13 Article 45 of the EU GDPR allows for UBS ESE FR to transfer personal data to a recipient outside the EEA where the transfer is based on an adequacy decision of the European Commission. For the purposes of providing Covered Books and Records to UBS AG London Branch, the European Commission’s UK Adequacy Decision allows transfers of personal data from the EEA, including France, to the UK to be made freely. Any transfer from UBS ESE FR to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).
1.14 As noted above, it is possible that UBS AG, London Branch might share information provided to it by UBS ESE FR with the SEC. This might involve an international transfer of this personal data from the UK to the US. Where this occurs, such personal data would remain subject to the Data Protection Laws when held by UBS AG, London Branch and so an international transfer made by UBS AG, London Branch must comply with the Data Protection Laws.[17]
1.15 In this regard it is helpful that the European Commission’s UK Adequacy Decision addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR[18] and UK Data Protection Act 2018 is in substance identical to the transfer regime under the EU GDPR.[19] The primary options available to UBS AG London Branch under the Data Protection Laws when making such a transfer are set out below.
1.16 Derogations (Article 49)[20]: Where a transfer mechanism adopted by the European Commission in respect of a transfer of personal data to the US is not available (as is currently the case), a transfer or a set of transfers to the SEC of personal data contained in Covered Books and Records provided by UBS ESE FR to UBS AG London Branch may take place pursuant to a derogation under EU GDPR, provided that the conditions of such a derogation are met. These derogations include consent and legitimate interests, which are the derogations most likely applicable in this situation, together with their respective conditions.
(a) Consent: the data subject would have to explicitly consent to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. In practice, it would be very difficult to establish that consent is freely given where information relates to UBS ESE FR staff in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE FR offers its staff a genuine choice over how the data is used as part of the transfer, and will only continue to be a valid derogation if UBS ESE FR also offers its staff the opportunity to withdraw consent at any time. Consent should therefore not be considered as a valid derogation for disclosure of personal data relating to such staff and UBS AG, London Branch should rely on an alternative basis for transfers of personal data (e.g. the legitimate interests).
[17] Article 44 sent. 1, Recital 101 of the EU GDPR.
[18] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK (UK GDPR).
[19] Paragraph 2.5.7, recitals (74) and (75) of the European Commission’s UK Adequacy Decision.
[20] The European Data Protection Board has issued guidelines to provide guidance as to the application of Article 49 of the EU GDPR on derogations in the context of transfers of personal data to third countries.
(b) Legitimate interests: In case neither consent nor any of the other derogations is applicable, and if the transfer (i) is not repetitive, (ii) concerns only a limited number of data subjects, (iii) is necessary for the purposes of compelling legitimate interests pursued by UBS AG, London Branch, (iv) UBS AG, London Branch’s legitimate interests are not overridden by the interests or rights and freedoms of the data subjects, (v) UBS AG, London Branch has assessed all the circumstances surrounding the data transfer, and (vi) UBS AG, London Branch has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data, the legitimate interests derogation may be relied upon. In such a case, the controller shall, in addition to providing the information referred to in Articles 13 and 14 of the EU GDPR, inform the data subject of the transfer and of the compelling legitimate interests pursued.
Each of the consent and legitimate interest derogations needs to be applied on a case-by-case basis.[21]
1.17 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections of UBS AG, London Branch would not entail UBS AG, London Branch effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
2. SECRECY RULES
2.1 Article L. 511-33 et seq. of the MFC govern the disclosure by a credit institution, inter alia, of confidential information regarding any existing or former customer (the Secrecy Rules).
2.2 Articles L. 511-33 I and L. 511-34 of the MFC apply to branches of credit institutions operating in France under a European passport, pursuant to Article L. 511-24 5° of the MFC.
Scope of protection
2.3 Information protected under the Secrecy Rules generally includes any information received by credit institutions in the course of their activities, provided that such information is sufficiently confidential and specific. The scope of the Secrecy Rules is broad and includes any information related to a customer, including their name and any details regarding their assets, debts, transactions or operations carried out on their account (even transactions contemplated but not executed).
2.4 The Secrecy Rules apply equally to individual and corporate customers, including managers, employees and counterparts of corporate customers. Anonymized transaction data, which does not enable the direct or indirect identification of a customer, is not protected by the Secrecy Rules.
2.5 The view of most scholars and practitioners is that pursuant to the French principle of territoriality, the Secrecy Rules apply to information collected by institutions established in France in the course of their business relationships with a customer or potential customer, regardless of their citizenship. Thus, information collected by a French branch of a foreign credit institution operating under a European passport in France and transmitted to its foreign head office or another foreign branch remains covered by the Secrecy Rules.
Application and relevant exceptions
2.6 We understand that UBS ESE FR will be acting in the name and for the account of UBS AG, London Branch in relation to the SBS Transactions. In principle, information relating to the SBS Transactions carried out in the name and for the account of UBS AG, London Branch, by UBS ESE FR should be disclosed by UBS ESE FR to UBS AG, London Branch.
[21] Article 49(1) EU GDPR at sentence 1 paragraph (a) and sentence 2, respectively.
2.7 The information held by UBS ESE FR in relation to the SBS Transactions may contain details which do not need to be disclosed to UBS AG, London Branch or belong to UBS AG, London Branch (such as information pertaining to the US Person counterparty of UBS AG, London Branch), which may fall within the ambit of the Secrecy Rules applicable to UBS ESE FR.
Risk management and consolidated supervision
2.8 Pursuant to Article L. 511-34 of the MFC, institutions established in France belonging to a financial group are allowed to share certain information with foreign entities belonging to the same group, provided that the headquarters of these foreign entities are located in an EU or EEA Member State, or in a State whose authorities have entered into a cooperation agreement with the French Financial Markets Authority (the AMF) or the French Banking Regulator (the ACPR).
2.9 This exception to the Secrecy Rules is limited to information which is deemed necessary for the purposes of:
Supervising the group entities on a consolidated basis;
 
Assisting the fight against money laundering and terrorism financing;
 
Detecting and preventing market abuse; or,
 
Managing conflicts of interest.
2.10 To that extent, we note that:
 
UBS AG, London Branch and UBS ESE FR belong to the same group;
In relation to the SBS Transactions, UBS AG is subject to regulatory supervision by Swiss supervisory authorities (e.g. the Financial Market Supervisory Authority (FINMA)); for activities carried out in the London Branch of UBS AG, also by the UK supervisory authorities (the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)); and, pursuant to UBS AG’s status as an SEC-registered SBSD (which includes the activities of UBS AG, London Branch), the SEC;
UBS AG, London Branch, is located in the United Kingdom, whose authorities, for instance the PRA and the FCA, executed a MoU with the ACPR “to formalise supervisory cooperation and information sharing arrangements […] in order to promote the integrity, stability and efficiency of the supervised entities and financial system” on 10 April 2019[22].
The headquarters of UBS AG are located in Switzerland, whose authorities, for instance the Commission fédérale des banques (the predecessor to FINMA) executed a MoU with the Commission bancaire (the predecessor to the ACPR) with a view “to cooperate and exchange all relevant information for the effective supervision of supervision of financial markets and banking and financial institutions”, on 2 December 2002[23];
UBS ESE FR will be effecting SBS Transactions in the name and for the account of UBS AG, London Branch, which may give rise to a variety of risks, including potential money laundering, market abuse or conflict of interest risks.
[22] Available on the FCA website: https://www.fca.org.uk/publication/mou/mou-acpr-boe-fca.pdf.
[23] Available on the ACPR’s website in French only: https://acpr.banque-france.fr/sites/default/files/20021206-accord-entre-cb-cfb-suisse.pdf.
2.11 Whilst the very purpose of this exception is to enable intra-group exchange of information for internal risk management purposes, our view is that UBS ESE FR would be able to share information with UBS AG London Branch on the basis of such exception, subject to such information being strictly limited to information obtained or collected by UBS ESE FR when acting in the name and for the account of UBS AG, in the context of the SBS Transactions.
Waiver
2.12 Should it obtain a written waiver from the relevant customer, UBS ESE FR would be in a position to disclose protected information[24] revolving around that customer to UBS AG London Branch. Pursuant to Article L. 511-33 of the MFC, such waiver must be granted on a case-by-case basis (i.e. general consent allowing the transfer of information in any circumstance may not be sufficient).
Request from French criminal or regulatory authorities
2.13 A branch of a credit institution operating under a European passport in France cannot use the Secrecy Rules to oppose disclosure to the French criminal and regulatory authorities.[25]
Potential sanctions
2.14 Breaches of the Secrecy Rules could result in criminal and regulatory sanctions, and trigger risks of civil litigation.
Criminal sanctions
2.15 In the event of a breach of the Secrecy Rules, the entity’s directors and employees may incur up to 1 year’s imprisonment and/or a fine of up to EUR 15 000. The entity itself may incur a fine of up to EUR 75 000 as well as additional penalties, such as the temporary or definitive closure of the establishment that was used to commit the breach.[26]
Regulatory sanctions
2.16 The ACPR is in charge of monitoring compliance by credit institutions operating in France under a European passport with the provisions that are applicable to them under French law, taking into account the supervision performed by the relevant authorities of the Member State in which they have their head office (which are solely responsible, in particular, for the assessment of their financial situation, their operating conditions, solvability, liquidity and their ability to fulfil at all times their commitments with respect to their policy holders, subscribers, beneficiaries and reinsured companies).[27]
2.17 In this context, the ACPR has inspection and sanction powers, including the power to prohibit such credit institutions from continuing to provide banking services on French territory.[28]
2.18 If the ACPR notices that a credit institution operating in France under a European passport breaches or may breach the provisions of Chapter 1 of Title 1 of Book 5 of the MFC – which includes the Secrecy Rules –, it should inform the relevant authorities of the Member State of the country in which the credit institution has its registered office, so that the latter can immediately take any measures to ensure compliance with these provisions. Should it consider that the latter have not fulfilled or are not going to fulfil their obligations, it can make a request for assistance to the European Banking Authority in accordance with Article 19 of Regulation (EU) no. 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority).[29]
[24] See Article L. 511-33 I of the MFC.
[25] See Article L. 511-33 I of the MFC.
[26] See Articles L. 571-1 and 571-4 of the MFC and Articles 226-13, 131-38 and 131-39 of the French Criminal Code.
[27] See Article L. 612-2 III of the MFC.
[28] See Article L. 613-33 of the MFC.
Risk of litigation
 
2.19 Customers and third parties whose protected data would be illicitly transferred could seek compensatory damages under French law. Punitive damages are not available.
2.20 To seek compensation before the French courts, the alleged victims would need to demonstrate (i) a failure by UBS ESE FR (i.e. a breach of the Secrecy Rules), (ii) the damages they have suffered, and (iii) a direct link of causation between such failure and damages.
3. BLOCKING STATUTE
3.1 The Blocking Statute governs the request, search for or disclosure of information of an economic, commercial, industrial, financial or technical nature, with a view to establishing evidence in foreign judicial or administrative proceedings or in relation thereto.
Scope of protection
3.2 The Blocking Statute applies to documents or information of an economic, commercial, industrial, financial or technical nature that are located in France and prohibits the request, investigation or communication of documents or information in the context or with a view to foreign administrative or judicial proceedings.
Application and relevant exceptions
 
3.3
 
The prohibitions imposed by the Blocking Statute do not apply to transfers
 
of documents,
 
which:
 
are not made
 
in the context
 
or with a
 
view to foreign administrative
 
or judicial proceedings;
or,
 
are
 
made
 
in
 
compliance
 
with
 
applicable
 
French
 
law,
 
an
 
applicable
 
international
 
treaty
 
or
agreement (e.g. the
 
Hague Convention,
 
a Memorandum of
 
Understanding (
MoU
) entered into
by the ACPR or the AMF,
30
 
or a mutual legal assistance treaty)
31
.
3.4
 
In the case
 
at hand,
 
we understand
 
that the provision
 
and sharing
 
by UBS
 
ESE FR
 
to UBS
 
AG, London
Branch, of
 
the Covered
 
Books and
 
Records held
 
in France
 
by UBS
 
ESE FR
 
in relation
 
to the
 
SBS
Transactions:
 
would
 
be
 
made
 
for
 
risk
 
management
 
purposes,
 
given
 
the
 
role
 
of
 
UBS
 
ESE
 
FR,
 
and
respectively associated persons employed by UBS ESE
 
FR, to effect SBS Transactions in the
name and for the account of UBS AG,
and therefore,
 
 
would
 
not
 
be
 
made
 
in
 
the
 
context
 
or
 
with
 
a
 
view
 
to
 
foreign
 
administrative
 
or
 
judicial
proceedings.
 
3.5
 
In this context, we
 
believe that the Blocking
 
Statute should not prevent the
 
provision and sharing by
UBS ESE FR to
 
UBS AG, London
 
Branch, of the
 
Covered Books and
 
Records held in
 
France by UBS
ESE FR in relation to the SBS Transactions.
29
 
 
See Article R. 613
-
34 of
the MFC.
 
 
 
 
 
15
 
Potential sanctions

3.6 Breaches of the Blocking Statute may lead to criminal sanctions, of up to 6 months’ imprisonment and/or a fine of up to EUR 18 000 for individuals or a fine of up to EUR 90 000 for entities.

3.7 A risk of civil litigation may also arise where parties could evidence a direct link of causation between the violation of the Blocking Statute and the damages they have suffered.
 
4. PRIVACY AND HUMAN RIGHTS

4.1 Article 8 of the European Convention on Human Rights (ECHR) confers a general right to “respect for his private and family life, his home and his correspondence”. This right is directly applicable in France.[32] The right to privacy clearly applies to natural persons. However, in France, if legal persons have a right to see their correspondence protected, only natural persons can rely on / benefit from a right to privacy[33].

4.2 Article 8 ECHR does not in itself give rise to a free-standing cause of action – instead an action arising from a wrongful act, a breach of agreement or other legal obligation, such as under the GDPR, must be brought, and the court will then be obliged to consider the application of Article 8 ECHR.

4.3 Article 8 ECHR is, as it were, the fundamental legal foundation on which the GDPR has been based. The GDPR elaborates on the applicable principles of and the rules on the protection of natural persons when it comes to processing of personal data.[34] The ECHR can further be relied upon when interpreting these GDPR principles and rules if necessary. The GDPR can therefore be seen as the regulation detailing the right laid down in Article 8 ECHR, when it comes to the processing of personal data.
Application and exceptions

4.4 There shall be no interference by a public authority with the exercise of the right to respect for private and family life, his home and his correspondence, except in situations where the specific conditions set out under Article 8(2) of the ECHR are met. Article 8 is therefore a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:

(a) in accordance with the law;

This criterion has two aspects: the measure complained about must have some basis in domestic law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[35]

(b) is necessary in a democratic society;

This criterion is intended to ensure the proportionality of an intrusion into private life. To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.[36] and

(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).

This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.

[32] Article 9 of the French Civil Code and Article 226-15 of the French Criminal Code

[33] Cour de Cassation (French Supreme Court), Civ 1ère, 17 March 2016

[34] See also Whereas (1) and (2) GDPR.

[35] Malone v UK [1984] ECHR 10 at 68.

[36] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
ANNEX 2

ASSUMPTIONS

This opinion relies on the following assumptions:

1. In the context of the SBS Transactions, UBS ESE FR will provide investment services in accordance with all applicable French laws and regulations.

2. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.

3. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS Transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.

4. Where transfers of personal data are made by UBS ESE FR to UBS AG, London Branch, in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).

5. UBS AG or, as the case may be, UBS ESE FR has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE FR, such employees are “associated persons”[37] of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8).

6. Similarly, UBS ESE FR will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR and the French DPA[38].

7. All terms of business entered into by UBS AG, London Branch with its clients that are US Person counterparties conducting SBS Transactions contain clear statements such that counterparties are aware that their data may be shared with UBS group affiliates for the purposes of client management and that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10 of the terms of business for professional clients and eligible counterparties (March 2019)[39]).

8. UBS AG and UBS ESE FR do not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG or UBS ESE FR are required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG or UBS ESE FR in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.

[37] We do not give any views regarding this assumption.

[38] These principles are set out in at section 1.

[39] Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZ%20GY=/terms-of-business.pdf.
 
9. The SEC will, as a matter of practice, restrict its information requests to UBS AG, London Branch for, and use of, any information pursuant to its access to UBS AG, London Branch’s Covered Books and Records and On-Site Inspections of UBS AG, London Branch to only the information that the SEC requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction).

10. Information, data and documents received by the SEC are, as a matter of practice, maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[40] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.

[40] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.




Form SBSE-A

 

For Schedule above for Principal #17, RALPH ADRIANUS JOSEPH GERARDUS HAMERS, included below is prior investment-related experience (e.g., for each prior position employer, job title, and dates of service).

1991–06/2020 at ING (held below positions)

2013–06/2020: ING CEO and Chairman Executive Board ING Group, Management Board Banking and Management Board NN Group (until 2014; Supervisory Board member of NN Group 2014–2015)

2011–2013: Chief Executive Officer ING Belgium and Luxembourg

2010–2011: Head of Network Management for Retail Banking Direct International

2007–2010: Global Head of the Commercial Banking network

2005–2007: Chief Executive Officer ING Bank Netherlands

2002–2005: General Manager ING Bank branch network

1999–2002: General Manager ING Romania

1997–1999: Deputy General Manager Global Lending Risk Management

1995–1997: Head of Media Finance Group

1991–1995: Relationship Manager Structured Finance, Global Clients division

1989-1991 at ABN AMRO (held below position)

1989-1991: Project and Structured Finance

For Schedule above for Principal #18, IQBAL KHAN, included below is prior investment-related experience (e.g., for each prior position employer, job title, and dates of service).

10 2015 – 06 2019 Credit Suisse AG; CEO International Wealth Management

06 2013 – 09 2015 Credit Suisse AG; CFO Private Banking Wealth Management

05 2011 – 06 2013 Ernst Young AG; Managing Partner Assurance and Advisory Services – Financial Services

2009 – 2011 Ernst Young AG; Industry Lead Partner Banking and Capital Markets, Private Banking Switzerland and EMEA

02 2001 – 2009 Ernst Young; Held various positions within the company while completing several higher education diplomas.

12 1997 – 01 2001 Treureva AG; Audit, Trust and Tax Advisory

02 1996 – 11 1997 IDEWA Treuhand und Buchhaltungs AG; Accounting

08 1992 – 01 1996 Revor AG Treuhand- Revisionsgesellschaft; Accounting



Form SBSE-A

 

For Schedule B Item 14 above - for RALPH ADRIANUS JOSEPH GERARDUS HAMERS, included below is prior investment-related experience (e.g., for each prior position - employer, job title, and dates of service).

1991–06/2020 at ING held below positions:

2013–06/2020: ING CEO and Chairman Executive Board ING Group, Management Board Banking and Management Board NN Group (until 2014; Supervisory Board member of NN Group 2014–2015)

2011–2013: Chief Executive Officer ING Belgium and Luxembourg

2010–2011: Head of Network Management for Retail Banking Direct International

2007–2010: Global Head of the Commercial Banking network

2005–2007: Chief Executive Officer ING Bank Netherlands

2002–2005: General Manager ING Bank branch network

1999–2002: General Manager ING Romania

1997–1999: Deputy General Manager Global Lending Risk Management

1995–1997: Head of Media Finance Group

1991–1995: Relationship Manager Structured Finance, Global Clients division

1989-1991 at ABN AMRO (held below position)

1989-1991: Project and Structured Finance

For Schedule Item 14 above for IQBAL KHAN, included below is prior investment-related experience (e.g., for each prior position employer, job title, and dates of service).

10 2015 – 06 2019 Credit Suisse AG; CEO International Wealth Management

06 2013 – 09 2015 Credit Suisse AG; CFO Private Banking Wealth Management

05 2011 – 06 2013 Ernst Young AG; Managing Partner Assurance and Advisory Services – Financial Services

2009 – 2011 Ernst Young AG; Industry Lead Partner Banking and Capital Markets, Private Banking Switzerland and EMEA

02 2001 – 2009 Ernst Young; Held various positions within the company while completing several higher education diplomas.

12 1997 – 01 2001 Treureva AG; Audit, Trust and Tax Advisory

02 1996 – 11 1997 IDEWA Treuhand und Buchhaltungs AG; Accounting

08 1992 – 01 1996 Revor AG Treuhand- Revisionsgesellschaft; Accounting

For Schedule Item 14 above for DANIEL PAUL ROSENTHAL included below is prior investment-related experience (e.g., for each prior position employer, job title, and dates of service).

09/1992 to 04/1996: Chartered Accountant at Arthur Andersen



 

 

 

 

 

By courier

Securities and Exchange Commission

100 F Street, NE

Washington, DC 20549-1090

United States of America

 

With a copy to

UBS AG

Credit Suisse AG

 

(together the "Addressees" and each an "Addressee") 

 

 

Date

October 26, 2021

Reference

210054/SW-06336441/OFA

 

SBSD SEC Registration

Ladies and Gentlemen

We, Schellenberg Wittmer Ltd, are acting as special Swiss counsel to each of UBS AG and Credit Suisse AG (each a Bank) in connection with their applications for substituted compliance as non-US security-based swap (SBS) dealers (SBSDs) with the United States Securities and Exchange Commission (SEC). 

1.           Background

We have been requested to provide an opinion in connection with certain issues of Swiss law based on the facts described hereinafter with respect to:

 



 

(i)           access by or on behalf of the SEC to the books and records relating to the "U.S. business" (as defined in SEC Rule 3a71-3(a)(8)[1]) of the Bank as a nonresident SBSD,[2] i.e., records that relate to an SBS transaction that is either (a) entered into, or offered to be entered into, by or on behalf of a Bank, with a U.S. person (other than a transaction conducted through a foreign branch of that person);[3] or (b) arranged, negotiated, or executed by personnel of the Bank located in a U.S. branch or office, or by personnel of an agent of the Bank located in a U.S. branch or office[4] (the SBS Business, such books and records related to the SBS Business the Books and Records); and 

(ii)          any on-site inspections and examinations by the SEC of the Books and Records taking place in Switzerland in relation to the SBS Business.

This legal opinion is provided in order to satisfy the requirement in SEC Rule 3a71-6(c)(2)(ii)[5] for the Banks to provide an opinion of counsel in connection with their application for substituted compliance.

As regards Books and Records that are relevant for the purposes of this legal opinion, they are held by each Bank as follows:

(i)           some Books and Records are physically held or electronically stored in Switzerland (the Swiss Books and Records); and

(ii)          some Books and Records are physically held or electronically stored in the United States (the US Books and Records). 

2.           Questions

Against this background we have been asked to analyze the following questions:

A.      Can the Bank, as a matter of Swiss law, provide the SEC with prompt access to the Swiss Books and Records?

B.      Can the Bank, as a matter of Swiss law, submit to on-site inspection and examination by the SEC in relation to the Swiss Books and Records?

C.      Does the Bank breach Swiss law by submitting to on-site inspections and the examination of its US Books and Records by the SEC in the US?

 


[1]           17 C.F.R. § 240.3a71-3(a)(8), available at https://ecfr.io/Title-17/Section-240.3a71-3.

[2]           See Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020), available at: https://www.govinfo.gov/content/pkg/FR-2020-02-04/pdf/2019-27760.pdf (the “SEC Guidance”).

[3]           See 17 C.F.R § 240.3a71-3(a)(8)(i)(A), available at https://ecfr.io/Title-17/Section-240.3a71-3. A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 C.F.R. § 240.3a71-3(a)(4), available at https://ecfr.io/Title-17/Section-240.3a71-3.  A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” 17 C.F.R. § 240.3a71-3(a)(2), available at https://ecfr.io/Title-17/Section-240.3a71-3. An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” 17 C.F.R. § 240.3a71-3(a)(3)(i), available at https://ecfr.io/Title-17/Section-240.3a71-3.

[4]           See 17 C.F.R. § 240.3a71-3(a)(8)(i)(B), available at https://ecfr.io/Title-17/Section-240.3a71-3.

[5]           17 C.F.R. § 240.3a71-6(c)(2)(ii), available at https://ecfr.io/Title-17/Section-240.3a71-6.



3.           Scope

This legal opinion is limited to matters of Swiss law arising in the context of (a) the access by the SEC to Swiss Books and Records, (b) the on-site inspections and examinations of such Swiss Books and Records by the SEC taking place in Switzerland and/or (c) the on-site inspections and examinations of US Books and Records by the SEC taking place in the US.

On the basis that each Bank has a "prudential regulator", this opinion does not cover financial records necessary to assess compliance with SEC margin and capital requirements.

4.           Documents reviewed

For the purposes of this opinion, we have examined the following documents:

(i)           a memorandum of understanding (MOU) between the SEC and the Swiss Financial Market Supervisory Authority (FINMA) concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated August 8, 2021;

(ii)          a waiver issued by FINMA (the FINMA Waiver) dated August 5, 2021 concerning the transmission of, or access to, the Swiss Books and Records as required by the SEC;

(iii)         a permission issued by FINMA (the FINMA Permission) dated August 5, 2021 concerning the on-site inspection and examination by the SEC in relation to the Swiss Books and Records; and

(iv)         a Memorandum by the Federal Data Protection and Information Commissioner (FDPIC) dated June 25, 2021 concerning Swiss Firm Data Processing and Sharing of Information with the U.S. Securities and Exchange Commission (the FDPIC Memorandum). 

For the purposes of this opinion, we have reviewed no documents other than those mentioned in section 4.

5.           Assumptions

In giving our opinion, we have assumed the following:

5.1         The SBS Business consists of SBS transactions that are either (i) entered into, or offered to be entered into, by or on behalf of a Bank, with a U.S. person (other than a transaction conducted through a foreign branch of that person) or (ii) arranged, negotiated, or executed by personnel of the Bank located in a U.S. branch or office, or by personnel of an agent of the Bank located in a U.S. branch or office, in each case that are booked with a non-Swiss office of the Bank.

5.2         The SBS Business forms part of the Covered Activities as defined in the MOU (the Covered Activities).  

 



 

5.3         The Swiss Books and Records are held with the Bank or a material group company of the Bank in the sense of article 2bis para. 1 lit. b Swiss Federal Banking Act of November 8, 1934 (the Banking Act). 

5.4         The access to, the transmission of and the on-site inspections and examinations of the Books and Records are regarding clients forming part of the SBS Business (the Relevant Clients) and employees of the Bank based in Switzerland (the Relevant Employees).  

5.5         The Relevant Clients are investment banking clients and the Books and Records are therefore not linked to the asset management, securities trading or deposit business for individual clients.

5.6         The Relevant Clients and Relevant Employees have been appropriately informed of the disclosure of the information to the SEC and have waived their rights that could conflict with the disclosure of information to the SEC, including without limitation such rights resulting from bank-client confidentiality, the applicable data protection rules, the employment relationships or applicable employment laws, as applicable, provided that, to the extent any such waivers are required under Swiss law for lawfully providing or making available the information to the SEC, (i) such waivers are validly given under Swiss law (including without limitation under Swiss civil law) or, if they are not governed by Swiss law, the applicable foreign law, and (ii) in respect of Relevant Employees, to the extent that such waiver may not validly be given, the disclosure of information is justified by the necessity to perform the contract with the Relevant Employees, an overriding private interest of the Bank or by an overriding public interest (each as further set out in the FDPIC Memorandum).

5.7         The disclosure of information and any on-site inspections and examinations are limited to information which is necessarily required for the supervisory and enforcement activity of the SEC, as required by the applicable data protection rules or, as applicable, as determined by FINMA.

5.8         Any processing of data by the Bank forming part of the Books and Records occurs in compliance with Swiss data protection rules, to the extent applicable (as further set out in the FDPIC Memorandum).

5.9         The access to, the transmission of and the on-site inspections and examinations of the Books and Records are exercised by the SEC and not by or on behalf of any other foreign authorities.

5.10      As regards the access to, and the transmission of, the Swiss Books and Records to the SEC and the on-site inspections and examinations of the Swiss Books and Records by the SEC, the SEC and/or the persons and/or organizations directly or indirectly active on behalf of the SEC in this respect (i) are bound by official or professional secrecy, notwithstanding provisions on the public nature of proceedings and the notification of the general public about such proceedings, (ii) will use the Swiss Books and Records exclusively for the lawful supervision (including enforcement) of financial institutions and financial markets under U.S. laws and regulations and (iii) will not forward the Swiss Books and Records to other authorities, courts or bodies for any purpose other than as stated under (ii).

 



 

5.11      The access to, the transmission of and the on-site inspections and examinations of the Books and Records are taking place in compliance with the FINMA Waiver and/or the FINMA Permission and/or the MOU, to the extent needed.

5.12      Any on-site inspections and examinations of the US Books and Records occur in the United States and, as ensured by the Bank, without the involvement of employees or other representatives or agents of the Bank or of a Bank group company located in Switzerland.

5.13      The Bank will keep US Books and Records in the United States in accordance with the SEC rules.

5.14      Information which is not covered by the FINMA Waiver (the FINMA Waiver Carve Out) and that may not be provided as Firm Information as defined in the MOU (the Firm Information) to the SEC under the MOU, may be delivered to the SEC by FINMA via administrative assistance channels or may be delivered to the SEC by a Bank directly in the absence of an objection of FINMA.

5.15      The FINMA Waiver, the FINMA Permission and the MOU are unconditionally given and in place, to the extent needed.

6.           Question A: Can the Bank, as a matter of Swiss law, provide the SEC with prompt access to the Swiss Books and Records?

6.1          Blocking Statute of article 271 para. 1 of the Swiss Criminal Code

6.1.1     Definition

Article 271 para. 1 of the Swiss Criminal Code of December 21, 1937 (CC) (Unlawful activities on behalf of a foreign state) protects Swiss territorial sovereignty and primarily aims at preventing foreign countries or parties to foreign proceedings from circumventing international conventions on judicial assistance.

6.1.2     Applicable to "Official Acts"

Pursuant to article 271 para. 1 CC, the actions conducted for a foreign state must have the characteristics of an official act to fall under this prohibition. The determination whether an action qualifies as an official act is solely based on Swiss law and not on foreign or international law. Article 271 para. 1 CC may, thus, even apply in cases where a foreign state would not consider its interests or its sovereignty affected. In this regard, the Swiss Federal Supreme Court held that any action, which "according to its nature" under Swiss law lies within the competence of a public authority, is reserved to the powers of the Swiss public authorities and must not be executed on Swiss territory without prior authorization by the competent Swiss authority.[6] 

The gathering, compiling and establishing of means of evidence (e.g. documents, witness statements, depositions, databases) for use in foreign court proceedings (whether civil, penal or administrative) is, in Switzerland, considered to be an official act within the meaning of article 271 para. 1 CC and may only be performed by Swiss authorities. Also, any direct service of subpoenas, summons and other court orders or official documents from a foreign state to a person or entity in Switzerland may violate article 271 para. 1 CC.

What constitutes "official acts" for these purposes is therefore interpreted extensively and includes also actions that – if executed lawfully – could in principle be executed by a foreign public authority or public official on Swiss territory but the legal requirements or procedures for such action have not been complied with (i.e. judicial assistance procedures).


[6]           See for example decision 114 IV 131 of the Swiss Federal Supreme Court.



 

6.1.3     Disclosure permitted by Swiss law

The prohibition of article 271 para. 1 CC will not apply if the disclosure is permitted by Swiss law, including but not limited to any permitted transmission of information pursuant to article 42c of the Financial Market Supervision Act of June 22, 2007 (FINMASA). 

6.2         Article 42c para. 1 FINMASA

6.2.1     Definition

Pursuant to article 42c para. 1 FINMASA, supervised persons may transmit non-public information to the foreign financial market supervisory authorities responsible for them and to other foreign entities responsible for supervision provided:

(a)          the conditions set out in article 42 para. 2 FINMASA are fulfilled; and

(b)          the rights of clients and third parties are preserved.

Article 42c FINMASA only applies when information is transmitted from Switzerland to another country, i.e. across national borders and not when representatives of the foreign authority or entity are in Switzerland.[7]  In such other event, article 43 FINMASA applies (see section 7 below).

The purpose of article 42c para. 1 FINMASA is a carve out from article 271 para. 1 CC.[8]   

Article 42c FINMASA intends to allow, subject to certain requirements (see sections 6.2.4 and 6.2.5 below), supervised parties to transmit non-public information to a foreign financial market supervisory authority without an authorization allowing the transfer of such information that would otherwise be required.[9]

 


[7]           FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 4.

[8]           Explanatory Report to the Financial Market Infrastructure Act (FMIA) of September 3, 2014, p. 7620.

[9]           Such authorization would be required by the competent Federal Department (Departement) and Federal Chancellery (Bundeskanzlei) under article 31 para. 1 of the Ordinance on the Organization of the Government and the Administration of 25 November 1998 (OOGA).


6.2.2     Supervised persons

As regards its personal scope, article 42c para. 1 FINMASA applies to all persons and entities supervised by FINMA pursuant to article 3 FINMASA.[10] 

The Bank, as a Swiss legal entity subject to prudential supervision by FINMA as a bank under the Banking Act, qualifies as a "supervised person" in the sense of article 42c FINMASA and therefore falls into its personal scope.

6.2.3     Transmission to foreign financial market supervisory authority

In the case at hand, the Swiss Books and Records shall be transmitted to the SEC.

As competent regulator under the US Securities Exchange Act of 1934 and the Securities Act of 1933, the SEC qualifies as a "foreign financial market supervisory authority" in the sense of article 42c FINMASA.

6.2.4     Article 42c para. 1 lit. a FINMASA

a.     Requirements of article 42 para. 2 FINMASA

Pursuant to article 42c para. 1 lit. a FINMASA, the requirements set out in article 42 para. 2 FINMASA must be met in order to exercise the rights of direct transmission.

Pursuant to article 42 para. 2 FINMASA, FINMA may transmit non-public information to foreign financial market supervisory authorities only if:

(a)          this information is used exclusively to implement financial market law, or it is forwarded for these purposes to other authorities, courts or bodies (speciality requirement); and

(b)          the requesting authorities are bound by official or professional secrecy, notwithstanding provisions on the public nature of proceedings and the notification of the general public about such proceedings (confidentiality requirement). 

In order to facilitate the work of supervised persons and to allow them to apply article 42c para. 1 lit. a FINMASA independently and uniformly, FINMA publishes a list of foreign financial market supervisory authorities to which FINMA has provided administrative assistance in the past. If an authority appears on the list, supervised persons may generally assume that the requirements of specialty and confidentiality under article 42 para. 2 FINMASA are met without further checks.[11]   

However, further assurances may be required, where (i) the requesting authority does not state the purpose for which information shall be used (which would not be relevant in the present circumstances where it is understood that the SEC makes the request in the context of the SBS Business) or (ii) there is a reason to suspect that the requesting authority will not adhere to confidentiality or (iii) that it will not only use it in the context of enforcing financial market laws or that it will forward it to other authorities, courts or bodies for other purposes.[12] Such assurance may be provided e.g. by a confirmation from the foreign authority or entity or with a written opinion from a local lawyer specialising in financial market law or an international law firm.[13]

 


[10]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 2.

[11]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 21.

[12]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 24 et seq.

[13]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 26.


b.     SEC satisfying article 42 para. 2 FINMASA

The SEC is listed by FINMA as a foreign financial market supervisory authority to which it has provided administrative assistance in the past.[14] 

Furthermore, the purpose of the transmission of information is the ongoing oversight of the SBS Business and the Bank’s compliance with the applicable US law.

On this basis and on the assumptions that the SEC (i) is bound by official or professional secrecy, notwithstanding provisions on the public nature of proceedings and the notification of the general public about such proceedings, (ii) will use the Swiss Books and Records exclusively for the lawful supervision (including enforcement) of financial institutions and financial markets under US laws and regulations and (iii) will not forward the Swiss Books and Records to other authorities, courts or bodies for any purpose other than as stated under (ii), the SEC meets the requirements of article 42 para. 2 FINMASA.

The FINMA Waiver and the MOU may be considered as evidence that FINMA came to the same conclusion.

6.2.5     Article 42c para. 1 lit. b FINMASA

a.     Preservation of the rights of the clients and third parties

Article 42c FINMASA does not constitute a carve-out from business and bank-client confidentiality obligations, data protection regulations and rights resulting from employment relationships.[15]  Such rights of clients and third parties must therefore be complied with when applying article 42c FINMASA (article 42c para. 1 lit. b FINMASA).

 


[14]          See <https://finma.ch/de/ueberwachung/branchenuebergreifende-themen/direktuebermittlung/>.

[15]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 30; BSK FINMASA-du Pasquier/Menoud, Art. 42c N 30.


For these purposes,

-         "Clients" are the natural persons and legal entities whom FINMASA and the financial market law intend to protect, in particular creditors and investors (article 5 FINMASA);[16] 

-         "Third parties" are all other natural persons and legal entities that are mentioned in the information to be transmitted or can be identified from it, including employees of supervised parties, authorised representatives and beneficial owners.[17] 

Neither the statutory rules of the FINMASA nor FINMA define how the rights of clients and third parties should be complied with in this context. The measures to be taken therefore depend on the specific case and the relevant provisions of the Swiss privacy, data protection and employment laws.

b.     Banking secrecy

To the extent that Relevant Clients have provided a valid consent to the disclosures to the SEC, the question does not arise whether the access to the Swiss Books and Records could constitute a breach of any Swiss banking secrecy obligations.

c.     Data protection

According to article 6 para. 2 Federal Act on Data Protection of June 19, 1992 (FADP) personal data may - under certain conditions, such as a consent, contractual clauses or overriding public interests - be transmitted to a country without, from the perspective of the FADP, an adequate level of data protection. The US falls into such category (see section 2.4 FDPIC Memorandum).

Pursuant to article 6 para. 2 lit. b and article 4 para. 5 FADP, consent is valid only if given in the specific case voluntarily on the provision of adequate information (“informed consent”). Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles (article 4 para. 5 FADP). Such consent is voluntarily given and valid, even though the Bank would not have been prepared to enter into a contract if the customer had not consented (see section 2.4.2 FDPIC Memorandum).

Alternatively, personal data may also be disclosed abroad if the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party (article 6 para. 2 lit. c FADP; see also section 2.4.3 FDPIC Memorandum). According to the FDPIC, in respect of the Relevant Clients, the transfer of customer data to the SEC can be based on article 6 para. 2 lit. c FADP provided that, in the individual case, there are not any overweighing interests of the data subject that would not allow the disclosure.

 


[16]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 16.

[17]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 17.


Personal data may also be disclosed abroad if disclosure is essential in the specific case in order to safeguard an overriding public interest (article 6 para. 2 lit. d FADP). According to Swiss doctrine, an overriding public interest may exist in the event that a company is required by foreign law to disclose business records, for example in the context of supervision by a foreign regulatory authority. On the basis of these conditions, the FDPIC therefore assumes that a transfer of personal data to the SEC is, in principle, justified by an overriding public interest (see section 2.4.5 FDPIC Memorandum). This can be based on article 6 para. 2 lit. d FADP, provided that, in the individual case, there are not any overweighing interests of the data subject that would not allow the disclosure.

We understand that, in case the transfer of Swiss Books and Records in the ordinary course of business leads to an investigation of an individual, this would not be a prohibited disclosure within the meaning of “overweighing interests of the data subject.” Otherwise no information could be transmitted, as it cannot be excluded that some information of the data subjects may theoretically lead to an investigation.

Even if a cross-border transfer is compatible with article 6 FADP, the fundamental data protection principles mentioned in articles 4, 5 and 7 FADP must still be observed when processing, including transferring, personal data (see section 2.5 FDPIC Memorandum).

d.     Employment law

As regards the Relevant Employees, the question may arise whether a consent to the disclosure to the SEC is valid from an employment law perspective. While such consent should be valid from the perspective of being an inherent condition to the performance of their roles with respect to the SBS Business, we cannot exclude that the consent would be invalidated on the basis that the relevant employees have no choice to withhold the consent (see section 2.4.4 FDPIC Memorandum). In such event, an alternative legal basis would be needed to provide access to the Swiss Books and Records to the SEC.

Article 328b of the Swiss Code of Obligations of 30 March 1911 (CO) states that the employer may handle data concerning the employee only to the extent that such data concern the employee’s suitability for his employment or are necessary for the performance of the employment contract.

We share the opinion of the FDPIC that a disclosure of employee data to the SEC should be viewed as necessary for the performance of the employment contract, in which case data processing is compatible with article 328b CO (see section 2.4.4 FDPIC Memorandum). As an alternative legal basis, the disclosure may be justified by overriding public interests (see section 2.4.4 FDPIC Memorandum). We do not have further caveats to raise in this respect other than the points set out in the FDPIC Memorandum.

 


6.3         Obligation to notify FINMA

Pursuant to article 42c para. 3 FINMASA, the transmission of information qualified as being of substantial importance in accordance with article 29 para. 2 FINMASA must be reported to FINMA prior to making any such transmission.

Such information may either be subject to such reporting to FINMA regardless of the transmission under article 42c FINMASA or the transmission abroad is itself of substantial importance.[18]   

Pursuant to the FINMA Circular 2017/6, any information subject to the obligation of article 42c para. 3 FINMASA may not be transmitted abroad before FINMA provided a response.[19]   

FINMA informs the supervised party usually within five working days as to whether it requires the use of administrative assistance channels (see section 6.4 below) instead of allowing the supervised entity to proceed with the direct transmission.[20]  Also, note that FINMA may say that it only refrains from requiring the use of administrative assistance channels (see section 6.4 below) subject to certain conditions. However, please note that FINMA requested in its practice the use of administrative assistance channels only in exceptional circumstances.

If a supervised party intends to transmit information to a foreign authority or entity, FINMA may, in a general manner, waive the need for future transmissions to be reported to it prior to a transmission of such information either on its own initiative or on request.[21]   

Such a waiver has been given by FINMA with the FINMA Waiver (please also see section 6.4 below) and FINMA confirmed the validity and the scope of the FINMA Waiver in article II para. 25.b. and article IV para. 43 of the MOU. According to the FINMA Waiver, FINMA agreed that the Bank may report to FINMA simultaneously with the transmission to the SEC, and is not obliged to wait for FINMA's response.

When receiving a notice under article 42c para. 3 FINMASA, FINMA does not verify whether the conditions for transmission under article 42c para. 1 FINMASA are met, in particular whether the rights of clients and third parties are preserved. The supervised party is responsible for complying with these requirements.[22] 

6.4         Administrative assistance channels

Pursuant to article 42c para. 4 FINMASA, FINMA may require the use of administrative assistance channels instead of allowing the supervised entity to proceed with the direct transmission. FINMA may for instance use these powers for a specific communication that came to FINMA's attention as a result of the notice under article 42c para. 3 FINMASA.[23]

 


[18]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 44 et seq.

[19]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 72 et seq.

[20]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 71.

[21]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 69.

[22]          FINMA Circular 2017/6 Direct transmission of December 8, 2016, n. 74.

[23]          Explanatory Report to the Financial Market Infrastructure Act (FMIA) of September 3, 2014, p. 7620.


The FINMASA does not specify any specific conditions on the basis of which FINMA may use such powers. However, according to the FINMA Waiver, as applicable pursuant to the MOU, FINMA waived its rights to require the use of administrative assistance channels in accordance with article 42c para. 4 FINMASA with regard to information in connection with the SBS Business of the Bank, with the exception of the information forming part of the FINMA Waiver Carve Out, on the conditions that:

(1)     the information is used exclusively for the lawful supervision (including enforcement) of financial institutions and financial markets under US laws and regulations, or is forwarded to other authorities, courts or bodies for this purpose;

(2)     the SEC is bound by official or professional secrecy, notwithstanding provisions on the public nature of proceedings and the notification of the general public about such proceedings; and

(3)     the rights of clients and third parties resulting from bank client confidentiality, data protection laws or employment laws are preserved.

FINMA reiterated in article II. para. 25.a. of the MOU that Covered Firms as defined in the MOU (the Covered Firms) are authorized to transmit information relating to their Covered Activities to the SEC in writing or orally in line with the requirements (1) to (3) above. This also applies to each Bank as a Covered Firm falling into the scope of the MOU.

6.5         Supervisory privilege

Pursuant to article 42c para. 5 FINMASA and separately from article 42c para. 4 FINMASA, FINMA may make the transmission, publication or forwarding of files it is involved in in the context of its supervision subject to its approval if this is required for completing its supervisory roles and such approval does not conflict with overriding private or public interests. However, this "supervisory privilege" is limited to correspondence and communications between FINMA and the supervised entity.[24]

Based on this provision, FINMA may in particular require its consent prior to the disclosure of any correspondence with FINMA, minutes of meetings with FINMA, FINMA audit reports or orders. We understand that the "supervisory privilege" is limited to the information according to the FINMA Waiver Carve Out.

However, the MOU overrides these FINMA powers as follows:

(i)     In the MOU, FINMA agrees to provide Firm Information to the SEC on an ongoing basis without the need for further assistance at the points in time as specified in the MOU (see article III. para. 34 MOU).

(ii)    FINMA further states that it also intends to provide Firm Information to the SEC upon request (see article III. para. 35 MOU).

We understand that such information may also be delivered to the SEC by a Bank directly in the absence of an objection by FINMA.

 


[24]          Urs Zulauf, Titel Kooperation oder Obstruktion? – 20 Jahre Amtshilfe im Finanzmarktrecht vom Börsengesetz zum FINFRAG, GesKR 215, p. 350 f.; Monsch/von der Crone, SZW 2015, p. 663.


6.6         Conclusion

Based on the above and subject to the qualifications set forth herein (see section 9 below), we are of the opinion that the Bank can, as a matter of Swiss law, provide the SEC with prompt access to the Swiss Books and Records.

7.           Question B: Can the Bank, as a matter of Swiss law, submit to on-site inspection and examination by the SEC in relation to the Swiss Books and Records?

7.1          Blocking Statute of article 271 para. 1 of the Swiss Criminal Code

Reference is made to section 6.1 above.

7.2         Requirements of on-site inspections or examinations

7.2.1     Definition

Pursuant to article 43 para. 2 FINMASA, FINMA may permit foreign financial market supervisory authorities to carry out direct audits of supervised parties provided:

(a)          these authorities are responsible for the supervision of the audited supervised party as part of home country supervision (home regulators) or are responsible for supervising the activity of the audited supervised party in their territory (host regulators); and

(b)          the conditions for administrative assistance set out in article 42 para. 2 FINMASA are met.

7.2.2     FINMA permission requirement

As a result of the sovereignty of the Swiss Confederation and in line with the principles of international law, foreign financial market supervisory authorities may not carry out direct audits of supervised parties in the absence of the FINMA permission as set out above.[25] FINMA is free to determine the form in which it grants this permission. Such permission may also be given informally. Furthermore, the foreign authority is not a "party" to the proceedings concerning the approval of an on-site inspection in Switzerland. In general, there is no entitlement on the part of the foreign authorities or the supervised persons in Switzerland to the granting of such authorisation.

 


[25]          BSK FINMASA-Rayroux/Mehmetaj, Art. 43 N 8.


By issuing the FINMA Permission, FINMA has given its permission to on-site visits and examinations to the SEC.

FINMA confirmed for Covered Firms and their Covered Activities the validity and the scope of the FINMA Permission in article V para. 46 of the MOU. This also applies to each Bank as a Covered Firm falling into the scope of the MOU.

7.2.3     Access by foreign authorities

A "foreign financial market supervisory authority" pursuant to article 42c para. 1 FINMASA (please see 6.2 above) also qualifies as such in the sense of article 43 para. 2 FINMASA. While article 43 para. 2 FINMASA does not explicitly mention "other foreign bodies entrusted with supervision", an on-site inspection and examination could also be conducted by third parties which are appointed by a foreign financial market supervisory authority or which are appointed by the supervised institution at the request of a foreign financial market supervisory authority to investigate a particular issue.[26] 

Where the foreign authority is a host regulator, it must have a specific connection to an activity carried out by the supervised entity to be examined in the territory of such foreign authority.[27]   

7.2.4     Requirements of article 42 para. 2 FINMASA

The on-site inspections and examinations must meet the conditions set out in article 42 para. 2 FINMASA (see section 6.2.4 above).

7.2.5     Information required for supervisory activity

Pursuant to article 43 para. 3 FINMASA, information may be collected through on-site inspections and examinations only if the collection of such information is required for the supervisory activity of the foreign financial market supervisory authority. This includes in particular the information stated in article 43 para. 3 FINMASA, which is a non-exhaustive list.

Information which is not necessarily required for the supervisory activity of the SEC, as determined by FINMA, would not be covered by article 43 para. 3 FINMASA. Client information would usually fall into this category, unless it is at the same time relevant for the supervision of the FINMA supervised firm. However, the client may agree to the sharing of the relevant information.

Therefore, where the client has – as a pre-requisite to be able to deal with the Bank – consented to the sharing of relevant information with the competent foreign supervisory authority, the information may be provided on this basis also as part of article 43 para. 3 FINMASA, subject to the limitations resulting from the FINMA Permission (as stated in section 7.3 below).

 


[26]          FINMA Guidelines regarding on-site visits of March 3, 2017 (the Art. 43 FINMASA FINMA Guidelines), clause 2.2.

[27]          Art. 43 FINMASA FINMA Guidelines, Scope of Application.


 

7.3         Form of on-site inspections or examinations

According to the FINMA Permission and article V para. 46 of the MOU, FINMA grants the SEC a permission to conduct on-site inspections and examinations in relation to the Swiss Books and Records and to conduct informal interviews with employees of the Bank in connection with the SBS Business, to the extent necessary for the SEC's supervision of the SBS Business.

Except in cases of emergency, the SEC will have to notify FINMA two weeks in advance of a planned on-site inspection and examination. Both authorities should consult on the intended timeframe for, and the purpose and scope of, the on-site inspection and examination.

As specified in the FINMA Permission, on conclusion of each review of files or meeting with the Bank’s personnel during an on-site inspection and examination, the SEC's examination staff may take personal notes from the premises of the Bank. These personal notes may not include client identifying information linked to the asset management, securities trading or deposit business for individual clients (article 43 para. 3bis FINMASA). However, such personal notes may include client identifying information concerning other clients, e.g., the Bank’s commercial customers, corporate finance customers, business and investment banking customers as well as interbank transactions, provided that the rights of these clients are preserved. The SEC’s staff may not take copies of any documents shown to them during the on-site inspection and examination that contain non-public information from the Bank’s premises. These documents must be left at the premises of the Bank. If the SEC wishes to obtain such documents, the SEC may request their transmission either from FINMA or from the Bank.

FINMA reiterated for Covered Firms, including each Bank, the conditions for on-site visits and examinations in article V para. 47 et seq. of the MOU. FINMA intends to transmit upon request of the SEC to the SEC relevant reports, or information in reports regarding inspections, examinations or compliance reviews it may have undertaken regarding the Covered Firm with respect to Covered Activities that are relevant to the SEC's on-site visit. FINMA may, at its discretion, or at the request of the SEC or of the Covered Firm, accompany the SEC during the on-site visit and assist in the on-site visit.

Article V para. 48 of the MOU further specifies that the SEC, following an on-site inspection or examination, will have to inform FINMA about any findings of the on-site inspection or examination and provide a copy of the letter or report issued by SEC to the Covered Firm summarizing the findings from the on-site inspection or examination.

Also, according to Article V para. 49 of the MOU, FINMA will notify the SEC in advance of any on-site visits FINMA plans to do in Switzerland in instances FINMA believes the on-site visit would be relevant to the SEC for fulfilling its supervisory mandate in relation to the Covered Firm and the Covered Activities. The SEC may, upon request and subject to the consent of FINMA, accompany FINMA during the parts of the on-site visit where the main focus is on the Covered Activities.

 


7.4         Protection of client interests

Pursuant to article 43 para. 3bis FINMASA, if during on-site visits in Switzerland foreign financial market supervisory authorities wish to consult information linked directly or indirectly to the asset management, securities trading or deposit business for individual clients, FINMA shall collect this information itself and transmit it to the requesting authorities through the administrative assistance process (also referred to as "private banking carve-out").

The purpose of this private banking carve-out is to protect the privacy of Swiss or foreign clients managed by the supervised institution in Switzerland in the context of a long-standing bank-client relationship involving also the personal assets of the client. The carve-out aims at ensuring that the right of appeal of clients (who had not previously consented to the disclosure of their information to a foreign supervisory authority) is safeguarded. In contrast, where the client had consented to the disclosure in advance as in case of SBS transactions, the carve-out would de facto not apply.

However, the carve-out of article 43 para. 3bis FINMASA does not apply to the investment banking or commercial banking business.

7.5         Conclusion

Based on the above and subject to the qualifications set forth herein (see section 9 below), we are of the opinion that the Bank can, as a matter of Swiss law, submit to on-site inspection and examination by the SEC in relation to the Swiss Books and Records.

8.           Question C: Can the Bank, as a matter of Swiss law, submit to on-site inspection and examination by the SEC in relation to its US Books and Records?

8.1         Blocking Statute of article 271 para. 1 of the Swiss Criminal Code

Based on the assumption that any on-site inspections and examinations of the US Books and Records occur in the United States and, as ensured by the Bank, without the involvement of employees or other representatives or agents of the Bank or of a Bank group company located in Switzerland, there is no action taking place on Swiss territory. On this basis, the on-site inspection and examination by the SEC in relation to its US Books and Records does not constitute a potential offence on Swiss territory and is therefore outside of the scope of application of article 271 para. 1 CC.

 


8.2         Conclusion

Based on the above and subject to the qualifications set forth herein (see section 9 below), we are of the opinion that the Bank can, as a matter of Swiss law, submit to on-site inspection and examination by the SEC in relation to its US Books and Records.

9.           Qualifications

The opinions set forth herein in sections 6.6, 7.5 and 8.2 are subject to the following qualifications:

9.1         The opinions expressed herein are limited to the laws of Switzerland as in force on the date hereof and as currently applied and construed by the courts of Switzerland. In the absence of statutory or established case law, we base our opinion on our independent professional judgement. We have not investigated and do not express or imply any opinion herein concerning any other laws, including without limitation with respect to the law of the place of booking of the SBS.

9.2         The exercise of discretion or the giving of an opinion by a third party or the reliance by any such party (in particular FINMA) on certain circumstances may not be valid unless such discretion is exercised reasonably or such opinion or reliance is based on reasonable grounds.

9.3         No opinion is expressed as to the accuracy of the facts set out or referred to in the documents reviewed or the factual background assumed therein.

9.4         Legal terms or concepts expressed in English in this opinion or in the MOU may not be identical to the concepts described by the same English terms as they exist under the laws of other jurisdictions.

 


We express no opinion on matters of fact and we assume no obligation to advise the Addressee of any changes of factual or legal matters relevant to this legal opinion that may be brought to our attention after the date hereof. This legal opinion is strictly limited to the matters stated in it and to the confirmations set forth in sections 6, 7 and 8 and does not apply by implication to any other matters.

This opinion is furnished to the Addressee in connection with the SBSD registration of the Bank.

This opinion is governed by and construed in accordance with Swiss law. By relying on this opinion, the Addressee agrees that all disputes arising out of or relating to this opinion shall be subject to the exclusive jurisdiction of the competent courts of the city of Zurich (city district no. 1), Switzerland.

 

Yours sincerely

 

SCHELLENBERG WITTMER LTD

 

 

 

Olivier Favre

Martin Lanz

 


Appendix 1

 

Financial Market Supervision Act of June 22, 2007

 

"Article 29 Duty to provide information and to report

1 The supervised persons and entities, their audit companies and auditors as well as persons or companies that are qualified investors or that have a substantial participation in the supervised persons and entities must provide FINMA with all information and documents that it requires to carry out its tasks.

2 The supervised persons and entities and the audit companies that conduct audits of them must also immediately report to FINMA any incident that is of substantial importance to the supervision."

 

"Article 42 Administrative assistance

1 In order to implement the financial market acts, FINMA may ask foreign financial market supervisory authorities to provide information.

2 It may transmit non-public information to foreign financial market supervisory authorities only if:

a. this information is used exclusively to implement financial market law, or is forwarded to other authorities, courts or bodies for this purpose;

b. the requesting authorities are bound by official or professional secrecy, notwithstanding provisions on the public nature of proceedings and the notification of the general public about such proceedings.

3 Paragraphs 1 and 2 apply by analogy to the exchange of information between FINMA and foreign authorities, courts and bodies involved in the restructuring and resolution of authorised parties.

4 The administrative assistance shall be carried out swiftly. FINMA shall observe the principle of proportionality. The transmission of information concerning persons who are manifestly uninvolved in the matter being investigated is not permitted.

5 FINMA may, in agreement with the Federal Office of Justice, authorise the forwarding of information to prosecution authorities for purposes other than those mentioned in paragraph 2 letter a, provided that mutual legal assistance in criminal matters is not excluded."  

 

 


" Article 42c Transmission of information by supervised parties

1 Supervised parties may transmit non-public information to the foreign financial market supervisory authorities responsible for them and to other foreign entities responsible for supervision provided:

a. the conditions set out in Article 42 paragraph 2 are fulfilled;

b. the rights of clients and third parties are preserved.

2 Furthermore, they may transmit non-public information related to the transactions of clients and supervised parties to foreign authorities and to entities acting on the authorities' behalf if the rights of clients and third parties are preserved.

3 The transmission of information that is of substantial importance in accordance with Article 29 paragraph 2 must be reported to FINMA beforehand.

4 FINMA may reserve administrative assistance channels.

5 It may make the transmission, publication or forwarding of files in the context of supervision subject to its approval if this is in the interest of its task fulfilment and is not in conflict with overriding private or public interests."

 

" Article 43 Cross-border audits

1 In order to implement the financial market acts, FINMA may itself carry out direct audits of supervised persons and entities abroad or have such audits carried out by audit agents.

2 It may permit foreign financial market supervisory authorities to carry out direct audits of supervised parties provided:

a. these authorities are responsible for the supervision of the audited supervised party as part of home country supervision or are responsible for supervising the activity of the audited supervised party in their territory; and

b. the conditions for administrative assistance set out in Article 42 paragraph 2 are fulfilled.

3 Information may be collected through cross-border direct audits only if it is required for the supervisory activity of the foreign financial market supervisory authority. This includes in particular information on whether an institution throughout its group structure:

a. is appropriately organised;

b. records, limits and monitors in an appropriate manner the risks inherent in its business operations;

c. is managed by persons who guarantee proper business conduct;

d. fulfils the own funds and risk diversification regulations on a consolidated basis; and

e. properly complies with its reporting duties vis-à-vis the supervisory authorities.  

 


3bis If during direct audits in Switzerland foreign financial market supervisory authorities wish to consult information linked directly or indirectly to the asset management, securities trading or deposit business for individual clients, FINMA shall collect this information itself and transmit it to the requesting authorities. The same applies to information which directly or indirectly relates to individual investors in collective investment schemes. Article 42a applies.

3ter FINMA may, for the purposes detailed in paragraph 3, allow the foreign financial market supervisory authority which is responsible for the consolidated supervision of the audited supervised party to consult a limited number of individual client dossiers. The dossiers must be selected randomly on the basis of predefined criteria.

4 FINMA may accompany the foreign authorities responsible for financial market supervision on their direct audits in Switzerland or arrange for them to be accompanied by an audit company or an audit agent. The supervised persons and entities concerned may request such accompaniment.

5 Establishments organised under Swiss law must provide the foreign financial market supervisory authorities and FINMA with the information required to carry out the direct audits or the information that FINMA requires to provide the administrative assistance, and must permit the inspection of their books.

6 Establishments are defined as:

a. subsidiaries, branch offices and representative offices of supervised persons and entities or of foreign institutions; and

b. other companies, provided their activity is included by a financial market supervisory authority in the consolidated supervision."

 

Swiss criminal code of December 21, 1937

" Article 271

1.  Any person who carries out activities on behalf of a foreign state on Swiss territory without lawful authority, where such activities are the responsibility of a public authority or public official,

any person who carries out such activities for a foreign party or organisation,

any person who facilitates such activities,

shall be liable to a custodial sentence not exceeding three years or to a monetary penalty, or in serious cases to a custodial sentence of not less than one year.  

2.  Any person who abducts another by using violence, false pretences or threats and takes him abroad in order to hand him over to a foreign authority, party or other organisation or to expose him to a danger to life or limb shall be liable to a custodial sentence of not less than one year.

 


3.  Any person who makes preparations for such an abduction shall be liable to a custodial sentence or to a monetary penalty."

 

 

* * * * *

 



   

UBS AG Australia Branch
The Chifley Tower
2 Chifley Square
Sydney
NSW 2000

Allen & Overy
Level 25
85 Castlereagh Street
Sydney NSW 2000
Australia

PO Box A2498
Sydney South NSW 1235
Australia

Tel +61 (0)2 9373 7700
Fax +61 (0)2 9373 7710

One Bishops Square
London
E1 6AD
United Kingdom

Tel +44 (0)20 3088 0000
Fax +44 (0)20 3088 0088

Janna.Tay@allenovery.com

Our ref 0036335-0000808

20 October 2021

Dear Sir or Madam

UBS Australia Branch SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG (UBS), a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD¹ such as UBS must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:

(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 and 3.4 (Covered Books and Records); and

(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).

1.3 UBS will maintain certain Covered Books and Records in its Australia Branch (UBSAB), which is authorised in Australia.

1.4 You have asked us to issue an opinion affirming that UBSAB will be able to provide the SEC with prompt access to its books and records and submit to On-Site Inspection by the SEC in accordance with paragraph 1.2 above.

¹ In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS is incorporated in Switzerland, UBS fulfils this definition of a “non-resident” SBSD.

Allen & Overy is affiliated with Allen & Overy LLP, a limited liability partnership registered in England and Wales with registered office at One Bishops Square London E1 6AD. Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
1.5 This opinion is structured as follows:

(a) Section 2: summary of opinion;

(b) Section 3: scope, assumptions and qualifications;

(c) Section 4: revisions to applicable law;

(d) Section 5: reliance and confidentiality;

(e) Annex 1: Opinion; and

(f) Annex 2: Assumptions.

1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBSAB, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that:

2.1 UBSAB can, as a matter of applicable Australian law, submit to On-Site Inspection by the SEC. There is no restriction on UBSAB submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBSAB’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Australia and the ability to provide the SEC with prompt access to Covered Books and Records.

2.2 UBSAB can, as a matter of applicable Australian law, provide the SEC with prompt access to Covered Books and Records held by UBSAB in Australia².

Disclosure of personal information³
 
2.3 Disclosures of personal information (particularly sensitive information) relating to UBSAB’s clients and staff are subject to certain restrictions under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) (collectively, the Australian privacy framework), particularly where this involves a cross-border transfer of personal information to a jurisdiction outside of Australia.

2.4 We anticipate that UBSAB may have to obtain the consent of individuals to enable disclosure of the Covered Books and Records to the SEC and to permit On-Site Inspection, and our view in this regard is that the UBSAB Privacy and Credit Reporting Policy Australia dated 2 April 2020⁴ (UBS Australian Privacy Policy) already enables UBSAB to obtain that consent in accordance with the Australian privacy framework, and there should not be any issues in disclosing any personal information that may be contained in the Covered Books and Records to the SEC (also see paragraph 1.14 of Annex 1). Alternatively, if this is not possible, UBSAB may have to fall within exceptions under the APPs. It is also likely that Australian law will require an employer, such as UBSAB, to obtain the consent of its employees to disclose any of their personal information to the SEC.

² Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption

³ Please refer to section of for definitions of the Privacy Act, the APPs, personal information, and sensitive information.

⁴ The UBS Privacy and Credit Reporting Policy Australia dated 2 April 2020 that can be accessed at https://www.ubs.com/global/en/legal/privacy/australia/_jcr_content/mainpar/toplevelgrid/col1/linklist/link_658648610.1183479955.file/bGluay9wYXRoPS9jb250ZW50L2RhbS9hc3NldHMvY2MvZ2xvYmFsL2xlZ2FsL2RvYy9wcml2YWN5LW5vdGljZS9jbGllbnQtcHJpdmFjeS1ub3RpY2UtZW4tYXVzdHJhbGlhLnBkZg==/client-privacy-notice-en-australia.pdf.

0036335-0000808 UKO1: 2005347595.6
 
2.5 As disclosure to the SEC involves a cross-border transfer, UBSAB will also have to satisfy the requirements for overseas disclosure of the personal information. UBSAB may have to take reasonable steps to ensure that the SEC does not breach the APPs in relation to that information. This is typically satisfied by way of a contractual arrangement entered into by UBSAB and the SEC which requires the SEC to handle the personal information in accordance with the APPs. However, this will not be necessary if UBSAB can rely on independent legal advice that establishes that the SEC is subject to a law or binding scheme similar to the APPs, or if it obtains the consent of individuals in accordance with the Australian privacy framework (see our analysis in paragraph 2.4 above and paragraph 1.14 of Annex 1).
 
Common law duties of confidentiality

2.6 The general duty of confidentiality applies to information communicated in circumstances indicating it is confidential. The banker’s duty of confidentiality arises due to the nature of the relationship between a banker and his or her customer (and this duty does not apply to information held or controlled by UBSAB that relates to any person other than its customers).

2.7 Disclosure with consent, or under another recognised exception, would not amount to a breach of these legal duties. For example, confidential information can be disclosed with the express consent of the person to whom such information relates.

2.8 We note that there are other exceptions to the duty of confidentiality such as where disclosure is in the public interest. However, there must be compelling public interest reasons for the disclosure as the threshold is generally understood to be very high. It may also be possible, where the information held regards clients, to rely on the bank’s own interest exception to the banker’s (but not the general) duty of confidentiality, though this requires a case-by-case balancing of the competing factors in favour of each of the bank and the Rights Holder. Considering the uncertainty and high bar to meet for disclosure in the public interest or bank’s own interest, it is advisable to seek express consent to disclosure as this would establish a greater degree of certainty that the disclosure is made in accordance with the duties of confidentiality.

2.9 These duties of confidentiality will not apply to any information contained in the Covered Books and Records or to On-Site Inspection insofar as information made available to the SEC is owned by or relates to UBSAB itself, rather than by or to UBSAB’s clients or, in the case of the general duty only, third parties or its staff.

2.10 There is generally no legal duty of mutual confidence implied into contracts of employment within Australia.

Privacy and Human Rights

2.11 Australia does not have a statutory or constitutional framework of human rights, and most civil and political rights of individuals under Australian law are found within the common law as well as specific pieces of legislation. In this regard, the Australian privacy framework, which sets out a framework for the processing of the personal information of individuals within Australia, can also be taken to be the framework that provides individuals in Australia with a “right” to privacy.

2.12 Although Australia has signed, ratified, and supports a number of international treaties containing rights against unlawful interference to privacy, these have no direct bearing on Australian domestic law in respect of privacy.

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC of Covered Books and Records held by UBSAB in Australia and On-Site Inspection of UBSAB by the SEC in Australia. This opinion applies equally to remote access from the US to Covered Books and Records held in Australia. This opinion excludes books and records held in the US.

3.2 This opinion has been prepared in accordance with UBS’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. We are instructed that Covered Books and Records include only those books and records which:

(a) relate to the US business⁵ of the non-resident SBSD.⁶ These are the records that relate to an SBS that is either:

(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)⁷ (US Person) (other than an SBS conducted through a foreign branch of such US Person);⁸ or

(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the US (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;⁹ or

(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.¹⁰

3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.6 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.7 No opinion is expressed on matters of fact.
 
⁵ As defined in 17 CFR §240.3a71-3(a)(8).

⁶ Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).

⁷ A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

⁸ A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States” (17 CFR § 240.3a71-3(a)(3)(i)).

⁹ 17 CFR § 240.3a71-3(a)(8)(i)(B).

¹⁰ The requirement set out in this paragraph does not apply to UBSAB because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBSAB has a prudential regulator – please see the assumptions set out in
 
4. REVISIONS TO APPLICABLE LAW

4.1 We are instructed that the SEC rules¹¹ require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:

(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;

(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or

(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, we are instructed that the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of Australia in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:

(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and

(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisers (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
Yours faithfully,

Allen & Overy

¹¹ 17 CFR § 240.15Fb2-4(c)(2).
 
ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The Australian privacy framework will apply to UBSAB’s proposed disclosure of the Covered Books and Records to the SEC to the extent that these comprise or contain personal information, and the APPs will apply to the extent that UBSAB is an “APP entity”.¹²

1.2 Personal information is information or an opinion relating to an identified or a reasonably identifiable individual, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.¹³ As such, it may extend to information on UBSAB staff as well as clients. The Privacy Act explicitly recognises a number of different types of information as personal information, but information does not require explicit recognition to constitute personal information under the Privacy Act.

1.3 Under the Privacy Act, a higher level of protection applies for personal information that is sensitive information – sensitive information is personal information that reveals the racial or ethnic background, political opinions or associations, religious or philosophical beliefs, trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation, and criminal records of individuals. As sensitive information is less likely to be relevant in the context of UBSAB’s disclosures to the SEC, the laws applicable to this data have not been considered in any material detail in this opinion.

1.4 Key restrictions in the Australian privacy framework relating to UBSAB’s ability to disclose personal data to the SEC are set out below. We further note that data (including personal information) cannot be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please also see section 2 below).
 
Collection, use and disclosure of personal information under the Australian privacy framework

1.5 UBSAB must comply with the Privacy Act generally, as well as APP 3, APP 6 and APP 8 in particular, in respect of any proposed disclosure of personal information by UBSAB to the SEC. It should also be noted that while compliance with APP 3, APP 6 and APP 8 (as well as the Australian privacy framework generally) is required by UBS if it wishes to disclose personal information to the SEC, none of the individual APPs on its own is so comprehensive as to cover all disclosures of personal information (including the disclosure of personal information to the SEC), and UBSAB will need to consider the most appropriate legal basis to apply to any given situation.

1.6 The APPs are set out in Schedule 1 to the Privacy Act, and they constitute a crucial aspect of the Australian privacy framework’s data protection principles. The APPs govern the standards, rights, and obligations regarding: the collection, use, and disclosure of personal information; the governance and accountability of APP entities; the integrity and correction of personal information; and the rights that individuals have to access their information.

1.7 The legal bases of APP 3, APP 6 and APP 8 are as follows:

(a) APP 3 – an APP entity can only solicit and collect personal information where it is reasonably necessary for the APP’s functions or activities, and the APP entity must collect that personal information directly from the individual (subject to exceptions) by lawful and fair means;
 
 
¹² An APP entity is defined under the Privacy Act to be an agency organisation, including a body corporate, that has an annual turnover of over AUD3,000,000 in a financial year. We have assumed at Assumption that UBSAB is an APP entity.

¹³ Section 6 of the Privacy Act.
 
(b) APP 6 – an APP entity may use or disclose personal information that it holds only for the purpose that it was collected, as detailed below, unless an exception applies; and

(c) APP 8 – an APP entity must take certain steps to protect personal information before it is disclosed overseas, the intent being that the APP entity must endeavour to ensure that the personal information will receive a level of protection equivalent to that provided under the Australian privacy framework.
 
1.8 An APP entity like UBSAB can only collect personal information directly from individuals which is reasonably necessary for one or more of the APP entity’s functions or activities¹⁴ – in the case of UBSAB, it is arguable that the compliance with its contractual and regulatory obligations under law is part of UBSAB’s functions or activities. As such, subject to UBSAB’s compliance with the Australian privacy framework (including in particular APP 6 and APP 8, as set out in more detail below), there does not appear to be any issue if UBSAB is collecting personal information from individuals if it is for regulatory compliance.

1.9 Pursuant to APP 6, an APP entity like UBSAB can only use or disclose personal information about an individual for the purpose that it was collected (this is also referred to as the primary purpose), and generally, for no other purpose, unless an exception applies – the purpose of APP 6 is intended to ensure that APP entities will only use and disclose an individual’s personal information for only the purposes for which an individual would expect his or her personal information to be used or disclosed. In UBSAB’s case, assuming that UBSAB has a comprehensive privacy policy that sets out that UBSAB’s regulatory obligations are for a purpose for which an individual’s personal information will be used and/or disclosed, there does not appear to be any issue with UBSAB’s proposed disclosure of information in the Covered Books and Records (including personal information) to the SEC.
 
1.10 It should also be noted that even if the disclosure of information in the Covered Books and Records (including personal information) to the SEC is not considered a primary purpose, UBSAB could still disclose such information to the SEC if an individual consents to such a disclosure – in this regard, the main elements of establishing valid consent under the Australian privacy framework are that the:

(a) individual is adequately informed before giving consent;

(b) individual gives consent voluntarily;

(c) consent is current and specific; and

(d) individual has the capacity to understand and communicate his or her consent.

Specifically, UBSAB must ensure that the consent given is specific to the disclosure of personal information to a foreign regulator for the purposes of assessing UBSAB for compliance.
 
Cross-border transfer of personal information
 
1.11 APP 8 requires APP entities such as UBSAB to, prior to disclosure of any personal information to an overseas recipient, take “reasonable steps” to ensure that the overseas recipient handles the personal information in accordance with the Australian privacy framework, and does not breach the Australian privacy framework. It should also be noted that, under the Australian privacy framework, the APP entity remains accountable for an act or practice of the overseas recipient.
 
1.12 The requirement of taking “reasonable steps” under APP 8 typically entails an APP entity entering into an enforceable contractual arrangement with the overseas recipient that requires the overseas recipient to handle personal information in accordance with the Australian privacy framework.
 
 
 
14 APP 3.1.
 
 
0036335-0000808 UKO1: 2005347595.6
 
 
8
 
1.13 However, APP 8 also allows for the fact that it may be difficult for an APP entity like UBSAB to enter into an enforceable contractual arrangement with an entity such as the SEC (especially given that the SEC is a public regulatory authority in the US) and, as such, APP 8 also provides that if individuals consent to an APP entity like UBSAB disclosing their personal information to an overseas recipient like the SEC, then UBSAB will be able to do so without contravening APP 8, noting that in order to ensure that the consent provided by individuals under APP 8 is valid,[15] UBSAB will have to:

(a) expressly and clearly inform the individual, by providing either an oral or written statement, that if he or she consents to UBSAB disclosing his or her personal information to the SEC, UBSAB will not be accountable under the Privacy Act, and that the individual will not be able to seek redress under the Australian privacy framework; and
(b) ensure that any such statement:
(i) be made at the time consent is sought (and that UBSAB is not relying on assumed prior knowledge of the individual); and
(ii) also explains the practical effect and risks associated with the disclosure of information to the SEC, including (without limitation) that the:
(A) SEC is subject to US law that could compel the disclosure of personal information to a third party, such as an overseas authority;
(B) SEC may not be subject to any privacy obligations or to any principles similar to those set out in the Australian privacy framework; and
(C) individual may not be able to seek redress in the US.
 
Consent under the Australian privacy framework
1.14 In respect of the consent outlined in paragraphs 1.10 and 1.13 (and under the Australian privacy framework generally), we have assumed at Assumption 12 that at the point in time that UBSAB is engaged by its customers who are individuals, such individuals would have been required to execute comprehensive UBSAB data protection and privacy documents (including accepting all the terms of the UBS Australian Privacy Policy):

(a) within which such individuals declare that, in accordance with the Australian privacy framework, they consent to UBS, amongst other things, disclosing their personal information to a foreign regulator like the SEC (as set out in section 7 of the UBS Australian Privacy Policy); and
(b) that also broadly ensure that the requirements of the Australian privacy framework are satisfied by UBSAB.
 
 
15 Generally, consent must be informed, voluntary, current and specific, and given by an individual with the capacity to give consent. In addition to express consent as set out in the body of the Opinion, the Australian privacy framework recognises implied consent. An APP entity does not need express consent from an individual to handle his or her non-sensitive personal information, but it must reasonably believe that it has his or her implied consent. This is where consent may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity. This is typically achieved by way of presenting the individual with an opt-out option to the APP entity’s disclosure of his or her personal information for another purpose, and allowing a period of time for the exercise of that option. The design and conditions of the option must still ensure that consent given is informed.
 
 
 
Data protection principles
1.15 In addition to establishing a legal basis for the disclosure, UBSAB would need to ensure that its disclosures are compliant with the other requirements of the Australian privacy framework – for example, UBSAB should:

(a) ensure that it only discloses personal information that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(b) take reasonable steps to ensure that the personal information is accurate, up-to-date, complete, and relevant;[16]
(c) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(d) take active measures to ensure that the security of the personal information is maintained, and as such, implement appropriate security measures to protect the personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.[17]
 
2. COMMON LAW DUTIES OF CONFIDENTIALITY
2.1 The general and banker’s duties of confidentiality are distinct duties. However, the case law on each duty informs the approach to the other, with the banker’s duty existing in acknowledgement of the specific circumstances that arise as between a bank and its customers. Given the common law position on these duties is largely aligned and noting further that Australian courts may also consider decisions made in other common law jurisdictions (including England and Wales) in arriving at their decisions, these are dealt with together here.
2.2 Where the Covered Books and Records do not contain any relevant forms of information which attract a duty of confidentiality, and it is likely that many aspects of the information required will not (e.g. transaction data such as volumes and prices), these duties of confidentiality will not apply.
Scope of duties
2.3 The general duty of confidentiality imposes obligations of confidence upon the recipient of information if the following conditions are satisfied:[18]

(a) the information in question must be identified with specificity and generally, non-specific ideas are not protected under the general duty of confidentiality;[19]
(b) the information must have the ‘necessary quality of confidence’; information that is ‘public property and public knowledge’ cannot be protected;[20]
(c) it must have been received by the recipient in circumstances importing an obligation of confidence (i.e. the recipient of the information knows or ought to know that the restrictions have been placed upon the use of the information);[21] and
(d) there must be an actual or threatened misuse of the information without the confider’s consent and the receiver of information will still be liable even if the unauthorised use was unintentional.[22]

16 APP 10.2.
17 APP 11.1.
18 Optus Networks Pty Ltd v Telstra Corporation Ltd (2010) 265 ALR 281 at 290.
19 O’Brien v Komesaroff (1982) 150 CLR 310.
20 Saltman Engineering Co Ltd v Campbell Engineering Co Ltd (1948) RPC 230 at 215.
21 Smith Kline & French Laboratories (Aust) Ltd v Secretary, Dept of Community Services and Health (1990) 22 FCR 73 at 87.
 
2.4 As the information contained in the Covered Books and Records is not publicly available, it is likely to possess this necessary quality of confidence insofar as that information relates to a third party or UBSAB’s clients or staff and is not information owned by or relating to UBSAB itself. Where, and to the extent that, the Covered Books and Records concern information of a third party or customer information, this would likely satisfy the requirement that the Recipient knew or ought to have known that the information was to be treated confidentially.
 
2.5 The common law banker’s duty of banker-customer confidentiality is established by Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 (Tournier) which has been widely referred to in Australia. Under the bank-customer duty of confidentiality, banks, such as UBSAB, must keep their customers’ affairs private[23] – in this respect, the general duty is broader than the banker’s duty as the general duty extends to benefit others, such as UBSAB’s staff.

(a) The scope of the duty is wide – as Atkin LJ outlined in the judgment: “It [the duty of confidentiality] clearly goes beyond the state of the account, that is, whether there is a debit or credit balance, and the amount of the balance. It must extend at least to all the transactions that go through the account, and to the securities, if any, given in respect of the account”.[24]
(b) The temporal scope of the banker’s duty is also wide. Atkin LJ judged that the banker’s duty of confidentiality “extend[s] beyond the point when the account is closed, or cease[s] to be an active account”,[25] and this duty also extends to cover disclosures from one banking entity to another within the same corporate group.[26]
 
2.6 No distinction is drawn in the case law on either of the general or banker’s duties regarding the nature of the person to whom the duty is owed – i.e. a natural or a legal person – and so we consider that the duties apply equally to any person irrespective of its legal status.
 
Unauthorised disclosure
2.7 A successful claim for breach of confidentiality must demonstrate that there has been an unauthorised use of confidential information to the Rights Holder.[27]
 
2.8 For those Covered Books and Records that contain customer, which is unlikely to include all Covered Books and Records, these duties of confidentiality will apply and so UBSAB will only be able to disclose Covered Books and Records containing confidential information in un-redacted form where one of the exceptions below is met.
2.9 Tournier established four exceptions to the banker’s duty of confidentiality,[28] the first three of which apply equally to the general duty of confidentiality:

(a) where the disclosure is made by the express or implied consent of the customer;[29]
(b) under compulsion of law;
(c) where the disclosure is in the public interest; or
(d) for the banker’s duty of confidentiality only, where it is in the interests of the bank to make disclosure.

22 Talbot v General Television Corporation Pty Ltd [1980] VR 224 at 239.
23 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 473; Smorgon v FCT (1976) 134 CLR 475 at 487; Brighton v Australia and New Zealand Banking Group Ltd [2011] NSWCA 152.
24 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
25 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
26 Bank of Tokyo Ltd v Karoon [1987] 1 AC 45 at 54.
27 Megarry J in Coco v A Clark (Engineers) Ltd [1968] F.S.R. 415 at 421; Optus Networks Pty Ltd v Telstra Corporation Ltd (2010) 265 ALR 281 at 290.
28 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473.
29 For the general duty of confidentiality: this was confirmed in B v Brisbane North Regional Health Authority (1994) 1 QAR 279 at 105.
Consent
2.10 Disclosure of confidential information is permissible where the Rights Holder[30] has given its consent to the disclosure[31] of its confidential information.[32]
 
Compulsion of law
2.11 Information that would otherwise be confidential may be disclosed when required by a statutory provision[33] or court order.[34]
 
2.12 To satisfy this compulsion of law exception it is likely that UBSAB would have to rely on an Australian statute or court order[35] – a provision of US law, such as an SEC Rule, is unlikely to be sufficient for this purpose.

(a) While there are numerous statutory provisions that require the disclosure of information that would otherwise be confidential,[36] none applies directly to this situation.
(b) We are not aware of any Australian statute or case law which would require disclosure of information to a foreign regulatory authority.[37]
(c) Equally, a US court order is also unlikely to be sufficient for this purpose: it was held in X AG and others v A bank [1983] 2 All ER at 475 that a subpoena requiring disclosure issued by a foreign court did not qualify as compulsion by law on the basis that “[t]he fact is that confidentiality is not rendered illegal by a subpoena requiring disclosure, which is to be contrasted with some form of legislation to that end”.[38]

30 Where the banker’s duty of confidentiality applies this will be the customer.

31 Due to the overlap between bank confidentiality, the Privacy Act, and other data protection laws (as discussed in paragraph ), it would be advisable to clarify when obtaining consent that another, separate, legal basis applied to the processing of the personal information under data protection laws.

32 While it is possible to rely on implied consent, there is likely to be a high bar to meet in order to do so. In Turner v Royal Bank of Scotland Plc [1999] 2 All E.R, regarding the banker’s duty of confidentiality, it was decided that established market practice of sharing of customer information between banks (which practice was generally known only to the banks themselves) did not amount to implied consent of the customer as this practice was not known by the customer. To amount to implied consent, the practice under which disclosure is made must be “notorious, certain and reasonable” (Turner v Royal Bank of Scotland Plc [1999] 2 All E.R 664 at 670, Sir Richard Scott VC quoting from Chitty on Contracts (27th edn, 1994), vol I, para 13-014). It remains unclear how Australian courts will decide on the implied consent but it is normal practice to rely on the express consent. The practice of sharing information with local regulators in order to enable banking business to be conducted within the relevant local jurisdiction is, in our experience, well established such that it might be considered “notorious, certain and reasonable”. In this context, it is possible that much of the information contained in the Covered Books and Records would be information of a sort that customers (and particularly more sophisticated customers of the kind that would normally be offered services by UBSAB in respect of SBSs) may expect would be shared with the SEC. In part, the ability to rely on implied consent will depend on the information provided to customers when UBSAB provides services in SBSs. If no information about the jurisdiction or regulators involved is provided then UBSAB would rely on the customer’s own understanding of regulatory obligations on banks, the US nexus and the SEC’s role in these services. Conversely, if customers are informed that UBSAB’s activity in SBSs is conducted on a cross-border basis into the US and is subject to oversight by the SEC then the ability to rely on implied consent increases. Similarly, if customers are informed that detailed information on all aspects of UBSAB’s activity in SBSs is subject to examination by the SEC then the ability to rely on implied consent increases further still.

33 See the example given by Bankes LJ in Tournier v National Provincial & Union Bank [1924] 1 K.B 461 at 473 of the Bankers’ Books Evidence Act 1879.

34 For the general duty of confidentiality: eg courts may order that confidential documents be provided in the discovery process, as confirmed in Campbell v Tameside Metropolitan Borough Council [1982] QB 1065. For the banker’s duty of confidentiality: X AG and others v A bank [1983] 2 All ER at 475.

35 We think the greater weight of judicial authority supports this view. See for example FDC Co Ltd v Chase Manhattan Bank NA [1990] 1 HKLR 277, 283 (Sir Alan Huggins VP), 292 (Silke JA). See also Sir Lawrence Collins, ‘Choice of Law and Choice of Jurisdiction in International Securities Transactions’ (2001) 5 Singapore Journal of International and Comparative Law 618. According to the leading decision in Joachimson v Swiss Bank Corporation [1921] 3 KB 110, a bank account is located at the place where the records of the account are kept.

36 For example, banks as reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) may be compelled to disclose information about their customers to the Australian Transaction Reports and Analysis Centre. Disclosure in this circumstance would be an authorised use and as such would not constitute a breach of confidence.

37 While various Australian statutes require disclosures and specifically provide for the obligation under these statutes to take priority over the duty of confidentiality, there is no basis for disclosure of confidential information to be based on compulsion of foreign law. However, the Australian Securities & Investments Commission (ASIC) works closely with a range of international organisations, foreign regulators and law enforcement agencies (including the SEC). ASIC makes and receives international requests in relation to investigations, compliance and surveillance, delegations and licensing/due diligence and general referrals. Many international organisations and foreign regulators make requests for assistance under international cooperation agreements including the IOSCO Multilateral Memorandum of Understanding and other bilateral Memoranda of Understanding; where authorised, ASIC uses the Mutual Assistance In Business Regulation Act 1992 to exercise compulsory powers to obtain documents, information or testimony on behalf of foreign regulators.
 
Public interest
2.13 Determining whether the public interest exception applies requires a balance to be struck between the rights of the Rights Holders and the public interest in the SEC obtaining that information.[39] The test to be applied when considering whether confidentiality should be breached in favour of freedom of expression is whether, in all the circumstances, it is in the public interest that the duty of confidence should be breached.[40]
 
2.14 Disclosure in the public interest has been narrowly construed by the Australian courts, and the burden is for UBSAB to justify disclosure of confidential information[41] (rather than for e.g. a customer to justify continued confidentiality). The general position is that voluntary disclosure, including in relation to disclosures to the police in respect of suspicions of criminal activity, would breach the duty of confidence other than as permitted under statute,[42] indicating that there is a high bar to be met when arguing that a disclosure was made lawfully in pursuit of a greater public interest. Bankes LJ suggested in Tournier that national security concerns would meet this criterion,[43] while Atkin LJ gave the example of disclosure in the interest of preventing fraud or crime.[44]
 
2.15 There are also cases which draw a distinction between disclosing information to prevent “frauds or crimes” versus disclosure of past criminal conduct. The courts in Australia have held that the former case does authorise the disclosure of confidential information, but the latter case does not.[45] However, there is some precedent for public interest in effective regulation and supervision of banking institutions outweighing the public interest in maintaining confidentiality.[46]
 
 
2.16 We think there is significant uncertainty about the scope of the public interest exception to confidentiality. While disclosing information to prevent a crime or a fraud does seem to be generally accepted as overriding the public interest in confidentiality, it is unclear how far the exception extends beyond this principle. Therefore we think any decision to disclose confidential information in reliance on the public interest exception is likely to require a specific examination of the facts and circumstances of each case. Given the narrow and uncertain scope of this exception, we do not think this exception is likely to provide a consistent basis on which UBSAB may rely in order to disclose information to the SEC.
 
38 While both X AG and others v A Bank [1983] All ER 464 and in A v B Bank Unreported, 13 August 1990 (see Hirst J’s judgment in the subsequent case of A and Others v B Bank v (Governor and Company of the Bank of England intervening) [1992] 3 WLR 705). While these are banker’s duty of confidentiality cases, a more general application of the principles can still likely be used. For the general duty of confidentiality: eg courts may order that confidential documents be provided in the discovery process, as confirmed in Campbell v Tameside Metropolitan Borough Council [1982] QB 1065.

39 Spelman v Express Newspapers [2012] EWHC 355 (QB) at [44]-[52].

40 Prince of Wales v Associated Newspapers Ltd (CA) [2007] 3 WLR at 68. In the context of that case, it is relevant that the test is not simply whether the information is a matter of public interest, as, unlike disclosure to the SEC, that case involves public dissemination of information. There is High Court dictum supporting that a public interest exception would be available in an action for breach of the general duty of confidence: Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, 244 per Gleeson CJ citing with approval Hellewell v Chief Constable of Derbyshire [1995] 4 All ER 473, 476 per Laws J. Furthermore, information concerning matters of ‘iniquity in the sense of a crime, civil wrong or serious misdeed of public importance’ will be treated in Australia as lacking the necessary quality of confidence required for protection, so that the need for an exception of public interests will not arise: Corrs Pavey Whiting & Byrne v Collector of Customs (1987) 74 ALR 428, 250 per Gummow J.

41 Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 597.

42 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 474.

43 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473 where Bankes LJ quotes Lord Finlay’s judgment in Weld-Blundell v Stephens [1920] A.C. 956 at 965 where “danger to the state” was given as an example where an exception could be made to the duty of confidentiality.

44 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 486.

45 Bodnar v Townsend (2003) 12 Tas R 232; Kelly v Hawkesbury Two Pty Ltd (No 3) (Unreported, Supreme Court of New South Wales, Young J, 26 November 1987); see also Brown’s Trustees v Hay (1898) 35 SLR 877, 880.

46 Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 596 and 601.
 
 
In the interests of the bank
2.17 In limited cases, disclosure of confidential information that is subject to the banker’s duty of confidentiality may be permissible where it is in the interests of the bank. This exception does not apply to information that is subject to the general duty of confidentiality. However, we consider that this exception is available to information that is subject to both such duties, leaving only information that does not relate to customers (eg information relating to staff) beyond the scope of this exception.
 
2.18 It is clearly in the interests of UBSAB to comply with the SEC’s requests. However, the majority of case law on this exception points to there being a high bar to meet.
 
2.19 In X AG and others v A Bank [1983] All ER 464 it was held that a bank could not comply with a subpoena from a New York court without breaching its duty of confidentiality. However, in considering arguments based on the banker’s own interest, Leggatt J judged that it was not clearly in the bank’s own interests to comply with the subpoena, as the bank would not, as a matter of fact in that particular case, face any serious detriment for its failure to comply.[47] In contrast, Bankes LJ gave the example in Tournier of a bank commencing an action against a customer where the customer’s overdraft is in arrears, acknowledging that, in that situation, the banker would be able to disclose the amount of the overdraft in its claim. These cases suggest that the bank’s own interest exception will be construed narrowly and the court will take a view on whether the bank’s own interests are genuinely threatened by non-disclosure. In the context of requests by the SEC, it is assumed that failure to comply could result in enforcement action and potentially even the cessation of UBSAB’s ability to conduct SBS business in US markets. Accordingly, it is expected that UBSAB may face serious detriment for a failure to comply with the SEC’s demands, and so this exception may be available to UBSAB.
2.20 However, to rely on this exception, UBSAB must balance its interests in complying with the SEC’s disclosure request against the competing interest of its customers in the banker’s duty of confidence being maintained, and UBSAB must satisfy itself that those interests do not outweigh its own. This would need to be assessed on a case-by-case basis and we think the only clear situation in which a bank may disclose customer information based on its own interests is to take enforcement action or participate in litigation where this information is required. Given the narrow and uncertain scope of this exception, we do not think this exception is likely to provide a consistent basis on which UBSAB may rely in order to disclose information to the SEC.
Employment law and confidentiality in Australia
2.21 In Australia, there is no legal duty of mutual confidence implied into contracts of employment. While UK cases such as Malik v Bank of Credit and Commercial International SA (In Compulsory Liquidation) held there is such a duty (albeit limited to conduct that is calculated to destroy or seriously damage the relationship of trust and confidence), in 2014 the High Court of Australia reviewed that decision (among others) and determined that no such duty exists in Australia. See Commonwealth Bank of Australia v Barker [2014] HCA 32.
2.22 Employers are, however, required to deal with the personal information of employees in accordance with the Privacy Act – legislation will not apply if the information is of a certain type and is being used for a purpose directly related to the employment relationship. This is known as the ‘employee records exemption’. This exemption is unlikely to apply to employees’ personal information being provided to a foreign government regulator. Accordingly, it is likely that employees’ consent will be required. Employers which employ staff in Australia which are also operating in the US will often obtain that consent by way of an express clause in each employee’s employment contract.
 
47 X AG and others v A bank [1983] 2 All ER at 475.
 
3. PRIVACY AND HUMAN RIGHTS
Right to privacy
3.1 Australia does not have a statutory or constitutional framework of human rights, and most civil and political rights of individuals under Australian law are found within the common law as well as specific pieces of legislation. The right to privacy in Australia is set out in the Australian privacy framework.
International law
 
3.2 Australia is a signatory to, has ratified, and supports a number of international treaties that enshrine human rights and civil and political rights, including the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration of Human Rights (UDHR), and while these international treaties do recognise that individuals have a right against unlawful interference with one’s privacy, it should be noted that:

(a) the UDHR is not a binding international treaty, and does not have the force of law in Australia; and
(b) Australia never formally ratified and adopted the provisions of the ICCPR into the body of Australian law.
 
3.3 In order for the obligations set out in any international treaty to apply in Australia, the Australian Parliament has to pass legislation that adopts such obligations and gives such international obligations the force of law in Australia, and Australia has not passed any legislation that seeks to give the rights outlined in international treaties such as the UDHR and the ICCPR the force of law in Australia.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. We are instructed that UBS AG, including UBSAB, has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
2. Additionally, we are instructed that in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBSAB submits an application for registration are not Covered Books and Records.
 
3. UBSAB has obtained any necessary prior consent of the persons (e.g. counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBSAB, such employees are “associated persons” of UBS for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.

4. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
5. Similarly, UBSAB will ensure that its disclosures are compliant with the data protection principles as set out in the Australian privacy framework.[48] We understand that UBSAB’s general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBSAB can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[49]

6. It is the SEC’s practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some sensitive information under the Privacy Act (as described in paragraph 1.3 of Annex 1 to this opinion). We understand that this aligns with UBSAB’s general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).[50]

[48] These principles are set out in at section
[49] See the SEC Guidance at 85 FR 6298.
[50] See the SEC Guidance at 85 FR 6298.
 
7. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward-shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[51] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.

8. UBSAB is an APP entity as defined under the Privacy Act.

9. UBSAB has a comprehensive privacy policy that sets out that UBSAB’s regulatory obligations are for a purpose for which an individual’s personal information will be used and/or disclosed.

10. At each point in time that UBSAB is engaged (i.e. at on-boarding) by its customers who are individuals, such individuals would have been required to execute comprehensive UBSAB data protection and privacy documents (including accepting all the terms of the UBS Australian Privacy Policy):
(a) within which such individuals declare that, in accordance with the Australian privacy framework, they consent to UBS, amongst other things, disclosing their personal information to a foreign regulator like the SEC (as set out in section 7 of the UBS Australian Privacy Policy); and
(b) that also ensure that the requirements of the Australian privacy framework are satisfied by UBSAB.

[51] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (a) a trade secret or privileged or confidential commercial or financial information obtained from a person; (b) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (c) information compiled for law enforcement purposes, the release of which: (i) could reasonably be expected to interfere with law enforcement proceedings; (ii) would deprive a person of a right to a fair trial or an impartial adjudication; (iii) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (iv) could reasonably be expected to disclose the identity of a confidential source; (v) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (vi) could reasonably be expected to endanger an individual’s life or physical safety; and (d) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.

Privileged and Confidential
 
 
 
 
MEMORANDUM

To: UBS AG

From: Daisuke Tanimoto
Mina Obu
Anderson Mori & Tomotsune

Re: Advice on legal issues regarding access to books and records and on-site inspections by the SEC to UBS Securities Japan Co., Ltd.

Date: October 19, 2021

This memorandum addresses your queries regarding the issues that may arise in connection with the potential inspection of UBS Securities Japan Co., Ltd. (“USJ”) by the United States (US) Securities and Exchange Commission (SEC) in Japan.
 
1. BACKGROUND AND ASSUMPTIONS

1.1 We understand that UBS AG (UBS), a bank authorised in Switzerland, is seeking to register with the SEC as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD[1], such as UBS, must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 to 3.5 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).

1.3 SBS transactions involving staff located in Japan will be concluded by staff of USJ, which is incorporated in Japan and authorised to engage in a financial instrument business based on the registration as a Financial Instrument Business Operator (the “FIBO”)[2] under the Financial Instruments and Exchange Act (as amended, the “FIEA”). Accordingly, UBS will maintain certain Covered Books and Records in USJ.

[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS is incorporated in Switzerland, UBS fulfils this definition of a “non-resident” SBSD.
[2] USJ is registered as a Type-I FIBO, Type-II FIBO and Investment Management Business Operator (as defined under Article 28 (1), (2) and (4) of the FIEA).
 
1.4 You have asked us to issue an opinion affirming that USJ will be able to provide the SEC with prompt access to its books and records and submit to On-Site Inspection by the SEC in accordance with paragraph

1.5 This opinion is structured as follows:
(a) Section : ;
(b) Section : ;
(c) Section :
(d) Section :
(e) : Opinion; and
(f) : Assumptions.

1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case USJ, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below, it is our opinion that:

2.1 USJ can, as a matter of applicable Japanese law, submit to On-Site Inspection by the SEC. There is no restriction on USJ submitting to On-Site Inspection by the SEC under Japanese law. The remainder of this opinion focuses on USJ’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Japan and the ability to provide the SEC with prompt access to Covered Books and Records.

2.2 USJ can, as a matter of applicable Japanese law, provide the SEC with prompt access to Covered Books and Records held by USJ in Japan[3].

DATA PROTECTION

2.3 The Act on the Protection of Personal Information (the “APPI”) will apply to USJ’s disclosure of the information in Covered Books and Records to the SEC to the extent that these comprise or contain Personal Data, which will be defined in 7.2 of Annex 1.

2.4 USJ must obtain consent from the relevant individuals (i.e. data subjects) for provision of their Personal Data to the SEC unless such provision of Personal Data falls within exemptions given in the APPI.

[3] Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from the Rights Holder or approval by the FSA, validly given in accordance with the relevant standard for consent or approval under each applicable legal or regulatory obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent and approval is assumed in Assumptions 3 and 4.

2.5 If USJ obtains consent from the relevant individual, USJ can provide the Personal Data to the SEC without being in breach of the APPI.
 
JAPANESE LAW DUTIES OF CONFIDENTIALITY

2.6 If USJ enters into a contract which includes a confidentiality clause with other parties such as their customers or counterparties to their transactions, the disclosure of information to the SEC would be a violation of the clause unless it falls within exemptions stipulated under the contracts. Therefore, USJ may be contractually liable for damages arising from the disclosure.

2.7 Even if there are no specific contractual provisions restricting the disclosure of information, it is generally understood that financial institutions owe the duty of confidentiality in relation to customer information under Japanese law. This has been affirmed by a judgement by the Supreme Court of Japan.

2.8 Disclosure with consent would not amount to a breach of these legal duties.

RELATIONSHIP WITH REGULATOR IN JAPAN

2.9 As USJ is subject to supervision of the Japanese regulatory authorities (including the Financial Services Agency (the “FSA”) and other relevant Japanese governmental organizations, each a “Japanese regulatory authority”) pursuant to the financial regulatory legislation such as the FIEA, the disclosure of information relevant to the communications with the relevant Japanese regulatory authority (or an entity acting on its behalf[4]), may be subject to restrictions and may require prior approval from the relevant Japanese regulatory authority.

2.10 In particular, the result of on-site inspection conducted by a Japanese regulatory authority is generally considered as confidential by the FSA. In practice, the disclosure of the result of on-site inspection and relevant information is subject to the prior written approval of the FSA.

2.11 If USJ discloses such confidential information to the SEC without the FSA’s approval, it might lead to administrative action by the FSA depending on the situation.

This summary opinion is not a substitute for the full expression of our views set out in
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC of Covered Books and Records held by USJ in Japan and On-Site Inspection of USJ by the SEC in Japan. This opinion applies equally to remote access from the US to Covered Books and Records held in Japan. This opinion excludes books and records held in the US. Where matters considered in this opinion are not governed by laws applying to the entirety of Japan, this opinion relates solely to matters of Japanese law.

[4] It is not expected that the SEC, when conducting On-Site Inspections, would be acting on behalf of any Japanese regulatory authority.
 
3.2 This opinion has been prepared in accordance with UBS’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business[5] of the non-resident SBSD.[6] These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[7] (US Person) (other than an SBS conducted through a foreign branch of such US Person[8]); or
(ii) arranged, negotiated, or executed by the personnel of the non-resident SBSD located in a branch in the US (US branch) or office or by the personnel of an agent of the non-resident SBSD located in a US branch or office;[9] or
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[10]

3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 This opinion covers data relating to:
(a) SBS transactions with US persons, insofar as this data is held by USJ (e.g. voice recordings and client communications) (some data relating to such transactions may be held by UBS in other jurisdictions – access to and On-Site Inspection by the SEC of data that is held in other jurisdictions is not within scope of this opinion); and
(b) the activities of the staff of USJ pertaining to SBS transactions (irrespective of whether the transaction is with a US person or a non-US person).
This opinion does not cover data relating to SBS transactions with non-US persons (even though these will be concluded by staff of USJ acting in the name and for the account of UBS as a ‘Related Entity’ of UBS, we are instructed that this data is not relevant for the purposes of substituted compliance and so this data is not within scope of this opinion).

[5] As defined in 17 CFR §240.3a71-3(a)(8).
[6] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).
[7] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).
[8] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).
[9] 17 CFR § 240.3a71-3(a)(8)(i)(B).
[10] The requirement set out in this paragraph does not apply to USJ because it is not subject to the SEC’s margin and capital requirements as it is assumed that USJ has a prudential regulator – please see the assumptions set out in
 
3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.8 No opinion is expressed on matters of fact.

3.9 Japanese legal concepts expressed in the English language may not be identical to corresponding concepts described by the equivalent English terms as they exist under the laws of other jurisdictions.
 
4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules[11] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the nature outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of Japan in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

[11] 17 CFR § 240.15Fb2-4(c)(2).
 
5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

Yours faithfully,

Anderson Mori & Tomotsune
 
ANNEX 1

OPINION

1. INTRODUCTION

1.1 USJ can, as a matter of applicable Japanese law, submit to On-Site Inspection by the SEC. There is no restriction on USJ submitting to On-Site Inspection by the SEC under Japanese law.

1.2 Pursuant to Article 189 of the Financial Instruments and Exchange Act (the “FIEA”), the Prime Minister of Japan may, upon request of the foreign financial authority, cooperate with the foreign regulatory authority if they find it appropriate. In this regard, the FSA has executed memorandum of understandings (the MOU) with other foreign financial regulatory authorities including the SEC[12], which sets forth the framework of information exchange with the foreign financial regulatory authorities. While the MOU is not legally binding, the FSA may provide the SEC with information in light of the MOU.[13]

1.3 For completeness, if the SEC’s actions involve the exercise of jurisdictional authority (e.g., on-site compulsory criminal investigation) in Japan, the SEC may need to obtain approval from the Japanese government pursuant to the international laws principle, so as to respect Japanese sovereignty under the international laws generally recognized in Japan.

1.4 If the intended action does not involve a mandatory action and is carried out with the consent of the relevant parties (e.g. making written or phone inquiries or investigation with the consent of relevant parties), this would not be regarded as an action involving jurisdictional authority nor an infringement of Japanese sovereignty.

1.5 These international law issues are of potential relevance only to the SEC as a US governmental organization, but would not restrict USJ from submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on USJ’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection and the ability to provide the SEC with prompt access to Covered Books and Records.

1.6 USJ can, as a matter of applicable Japanese law, provide the SEC with prompt access to Covered Books and Records held by USJ in Japan, as described in Sections 2 to 4 below.
 
2. DATA PROTECTION

2.1 Under the APPI, “Personal Data”, as defined in the APPI, encompasses “Personal Information constituting a Personal Information Database”, and “Personal Information” is in turn defined broadly as “information relating to a living individual”, and includes among other things information such as “name, date of birth, or other descriptions etc…. stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form… whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual)”. “Personal Information Database” is defined, in summary, as a database of Personal Information that enables key word searches.

[12] https://www.fsa.go.jp/news/newse/e20020517-1.html
[13] In this regard, the MOU between the FSA and SEC only clarifies the intention of information exchange and does not override the regulation in Article 189 of the FIEA.
 
2.2 The information contained in the Covered Books and Records Personal Data would include Personal Information on USJ’s employees and individuals who work for USJ’s clients, and USJ may be considered to use a database of Personal Information. As a result, USJ will be subject to the APPI as a business operator using a Personal Information Database for its business within the meaning under Article 2(3) of the APPI. Accordingly, the APPI would apply to USJ’s disclosure of Covered Books and Records to the SEC to the extent that these comprise or contain Personal Data.

2.3 As a general rule, a business operator handling personal information shall not, except in the following cases, provide Personal Data to a third party without obtaining the prior consent of the relevant individual (i.e. data subject). As the APPI does not provide a specific exemption for disclosures to a foreign regulatory authority (including the SEC), such disclosure is generally subject to the consent of the relevant individual unless it falls within specified exemptions described as follows:

(a) Exemptions under Article 23 of the APPI
Article 23 of the APPI provides the following exemptions where the Personal Data can be provided to a third party without consent of the relevant individuals:
(i) Cases where the provision of Personal Data is based on laws and regulations (which means Japanese laws and regulations);
(ii) Cases where the provision of Personal Data is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person;
(iii) Cases where the provision of Personal Data is especially necessary for improving public health or promoting the sound growth of children and in which it is difficult to obtain the consent of the person; and
(iv) Cases where the provision of Personal Data is necessary for cooperating with a (Japanese) state organization, a local government (in Japan), or an individual or a business operator entrusted by one of the foregoing in executing the affairs prescribed by (Japanese) laws and regulations and in which obtaining the consent of the person is likely to impede the execution of the affairs.

(b) Exemptions under Article 24 of the APPI
Article 24 of the APPI stipulates the rules specific to provision of Personal Data to a third party in a foreign country. While Article 24 of the APPI generally prohibits the provision of Personal Data to a third party in a foreign country without consent of the relevant individual, it also provides the following exemptions:
(i) The foreign country which has established a personal information protection system equivalent to the standards in Japan in regard to the protection of an individual's rights and interests is not regarded as “a foreign country” in the context of Article 24 of the APPI. As of today, only the countries belonging to the European Union and the United Kingdom, but not the US, are designated as foreign countries that are eligible under this exemption[14]; and
(ii) A person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission as necessary for continuously taking action equivalent to those that a personal information handling business operator in Japan shall take concerning the handling of Personal Data does not fall within “a third party” in the context of Article 24 of the APPI. While Article 11-2 of the Enforcement Ordinance of the APPI sets forth the requirement for such system[15], whether such system is established would be determined on a case-by-case basis.

2.4 We have assumed, at Assumption 3, that USJ has obtained any necessary prior consent of the relevant individuals. As such, provision of Personal Data to the SEC is permissible.

[14] Personal Information Protection Commission Notification No. 1 of 2019
3. JAPANESE LAW DUTIES OF CONFIDENTIALITY

3.1 Under Japanese contract law, if USJ enters into a contract which includes a confidentiality clause with other parties such as customers or counterparties of transactions, disclosure to the SEC would be a violation of that clause unless it falls within exemptions stipulated under the contracts. Therefore, in such a scenario, USJ may be contractually liable for damages arising from the disclosure.

3.2 Even if there is no specific contractual restriction, it is generally understood that financial institutions owe the duty of confidentiality in relation to customer information under Japanese law. In this regard, the judgement by the Supreme Court of Japan on December 11, 2007 stated that financial institutions have duties of confidentiality in relation to information related to its customers, including transaction information or credit information, based on a contractual relationship or business practice and shall not disclose such information without reasonable reason.

3.3 Where such confidentiality duties are relevant for the benefit of USJ’s customers, disclosure of confidential information of such customers to the SEC is permissible where the relevant customers have given prior consent. We have assumed, at Assumption 3, that USJ has obtained any necessary prior consent of the relevant individuals.
 
4. RELATIONSHIP WITH REGULATOR IN JAPAN
4.1 As USJ is subject to supervision of the Japanese regulatory authority including the FSA pursuant to the financial regulatory legislation such as the FIEA, the disclosure of information relevant to communications with a Japanese regulatory authority may require the prior approval of that authority.
4.2 In particular, the results of an on-site inspection conducted by a Japanese regulatory authority are generally considered to be confidential by the FSA. In practice, the disclosure of the results of an on-site inspection and relevant information is subject to prior written approval to the FSA.[16]

[15] Article 11-2 of the Enforcement Ordinance of the APPI set forth the requirement for the system as follows:
(i) Implementation of measures in accordance with the purport of the APPI is ensured between a business operator handling personal information and a person who receives the provision of personal data in an appropriate and reasonable manner with regard to the handling of the personal data by the person who receives the provision.
(ii) The person who receives the provision of personal data is accredited under the international framework pertaining to the handling of personal information
 
4.3 If USJ discloses such confidential information to the SEC without the FSA’s approval, it may negatively affect the relationship between the FSA and USJ. As the FSA has broad discretionary supervisory power over USJ, the FSA might take administrative actions against USJ depending on the situation surrounding the disclosure of such confidential information. Therefore, the FSA’s approval may be required in practice. We have assumed, at Assumption 4, that USJ has obtained any necessary prior approval from the FSA.
[16] In this regard, Item 10 (3) (iii) of the Guideline on Securities Monitoring published by FSA requires the financial institution which underwent the inspection to make application to the FSA for request to disclose the result of the inspection to a third party.
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG, including USJ has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that USJ submits an application for registration are not Covered Books and Records.
 
3. USJ has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of USJ, such employees are “associated persons” of UBS for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
4. Where information relevant to the communications with a Japanese regulatory authority, including the result of an on-site inspection conducted by a Japanese regulatory authority, is included in Covered Books and Records, USJ has received any necessary prior approval from such Japanese regulatory authority to disclose such information to the SEC.
5. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
6. We understand that USJ’s general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that USJ can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[17]
 
7. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. We understand that this is in line with USJ’s general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).[18]
 
[17] See the SEC Guidance at 85 FR 6298.
[18] See the SEC Guidance at 85 FR 6298.
 
8. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[19] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
9. Any data held by USJ that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by USJ in Japan and will be provided directly to the SEC by USJ (and not via UBS AG or another entity).
[19] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.

 
 
 
UBS AG London Branch
5 Broadgate
London
EC2M 2QS
Allen & Overy LLP
Apollolaan 15
Amsterdam 1076 AB Amsterdam
Tel +31 20 674 1000
Fax +31 20 674 1111
Our ref 0036335-0000808
22 October 2021
Dear Sir or Madam
 
UBS AG SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND
1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).
1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 and 3.5 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).
1.3 Associated persons of UBS AG located in the Netherlands who effect SBS transactions on behalf of UBS AG will be employed by the Dutch branch of UBS Europe SE (UBS ESE NL) which is a subsidiary of UBS incorporated in Germany and authorised to provide services in Germany and the Netherlands (among other jurisdictions). Accordingly, UBS ESE NL will maintain certain Covered Books and Records in the Netherlands on behalf of UBS AG.
 
1.4 You have asked us to issue an opinion affirming that (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE NL in the Netherlands and (b) UBS ESE NL can submit to On-Site Inspection by the SEC of UBS AG’s Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph 1.2 above.[2]
 
[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
[2] In accordance with Assumption 10 in Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE NL to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.
 
Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. It is authorised and regulated by the Solicitors Regulation Authority of England and Wales. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners is open to inspection at its registered office, One Bishops Square, London E1 6AD.
Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
1.5 This opinion is structured as follows:
(a) Section 2: Summary of opinion;
(b) Section 3: Scope, assumptions and qualifications;
(c) Section 4: Revisions to applicable law;
(d) Section 5: Reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.
 
2. SUMMARY OF OPINION
Subject to the assumptions and qualifications below, it is our opinion that:
2.1 UBS ESE NL can, as a matter of applicable Dutch law, submit to On-Site Inspection by the SEC. There is no restriction on UBS ESE NL submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBS ESE NL’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in the Netherlands and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.
2.2 UBS ESE NL can, as a matter of applicable Dutch law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE NL in the Netherlands either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in the Netherlands.[3]

Data Protection[4]
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE NL’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a non-EEA country or territory the EU has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBS ESE NL were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in the Netherlands.
2.4 We anticipate that the legitimate interests legal basis for processing is likely to be the most applicable ground under the GDPR (and the Dutch Implementation Act) to enable disclosure of and access to Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to permit On-Site Inspection. To the extent that UBS ESE NL relies on the legitimate interest legal basis, it will also need to take into account the guidance of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the Dutch DPA) to satisfy the conditions for processing.[5] We note that UBS ESE NL would need to assess the ability to rely on this legal basis in each case.
[3] Where a restriction on the ability to transfer personal data applies, consent from the individual, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption 6.
[4] Please refer to section 1 of Annex 1 for definitions of Data Protection Laws, GDPR, and the Dutch GDPR Implementation Act.
[5] Dutch DPA, “Standard explanation legal basis ‘legitimate interest’”, (Normuitleg grondslag ‘gerechtvaardigd belang’) (see <https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/normuitleg_gerechtvaardigd_belang.pdf> accessed 21 September 2021) (only available in Dutch).
 
 
0036335-0000808 UKO1: 2005491828.9
 
 
 
 
Duties of confidentiality under Dutch law
2.5 There are no legal obligations from a Dutch law perspective, other than the data protection legal obligations set out in paragraph 2.3 to 2.4 above, that prohibit UBS ESE NL from providing any information to the SEC, either when providing the SEC with access to Covered Books and Records or when permitting an On-Site Inspection. However, there is a remote risk that an individual of whom information is disclosed brings an action on the basis of a wrongful act (onrechtmatige daad).[6] Whether such action will be successful depends on the circumstances at hand.
 
Privacy and Human Rights
2.6 Protection for the general fundamental right to “respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in the Netherlands. Actions in respect of Article 8 ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the Data Protection Laws.
 
2.7 Article 8 ECHR is, as it were, the legal foundation on which the GDPR has been based. The GDPR is detailing the fundamental right laid down in Article 8 ECHR. Thus, Article 8 ECHR and the GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE NL falls entirely within the scope of and is in compliance with the Data Protection Laws, we consider the general fundamental right set out in Article 8 ECHR will be protected.

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS
3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE NL in the Netherlands and On-Site Inspection of UBS ESE NL by the SEC in the Netherlands. This opinion applies equally to remote access from the United States to Covered Books and Records held in the Netherlands. This opinion excludes books and records held in the US. Where matters considered in this opinion are not governed by laws applying to the entirety of the Netherlands, this opinion relates solely to matters of Dutch law and European Union (EU) law that is directly applicable in the Netherlands (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union).
3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.
[6] We assume there are no contractual confidentiality clauses in place between UBS ESE NL and any other party, see also paragraph 2.3 of Annex 1 and Assumption 12 as set out in Annex 2.
 
3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business[7] of the non-resident SBSD.[8] These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[9] (US Person) (other than an SBS conducted through a foreign branch of such US Person[10]); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[11] or
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[12]
3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.
3.5 This opinion covers data relating to:
(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE NL) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE NL (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE NL acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and
(b) The activities of the staff of UBS ESE NL pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).
 
This opinion only covers transactions entered into by UBS AG where UBS ESE NL is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE NL and its own counterparties (even though UBS ESE NL may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within the scope of this opinion).
 
[7] As defined in 17 CFR § 240.3a71-3(a)(8).
[8] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).
[9] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).
[10] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).
[11] 17 CFR § 240.3a71-3(a)(8)(i)(B).
[12] The requirement set out in this paragraph 3.3(b) does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see Assumption 1 set out in Annex 2.
 
3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.
 
3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.
3.8 No opinion is expressed on matters of fact.
 
3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE NL staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE NL offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE NL also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE NL may be able to rely on an alternative basis for disclosure (e.g. the legitimate interest exception).
4. REVISIONS TO APPLICABLE LAW
4.1 We note that the SEC rules[13] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.
4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.
 
4.3 This opinion relates solely to the laws of the Netherlands and EU law that is directly applicable in the Netherlands (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY
5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.
5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

[13] 17 CFR § 240.15Fb2-4(c)(2).
5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.
5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
Yours faithfully,

Allen & Overy LLP
 
ANNEX 1
 
OPINION
1. DATA PROTECTION
1.1 The General Data Protection Regulation 2016/679 (GDPR), and the implementation thereof in the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming) (together, the Data Protection Laws) will apply to UBS ESE NL’s disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE NL’s staff as well as clients.
 
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category personal data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE NL’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.
1.3 Key restrictions in the Data Protection Laws relating to UBS ESE NL’s ability to disclose personal data to the SEC are set out below.
Legal basis for the disclosure
1.4 UBS ESE NL requires a legal basis under Article 6 GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement. Whilst there are a number of Article 6 legal bases on which UBS ESE NL may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE NL will need to consider the most appropriate legal basis to apply to any given situation.
1.5 The Article 6 legal bases most applicable to UBS ESE NL, together with their respective limitations, are as follows:
(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[14]
 
(b)
 
Legitimate interests
 
(Article 6(1)(f))
: This
 
is one
 
of the
 
more flexible
 
legal bases
 
for processing
that
 
can
 
apply
 
to
 
a
 
multitude
 
of
 
purposes.
 
The
 
Dutch
 
DPA
 
interprets
 
this
 
legal
 
basis
 
very
strictly.
 
The
 
Dutch
 
DPA
 
has
 
previously
 
issued
 
an
 
opinion
 
that
 
compliance
 
with
 
(foreign)
regulatory
 
obligations could
 
qualify
 
as
 
legitimate
 
interests.
 
The
 
Dutch DPA
 
has
 
given
 
this
view in
 
relation to
 
foreign whistleblowing
 
requirements.
15
 
The Dutch
 
DPA states that
 
(foreign)
legal
 
obligations
 
could
 
qualify
 
as
 
a
 
legitimate
 
interest,
 
and
 
that
 
the
 
consequences
 
for
 
the
14
 
 
Please also refer to limitations
 
on the applicability of
 
consent discussed in paragraph
3.9
 
of section
 
3
:
scope, assumptions and
 
qualifications
.
 
Please note that valid consent is assumed at Assumption
 
5 in Annex 2.
15
 
 
Dutch DPA,
 
Whistle blowing
 
opinion D
utch DPA,
 
January 2006. Please
 
note that this
 
opinion was issued
 
under the predecessor of
 
the
GDPR (Directive 95/46/EC of the European Parliament and of the Council of 24 October
 
1995 on the protection of individuals with regard
to
 
the
 
processing
 
of
 
personal
 
data
 
and
 
on
 
the
 
free
 
movement
 
of
 
such
 
data)
 
(see
 
<
https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/uit/z2004-1233_opinie_whblowing.pdf> accessed 21 September
 
2021).
As the “legitimate interest” legal
 
basis was also included in this
 
predecessor, we expect that the opinion of
 
the Dutch DPA in relation hereto
remains the same.
 
 
0036335-0000808 UKO1: 2005491828.9
 
 
 
8
 
companies
 
in
 
case
 
they
 
cannot
 
comply
 
with
 
these
 
obligations
 
will
 
have
 
to
 
be
 
taken
 
into
account. To rely on the legitimate interests ground, UBS ESE NL must:
 
(i) identify its, or a third party’s legitimate interest (this can include individual interests or broader societal benefits) in complying with the SEC’s disclosure request. The Dutch DPA specifically states in its guidance that ‘meeting obligations imposed on an entity or institution’ qualifies as a legitimate interest[16]. The Dutch DPA emphasizes that the interest must be real, concrete and direct, and can be both tangible and intangible. According to the Dutch DPA, a general interest such as ‘society’ does not qualify as a legitimate interest;

(ii) show that the disclosure of documents by UBS ESE NL to the SEC is necessary for achieving these legitimate interests; and

(iii) balance these legitimate interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own. If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE NL or the third party.
An individual has the right to object on grounds relating to his or her particular situation to the disclosure of their personal data to the SEC under this basis for processing, and UBS ESE NL would then need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE NL may argue that its interests are not outweighed by those of its clients or its employees on the basis that:
(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and

(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.
 
 
[16] Dutch DPA, “Standard explanation legal basis ‘legitimate interest’” (Normuitleg grondslag ‘gerechtvaardigd belang’) (see <https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/normuitleg_gerechtvaardigd_belang.pdf> accessed 21 September 2021) (only available in Dutch).
 
 
In addition, while focused on the relationship between the SEC and the ECB, the existence of the Memorandum of Understanding entered into by the SEC and the European Central Bank (ECB)[17] (the ECB MoU)[18] arguably reflects an acceptance in the EU that the SEC has a duty to regulate SBS markets and may need to access information, including personal data, maintained by financial institutions located in the Netherlands for this purpose.[19] Also relevant to this balancing of interests are that the SEC will:

(1) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[20] and

(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[21]
 
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE NL is subject (Article 6(1)(c)): There must be a Dutch nexus in order for UBS ESE NL to be able to rely on this legal basis. Article 6(3) GDPR requires that the legal obligation must be laid down by EU law or Dutch law, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE NL as the person subject to it.[22] In the context of this legal basis for processing, an SEC request in the absence of an EU or Dutch legal requirement (e.g. a lawful request from the Dutch Central Bank (De Nederlandsche Bank, DNB) or the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, AFM) in the exercise of its powers under the Dutch Financial Supervision Act (Wet op het financieel toezicht) or from another European legislator) would not justify the disclosure to the SEC as being necessary for compliance with such a foreign law obligation.

We further note that the ECB MoU does not create any legally binding obligations.[23]
 
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): According to the Dutch interpretation of this legal basis, only entities who are performing a public task or are vested with public authority are able to rely on this legal basis. European or Dutch law must lay down these public tasks or the vested public authority and designate the entity who will carry out these tasks, and therefore may be able to process the personal data involved. In general, only (semi-)public institutions will be able to base their processing on this legal basis. The Dutch DPA acknowledges this view.[24]

As a result, it is not possible for UBS ESE NL to rely on this legal basis. UBS ESE NL will not be performing a public task, or vested with authority under Dutch law or European law.
[17] As UBS Europe SE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.

[18] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).

[19] For the avoidance of doubt, we note however that the ECB MoU does not stipulate any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.

[20] Please refer to Assumptions 6 and 8 in Annex 2, as well as Article II and paragraph 49 of the ECB MoU.

[21] Please refer to Assumption 9 in Annex 2, as well as paragraph 56 of the ECB MoU.

[22] Recital 41 GDPR.

[23] Article II paragraph 27 of the ECB MoU.

[24] Dutch DPA, FAQ “Are you allowed to process personal data?” (see <https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/algemene-informatie-avg/mag-u-persoonsgegevens-verwerken> reviewed on 10 September 2021) (only available in Dutch).
 
 
 
For the avoidance of doubt, the SEC will also not be able to rely on this legal basis, as their powers are not laid down in either Dutch law or European law.

1.6 Based upon the above, the legitimate interests legal basis for processing is likely to be the most appropriate Article 6 GDPR ground on which UBS ESE NL could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
1.7 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE NL might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US Person.[25] However, to the extent that this does occur, and such information is held by UBS ESE NL, in addition to an Article 6 GDPR legal basis, UBS ESE NL will need to establish an exemption under Article 9 GDPR (and its equivalent in Articles 22 to 33 Dutch GDPR Implementation Act) if it discloses special categories of data to the SEC, such as where it is necessary for the establishment, exercise or defence of legal claims. Other than valid consent,[26] the Article 9 GDPR exemption that is most likely to apply to disclosure of Covered Books and Records is “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity” (Article 9(2)(f) GDPR). Although the Dutch GDPR Implementation Act has included several other exemptions for processing special categories of personal data, none of these additional bases is likely to be available for disclosing special categories of personal data to the SEC by UBS ESE NL.
1.8 Similarly as set out for special categories of personal data, UBS ESE NL processing of personal data relating to criminal convictions and offences is highly restricted, and can only be disclosed when there is an exemption set out in Articles 32 or 33 Dutch GDPR Implementation Act applicable. The exemption most likely to apply to disclosure of Covered Books and Records is “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity” (Article 32(d) Dutch GDPR Implementation Act)[27]. Also, the Dutch GDPR Implementation Act has included several other exemptions for processing of personal data relating to criminal convictions and offences, however, none of these exemptions are likely to be available for disclosing personal data relating to criminal convictions and offences to the SEC by UBS ESE NL.
 
Data protection principles

1.9 In addition to establishing a legal basis for the disclosure, UBS ESE NL would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 GDPR. For example, UBS ESE NL must:

(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);

(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;

(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;

(d) ensure that the data is accurate and, where necessary, kept up to date;
[25] As we understand, is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).

[26] Article 9(2)(a) GDPR – please also refer to limitations on the applicability of consent discussed in paragraph 3.9 of section 3: scope, assumptions and qualifications.

[27] See also Article 33 Dutch GDPR Implementation Act.
 
 
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and

(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.

1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE NL to verify this and implement its own compliance measures.
International transfers

1.11 The general principle in the GDPR is that UBS ESE NL may not transfer personal data to a jurisdiction outside the EEA, unless it can satisfy a condition for the transfer as set out in Chapter V GDPR.

1.12 Article 45 GDPR allows UBS ESE NL to transfer personal data to a recipient outside the EEA where the transfer is based on an adequacy decision of the European Commission. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[28] allows transfers of personal data from the EEA, including the Netherlands, to the UK to be made freely. Any transfer from UBS ESE NL to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).
1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE NL’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the UK addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR[29] and UK Data Protection Act 2018 is “in substance identical” to the transfer regime under the EU GDPR.[30] The primary options available to UBS AG London Branch pursuant to this EU GDPR restriction applicable to UBS ESE NL when disclosing UBS ESE NL’s Covered Books and Records to the SEC in the US are as follows:
 
(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available under EU GDPR for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE NL’s Covered Books and Records to the SEC. The derogations include:[31]

(i) Consent: In order for consent to be valid under the Data Protection Laws, it must satisfy the high standards of being a freely-given, specific, informed and unambiguous indication of wishes.[32]
 
(ii) Legitimate interests: Article 49 GDPR makes clear that reliance on the derogation based on a compelling legitimate interest may only take place if (A) the transfer is not repetitive, (B) the transfer concerns only a limited number of data subjects, (C) the transfer is necessary for the purposes of compelling legitimate interests pursued by UBS ESE NL, (D) UBS ESE NL’s legitimate interests are not overridden by the interests or rights and freedoms of the individuals involved, (E) UBS ESE NL has assessed all the circumstances surrounding the data transfer, and (F) UBS ESE NL has, on the basis of that assessment, provided suitable safeguards with regard to the protection of data. UBS ESE NL must also ensure it applies the ‘necessary’ test to ensure that only the personal data necessary for the SEC’s purposes is transferred.

UBS ESE NL should not rely on any of the derogations for making transfers on a large scale and/or in a systematic manner, and their use must be considered on a case-by-case basis for separate requests of the SEC, with UBS ESE NL keeping records of the transfers that evidence the careful analysis that led them to rely on that derogation.

[28] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.

[29] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.

[30] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.

[31] These derogations should not be considered a blanket approval for UBS ESE NL to transfer data to the SEC under this basis.

[32] Please also refer to limitations on the applicability of consent discussed in paragraph 3.9 of section 3: scope assumptions and qualifications. Please note that valid consent is assumed in Assumption 5 of Annex 2.
 
1.14 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE NL effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.

1.15 AFM or DNB route: In certain situations, for example where UBS ESE NL considers the transfer of data to UBS AG London Branch for the purpose of providing information to the SEC to be high risk, it may be possible to arrange for the disclosure to be made to the AFM or DNB, which could then transfer the data to the SEC in the US. However, we note that there is no administrative arrangement to govern the transfer of personal data between the two regulators and the SEC, that aims to comply with GDPR principles. As the AFM or DNB are able to rely on other derogations, such as the transfer is necessary for important reasons of public interest (which is not available to UBS ESE NL), this route may avoid UBS ESE NL being responsible for ensuring the international transfer was fully compliant with the GDPR.
2. DUTIES OF CONFIDENTIALITY UNDER DUTCH LAW

2.1 There is no bank secrecy obligation laid down in Dutch law with respect to data exchanged between a financial institution and a client. Therefore, UBS ESE NL is not limited in providing information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections from a Dutch financial regulatory law perspective. Further, Dutch law does not have a general blocking statute that prohibits UBS ESE NL from providing any data to the SEC.
 
2.2 Although there is no obligation laid down in Dutch law that prohibits UBS ESE NL from providing information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections, it follows from Dutch law that an action on the basis of a wrongful act (onrechtmatige daad) may be brought against UBS ESE NL, if the following requirements are met (article 6:162 Dutch Civil Code):

(a) there is a wrongful act. The following scenarios are deemed to be wrongful acts: (i) a violation of a right; (ii) an act or omission breaching a duty imposed by law or a rule; or (iii) an act or omission breaching unwritten law pertaining to proper social conduct;

(b) the wrongful act must be attributable (toerekenbaar) to the party who commits the wrongful act;

(c) the party against whom the wrongful act was committed suffers damages (schade);

(d) there is causality between the wrongful act committed and the damages suffered (causaliteit); and

(e) the violated standard, as set out under paragraph 2.2(a) above, serves to protect against the damages suffered by the party against whom the wrongful act was committed (relativiteit).
 
 
 
Whether such action succeeds depends highly on the circumstances at hand, and each disclosure of information should be assessed on a case-by-case basis. We believe however that the risk of such claim being honoured by a court is remote if the disclosure of personal data is allowed under the GDPR, and there is no applicable confidentiality condition applicable between UBS ESE NL and its client.[33]

2.3 UBS ESE NL should take into account the contractual terms agreed upon with its client or employers, under which UBS ESE NL could be prohibited from disclosing any information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections. We have assumed at Assumption 11 of Annex 2 that no such contractual terms exist.
3. PRIVACY AND HUMAN RIGHTS

3.1 Article 8 ECHR confers a general right to “respect for his private and family life, his home and his correspondence”. This right is directly applicable in the Netherlands.[34] The right to privacy clearly applies to natural persons. In certain situations legal persons, such as companies, have been held to benefit from a right to privacy. The European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8 ECHR.[35]

3.2 Article 8 ECHR does not in itself give rise to a free-standing cause of action – instead an action arising from a wrongful act (onrechtmatige daad), a breach of agreement or other legal obligation, such as under the GDPR, must be brought, and the court will then be obliged to consider the application of Article 8 ECHR.

3.3 Article 8 ECHR is, as it were, the fundamental legal foundation on which the GDPR has been based. The GDPR elaborates on the applicable principles of and the rules on the protection of natural persons when it comes to processing of personal data.[36] The ECHR can further be relied upon when interpreting this GDPR law if necessary. The GDPR can therefore be seen as the regulation detailing the right laid down in Article 8 ECHR, when it comes to the processing of personal data. The GDPR and Article 8 ECHR cannot be seen entirely separately from each other.
Application and exceptions

3.4 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:

(a) in accordance with the law;

This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is an act of parliament (wet in formele zin), delegated legislation or case law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[37] The relevant consideration on the first aspect is the legal basis on which the court would allow Article 8 ECHR to be breached. The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant legal duty with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.
 
 
[33] We refer to Assumption 13 as set out in Annex 2 regarding confidentiality conditions.

[34] Article 94 Dutch Constitution law.

[35] Firma EDV Für Sie, EFS Elecktronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.

[36] See also considerans (1) and (2) GDPR.

[37] Malone v UK [1984] ECHR 10 at 68.
 
 
 
(b) is necessary in a democratic society;

This criterion is intended to ensure the proportionality of an intrusion into private life. To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.[38]

and

(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).

This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.

3.5 As the GDPR and Article 8 ECHR cannot be seen entirely separately from each other, and the provision of information to the SEC by UBS ESE NL will, insofar as this contains personal data, fall entirely within the scope of the GDPR, we consider that the criteria set out in paragraph 3.5 are met, as long as UBS ESE NL complies with the requirements set out in paragraphs 1.1 to 1.12 above.
[38] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
 
ANNEX 2

ASSUMPTIONS

This opinion relies on the following assumptions:

1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934. As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.

2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.

3. In relation to each disclosure of information, UBS ESE NL will assess each disclosure to the SEC on a case-by-case basis and will verify, for each disclosure of information based on the circumstances at hand, whether all requirements under Dutch law, including but not limited to the Data Protection Laws, are met.

4. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
5.
 
UB ESE NL or, as the case may be, UBS AG has obtained
 
any necessary prior consent of the persons
(e.g
.
,
 
counterparties,
 
employees)
 
whose
 
information
 
is
 
or
 
will
 
be
 
included
 
in
 
Covered
 
Books
 
and
Records in order
 
to provide the
 
SEC with access
 
to its Covered
 
Books and Records
 
or to allow
 
On-
Site
 
Inspections,
 
to
 
the
 
extent,
 
as
 
considered
 
in
 
this
 
opinion,
 
such
 
consent
 
would
 
constitute
 
valid
consent and such
 
consent has not
 
been withdrawn.
 
Insofar as Covered
 
Books and Records
 
relate to
employees of UBS ESE NL,
 
such employees are “associated persons” of UBS AG
 
for purposes of 17
CFR §
 
240.18a-5(b)(8)
 
who have agreed
 
to sharing
 
of their
 
personal/employment information with
the SEC in the event of a request for information from the SEC.
 
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.

7. Similarly, UBS ESE NL will ensure that its disclosures are compliant with the data protection principles set out in Article 5 GDPR.[39] We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE NL can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the Dutch DPA) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[40]
 
8. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the GDPR (as described in paragraph 1.2 of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the Dutch DPA).[41]

[39] These principles are set out in Annex 1 at paragraph 1.9.
[40] See the SEC Guidance at 85 FR 6298.
 
9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[42] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.

10. Any data held by UBS ESE NL that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE NL in the Netherlands. Whilst UBS ESE NL will be subject to direct On-Site Inspection by the SEC in the Netherlands, UBS ESE NL will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
11. No confidentiality condition which would restrict disclosure to the SEC is applicable in any contract between UBS ESE NL and the individual (either a legal entity or a natural person) whose information will be included in Covered Books and Records made available to the SEC or subject to On-Site Inspection by the SEC.

12. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)[43]).

13. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.
[41] See the SEC Guidance at 85 FR 6298.
[42] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
[43] Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 
 
 
 
 
 
UBS AG London Branch
5 Broadgate
London
EC2M 2QS

Allen & Overy LLP
Bockenheimer Landstraße 2
60306 Frankfurt am Main
Germany

Our ref 0036335-0000808

22 October 2021

Dear Sir or Madam

UBS SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs to (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).
1.3 Associated persons of UBS AG located in Germany who effect SBS transactions on behalf of UBS AG will be employed by UBS Europe SE (UBS ESE), which is incorporated in Germany and authorised to provide services in Germany (among other jurisdictions). Accordingly, UBS ESE will maintain certain Covered Books and Records in Germany on behalf of UBS AG.

1.4 You have asked us to issue an opinion affirming that (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE in Germany and (b) UBS ESE can submit to On-Site Inspection by the SEC of UBS AG’s Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph [2]
 
 
 
[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
[2] In accordance with Assumption in, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.

Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. It is authorised and regulated by the Solicitors Regulation Authority of England and Wales. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners is open to inspection at its registered office, One Bishops Square, London E1 6AD.
Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
0036335-0000808 UKO1: 2005527215.20
 
 
 
 
 
1.5 This opinion is structured as follows:
(a) Section :
(b) Section : ;
(c) Section :
(d) Section :
(e) : Opinion; and
(f) : Assumptions.

1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBS ESE, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below, it is our opinion that:

2.1 UBS ESE can, as a matter of applicable German law, submit to On-Site Inspection by the SEC. There is no restriction or general blocking statute on UBS ESE submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBS ESE’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Germany and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.

2.2 UBS ESE can, as a matter of applicable German law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE in Germany either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Germany.[3]

Data Protection[4]
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the European Commission has not found to have an ‘adequate’ data protection regime.[5] However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBS ESE were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Germany. We note that these legal restrictions and derogations that UBS ESE would rely on when making disclosures to the SEC are the same legal requirements as referred to and reflected in the “Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities” entered into between the SEC and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) (the BaFin MoU).[6] A similar Memorandum of Understanding was entered into by the SEC and the European Central Bank (ECB)[7] (the ECB MoU).[8]

[3] Where a restriction on the ability to grant access to, transfer or otherwise disclose personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption
[4] Please refer to section of for definitions of Data Protection Laws, EU GDPR and the BDSG.
[5] According to Article 44 of the EU GDPR, any transfer of personal data to third countries or international organizations must, in addition to complying with Chapter V of the EU GDPR, also meet the conditions of the other provisions of the EU GDPR.
 
2.4 We anticipate that the legitimate interests legal basis for processing would provide an applicable grounds under the EU GDPR to enable disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to permit On-Site Inspection.

Banking Secrecy Principle

2.5 The German banking secrecy principle (the German Banking Secrecy Principle) applies in respect of all business and private information on the client obtained by a bank on the basis or within the context of its client business pursuant to a contractual relationship with the client. In Germany, the banking secrecy principle is primarily a matter of contract law. Against this background, the German Banking Secrecy Principle does not differentiate between (i) customer data; and (ii) data of natural persons or legal entities, provided that the data are obtained on the basis or within the context of a customer business pursuant to a contractual relationship with a client governed by German law.
2.6 UBS ESE may share information contained in the Covered Books and Records or obtained by the SEC through On-Site Inspections either (i) where they are not in the scope of application of the German Banking Secrecy Principle or (ii) where the sharing is legally justified as it is either required by law or the relevant clients have consented to the disclosure. A client’s consent can be expressed implicitly.

2.7 German laws and orders of German authorities clearly justify a sharing of information covered by the German Banking Secrecy Principle. There is, however, no case law or administrative practice or clear legal literature as regards the “conflict” between foreign statutes and foreign orders on the one hand and the German Banking Secrecy Principle on the other hand. Hence, the legal situation is unclear. That said, in our view there are good reasons to believe that data sharing can be justified in relation to the German Banking Secrecy Principle by either (i) implied consent or (ii) a combination of the US statutes / the SEC orders in combination with the BaFin MoU / ECB MoU.
Principle of territoriality

2.8 According to the general territorial principle of international law, a state that wishes to take action outside its sovereign borders is, as a general rule, referred to private law, because the territorial principle of international law limits the validity of its sovereign acts to its national territory. In this respect, the SEC is in principle not authorized to take sovereign action, including On-Site Inspection of and obtaining access to Covered Books and Records, in Germany. However, such a permission can be found in the BaFin MoU between BaFin and SEC and also in the ECB MoU between ECB and SEC.[9] While the BaFin MoU and the ECB MoU are non-binding, in our view it should allow those actions to be taken without a breach of the general principle of territoriality.
Privacy and Human Rights

2.9 Protection for the general fundamental right to “respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in Germany. Actions in respect of Article 8 ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the Data Protection Laws. However, we note that the ECHR only confers rights on private law subjects vis-à-vis the state and not among themselves. Consequently, the ECHR is not directly applicable to UBS ESE.

[6] Available at https://www.sec.gov/files/15122020-substituted-compliance-mou-germany-final-signatures.pdf.
[7] As UBS ESE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.
[8] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).
[9] Article II paragraph 25 et seq. of the ECB MoU and Article II paragraph 26 et seq. of the BaFin MoU.
2.10 Article 8 ECHR is, as it were, the legal foundation on which the GDPR has been based. The GDPR is detailing the fundamental right laid down in Article 8 ECHR. Thus, Article 8 ECHR and the GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE falls entirely within the scope of and is in compliance with the Data Protection Laws, we consider the general fundamental right set out in Article 8 ECHR will be protected.

This summary opinion is not a substitute for the full expression of our views set out in
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE in Germany and On-Site Inspection of UBS ESE by the SEC in Germany. This opinion applies equally to remote access from the United States to Covered Books and Records held in the Federal Republic of Germany. This opinion excludes books and records held in the US.

3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.
3.3 This opinion covers data relating to:
(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and
(b) the activities of the staff of UBS ESE pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).

This opinion only covers transactions entered into by UBS AG where UBS ESE is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE and its own counterparties (even though UBS ESE may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).
 
 
 
 
 
 
3.4 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business[10] of the non-resident SBSD.[11] These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[12] (US Person) (other than an SBS conducted through a foreign branch of such US Person[13]); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[14] or
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[15]
 
3.5 Further to Assumption, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in.

3.8 No opinion is expressed on matters of fact.

3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE may be able to rely on an alternative basis for disclosure (e.g. the legitimate interest basis or another exception for international transfer of personal data).
 
 
[10] As defined in 17 CFR §240.3a71-3(a)(8).
[11] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).
[12] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).
[13] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).
[14] 17 CFR § 240.3a71-3(a)(8)(i)(B).
[15] The requirement set out in this paragraph does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see Assumptions set out in
 
 
 
4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules[16] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of the Federal Republic of Germany and European Union (EU) law that is directly applicable in Germany (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
 
[16] 17 CFR § 240.15Fb2-4(c)(2).
 
 
Yours faithfully,
 
Allen & Overy LLP
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
ANNEX 1
 
OPINION
1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (EU GDPR), and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) (together, the Data Protection Laws) will apply to UBS ESE’s disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE staff as well as clients.

1.2 Under the Data Protection Laws, specific additional restrictions apply for personal data relating to criminal convictions and offences.[17] These laws also impose heightened restrictions on the processing of ‘special category personal data’; this is personal data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation[18]. As special category personal data are less likely to be relevant in the context of UBS ESE’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the Data Protection Laws relating to UBS ESE’s ability to disclose personal data to the SEC are set out below.
Legal basis for the disclosure

1.4 UBS ESE requires a legal basis under Article 6 of the EU GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Personal data cannot be disclosed if doing so would breach another legal requirement (e.g. banking secrecy – please see section ). Whilst there are a number of Article 6 legal bases on which UBS ESE may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE will need to consider the most appropriate legal basis to apply to any given situation on a case-by-case basis.
1.5 The Article 6 legal bases most applicable to UBS ESE, together with their respective limitations, are as follows:

(a) Consent (Article 6(1)(a) EU GDPR): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[19]

(b) Legitimate interests (Article 6(1)(f) EU GDPR): This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE must:
 
[17] Article 10 of the EU GDPR.

[18] Article 9(1) of the EU GDPR.

[19] Please also refer to limitations on the applicability of consent discussed in paragraph of section : We note that German data protection authorities are in practice particularly strict in relation to accepting employee consent as freely given and that under Section 26(2) of the BDSG, the employee’s level of dependence in the employment relationship and the circumstances under which consent was given must be taken into account in assessing whether such consent was freely given. That said, it may prove almost impossible in practice to obtain valid employee consent from UBS ESE’s staff for the purpose of disclosing their personal data to a non-EU based authority. Consent might therefore not generally be considered as a valid legal basis for disclosure of UBS ESE’s staff data and UBS ESE should rely on an alternative basis for disclosure (e.g. the legitimate interests). Please note that valid consent is assumed in Assumption
 
 
 
(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;

(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and

(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own.

If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE or the third party.

An individual has the right to object to the disclosure of their personal data to the SEC under this basis for processing, and UBS ESE would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE may argue that its interests are not outweighed by those of its clients or its employees on the basis that:
(i) clients are aware, due to statements contained in their terms of business with UBS AG, the US nexus when they engage in SBS transactions and, their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and

(ii) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.

In addition, while focused on the relationship between the SEC and BaFin, the existence of the BaFin MoU arguably reflects an acceptance in Germany that the SEC has a duty to regulate SBS markets and may need to access information maintained by financial institutions located in Germany for this purpose. This argument is further supported by the ECB MoU, which similarly reflects an understanding of the SEC’s duties and an acceptance regarding the need for information, including personal data, to be provided to the SEC.[20]

Also relevant to this balancing of interests are that the SEC will:
 
 
[20] For the avoidance of doubt, we note however that neither the BaFin MoU nor the ECB MoU stipulates any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.
 
 
(i) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[21] and

(ii) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[22]
 
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE is subject (Article 6(1)(c) EU GDPR): There must be a German or EU law nexus in order for UBS ESE to be able to rely on this legal basis. Article 6(3) of the EU GDPR requires that the legal obligation must be laid down by EU law or EU Member State law, to which the controller is subject, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE as the person subject to it.[23] In the context of this legal basis for processing, an SEC request in the absence of a German or EU legal requirement (e.g. a lawful request from BaFin in the exercise of its powers) would not justify the disclosure as being necessary for compliance with such an obligation. We further note that neither the BaFin MoU nor the ECB MoU creates any legally binding obligations.[24]

(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) EU GDPR): According to German data protection authorities’ and legal literature’s interpretation of this legal basis, only entities who are officially entrusted with performing public tasks or are vested with public authority are able to rely on this legal basis.[25] As a result it is not possible for UBS ESE to rely on this legal basis for the disclosure of personal data contained in the Covered Books and Records from a German data protection law perspective.

(e) Disclosure is necessary for the establishment, exercise or defence of legal claims unless the data subject has an overriding interest in not having the data processed (Section 24(1) no.2 BDSG): The effects of the disclosure on the data subject must be assessed on a case-by-case basis, taking into account in particular if the disclosure of personal data is truly necessary or if there are less intrusive ways to fulfil UBS ESE’s interest in the establishment, exercise or defence of legal claims.

Based upon the above, the legitimate interests basis for processing is likely to be the most appropriate Article 6 EU GDPR grounds on which UBS ESE could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
1.6 It is considered very unlikely that personal data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of personal data. Further, UBS ESE might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US Person.[26] However, to the extent that this does occur, and such information is held by UBS ESE, in addition to an Article 6 EU GDPR legal basis, UBS ESE will need to establish an additional condition for processing under Article 9 of the EU GDPR if it discloses special categories of personal data to the SEC, such as where it is necessary for the establishment, exercise or defence of legal claims. Other than valid consent,[27] the Article 9 EU GDPR conditions that are most likely to apply to disclosure of special categories of personal data contained in the Covered Books and Records are:

(a) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f) EU GDPR and Section 24(1) no. 2 BDSG); and

(b) processing is necessary for reasons of substantial interest, on the basis of domestic or Member State law (Article 9(2)(g) EU GDPR).

[21] Please refer to Assumptions and in , as well as Article II paragraphs 44, 54 of the BaFin MoU and Article II paragraph 49 of the ECB MoU.

[22] Please refer to Assumption in , as well as paragraph 60 of the BaFin MoU and paragraph 56 of the ECB MoU.

[23] Recital 41 EU GDPR.

[24] Article II paragraph 28 of the BaFin MoU / Article II paragraph 27 of the ECB MoU.

[25] See DSK short paper no. 4 (Kurzpapier Nr. 4 Datenübermittlung in Drittländer), available at https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_4.pdf

[26] As we understand is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
1.7 Although Sections 22 and 26(3) BDSG provide for additional legal bases for the processing of special categories of personal data, none of these additional bases is likely to be available for disclosing special categories of personal data to the SEC by UBS ESE, as these legal bases refer to the processing for purposes of preventive medicine or where the processing is required under employment or social laws.

1.8 Similarly, UBS ESE’s processing of personal data relating to criminal convictions and offences or related security measures is highly restricted, and can only be disclosed based on Article 6(1) EU GDPR under the control of official authority or when the processing is authorised by EU or EU Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.[28] It is recognised by the legislative memorandum[29] to the BDSG that Section 26 BDSG is such EU Member State law that allows processing of criminal data without the control of official authority. That is, to the extent that the disclosure of criminal data is necessary for the performance of the employment relationship, Section 26 BDSG could allow on a case-by-case assessment the disclosure of UBS ESE staff’s criminal data.[30]
 
Data protection principles

1.9 In addition to establishing a legal basis for the disclosure, UBS ESE would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the EU GDPR. For example, UBS ESE must:

(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);

(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;

(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;

(d) ensure that the data is accurate and, where necessary, kept up to date;

(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and

(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
[27] Article 9(2)(a) EU GDPR; please also refer to limitations on the applicability of consent discussed in paragraph of section : Please note that valid consent is assumed in Assumption

[28] Article 10 sent. 1 EU GDPR.

[29] BT-Drs. 18/11325, p. 97.

[30] We note, however, that in our experience German data protection authorities tend to apply the necessity test rather strictly in the employment context in practice.
 
 
 
1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE to ensure that any disclosure of personal data in the Covered Books and Records complies with all requirements under the Data Protection Laws and to verify this and implement its own compliance measures.
 
International transfers

1.11 The general principle in the EU GDPR is that UBS ESE may not transfer personal data to a jurisdiction outside the European Economic Area, unless it can satisfy a condition for the transfer as set out in Chapter V of the EU GDPR.

1.12 Article 45 of the EU GDPR allows for UBS ESE to transfer personal data to a recipient outside the EEA where the transfer is based on an adequacy decision of the European Commission. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[31] allows transfers of personal data from the EEA, including Germany, to the UK to be made freely. Any transfer from UBS ESE to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).
 
1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the UK addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR and UK DPA 2018 is in substance identical to the transfer regime under the EU GDPR.[32] The primary options available to UBS AG London Branch pursuant to this EU GDPR restriction applicable to data originating from UBS ESE when disclosing the UBS ESE’s Covered Books and Records to the SEC in the US are as follows:

(a) Derogations (Article 49 EU GDPR): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available under EU GDPR for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE’s Covered Books and Records to the SEC. These derogations include:
(i) Consent: relying on consent to enable an international transfer requires that UBS ESE has (A) explicitly stated to the Rights Holder that the data protection level at the recipient is not comparable to the data protection level in Germany, noting that the controller will not be able to ensure that an adequate data protection level is achieved by using a transfer mechanism available under the EU GDPR, with the result that their personal data will not be subject to data protection that is equivalent to that established under the EU GDPR, and (B) included in the consent form a description of the data protection laws and practices in the recipient country (i.e. in this case, the US), so that the data subject is in a position to make an informed decision[33];[34] and
 
(ii) legitimate interests: a data transfer on the basis of legitimate interests may only take place if (A) the transfer is not repetitive, (B) concerns only a limited number of data subjects, (C) is necessary for the purposes of compelling legitimate interests pursued by UBS ESE, (D) UBS ESE’s legitimate interests are not overridden by the interests or rights and freedoms of the Rights Holder, (E) UBS ESE has assessed all the circumstances surrounding the data transfer and (F) UBS ESE has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. UBS ESE must inform the Data Protection Authority of the State of Hesse (being UBS ESE’s supervisory authority for data protection) of the transfer. UBS ESE must, in addition to providing the information referred to in Articles 13 and 14 EU GDPR, inform the data subject of the transfer and of the compelling legitimate interests pursued.

Each of the consent and legitimate interest derogations needs to be applied on a case-by-case basis.[35] We note that the derogation that the transfer is strictly necessary for important reasons of public interest will likely not be applicable from a German data protection perspective.

[31] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.

[32] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.

[33] [Local guidance – source to be added]

[34] Please note that valid consent is assumed in Assumption
 
(b) BaFin route: In certain situations, for example where UBS ESE considers the transfer of data to UBS AG London Branch for the purpose of providing information to the SEC to be high risk, it may be possible to arrange for the disclosure to be made to BaFin, which could then transfer the data to the SEC in the US.[36] This route would avoid UBS ESE and UBS AG being responsible for ensuring the international onward transfer was fully compliant with Article 44 sent. 1, Recital 101 of the EU GDPR.
1.14 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
 
2. BANKING SECRECY PRINCIPLE (BANKGEHEIMNIS)

General considerations

2.1 Note that the banking secrecy principle is only relevant for UBS ESE where the contractual relationships with the customers are governed by German law.

2.2 According to the German banking secrecy principle (the German Banking Secrecy Principle), a credit institution, such as UBS ESE, is obliged to treat any client-related information as being confidential and to disclose this information only on a need to know basis by applying strict safeguarding measures. In Germany, the banking secrecy principle is primarily a matter of contract law. It is not codified in the German civil code (Bürgerliches Gesetzbuch) or other laws. However, according to the jurisprudence of the German Federal High Court (Bundesgerichtshof), the German Banking Secrecy Principle constitutes an ancillary obligation of the banking contract between the bank and its customer and forms therefore part of each contractual banking relationship between a German bank and its customers governed by German law. In recognition of that fact, the duty to observe the German Banking Secrecy Principle has been incorporated in No. 2(1) of the standard General Terms and Conditions for Banks (Allgemeine Geschäftsbedingungen, AGB-Banken).

2.3 Against this background, the German Banking Secrecy Principle does not differentiate between (i) customer data; and (ii) data of natural persons or legal entities, provided that the data are obtained by UBS ESE on the basis or within the context of its customer business/contractual relationship.
2.4 Though, on the one hand, it is undisputed that each bank can generally modify the AGB-Banken for their own purposes, it is on the other hand unclear to what extent the German Banking Secrecy Principle can be waived by such modification. It can be expected that there is a customary law foundation (Gewohnheitsrecht) to the German Banking Secrecy Principle, according to which such principle is such an essential part of the relationship between a bank and its client that it cannot be carved out. For clarification purposes, we would therefore like to highlight that a mere deletion of No. 2(1) AGB-Banken would not result in the German Banking Secrecy Principle being inapplicable.

[35] Article 49(1) EU GDPR at sentence 1 paragraph (a) and sentence 2, respectively.

[36] See Article 48 EU GDPR.
Scope of protection under the German Banking Secrecy Principle

2.5 The German Banking Secrecy Principle applies in respect of all business and private information on the client obtained by a bank on the basis or within the context of its client business/contractual relationship, i.e. not only personal data. Furthermore, the German Banking Secrecy Principle applies to all outward as well as inward processes of the bank. Hence, even inside the bank only those individuals which have a legitimate interest may have access to the data subject to the German Banking Secrecy Principle (“need to know” principle).

2.6 Anonymised data (i.e. data that has been amended in such a way that it is technically impossible to trace it back to specific persons or is only possible with disproportionate effort) or redacted data are not included in the scope of the German Banking Secrecy Principle and can be transferred to third parties without further restrictions related to the bank secrecy.

2.7 Consequently, where Covered Books and Records do not contain any relevant forms of business and private information on the client obtained by UBS ESE on the basis or within the context of its client business/contractual relationship (e.g. transaction data such as volumes and prices) the German Banking Secrecy Principle will not apply, and hence UBS ESE can share the information without customer consent.
Sharing of information – general limitations on sharing of information within the scope of the German Banking Secrecy Principle

2.8 As a general remark, it should be noted that there is neither case law nor legal literature discussing in detail the limits of the German Banking Secrecy Principle if it comes to sharing information with US authorities such as the SEC. This is probably mainly due to the fact that traditionally data protection rules were stricter than the banking secrecy limits and that there are few instances where data sharing results in damages to the customer which would justify a legal proceeding. Therefore, it seems very difficult to precisely determine to what extent data may be shared with SEC for the purpose of the registration as an SBSD in the US.

2.9 According to No. 2(1) of the AGB-Banken which incorporates the general principles developed on the German Banking Secrecy Principle UBS ESE may share information falling within the scope of the German Banking Secrecy Principle only if:

(a) required by law,

(b) the client has consented to the disclosure, or

(c) the bank is authorised to provide a bank notification requested by another bank (Bankauskunft) (cf. No. 2(1) sent. 1 AGB-Banken).[37]
 
Sharing of information if “required by law” – assessment

2.10 Although information contained in the Covered Books and Records or obtained through On-Site Inspections is covered by the German Banking Secrecy Principle, it may be shared if there is a legal obligation/requirement to do so, i.e. where a law to which the bank is subject requires that the information shall be disclosed (Legal Requirement). Such Legal Requirements are included, inter alia, in German tax, criminal law, AML and regulatory law provisions (c.f. Kümpel/Mülbert/Früh/Seyfried, Bank- und Kapitalmarktrecht, No. 2 AGB-Banken: Bankgeheimnis und Bankauskunft, Recital 3_254).

[37] As the third option mentioned in the AGB-Banken, disclosing data on the basis of a bank notification, is not relevant in the case at hand, it is not further discussed in this opinion.
2.11 As far as it is based on Legal Requirements, a data-sharing request does not contradict the German Banking Secrecy Principle. However, the question is whether these considerations can also be applied in the case at hand where the information request is not per se based on German law, but on foreign law:
Sec 44(1) of the German Banking Act as Legal Requirement
2.12 Pursuant to Sec. 44(1) of the German Banking Act (Kreditwesengesetz, KWG), BaFin and the ECB have the power to request from institutions information about all business activities, documentation and, if necessary, copies, and also to perform on-site inspections. Consequently, the disclosure of information based on this provision does not contradict the German Banking Secrecy Principle.
 
2.13 However, this specific power is only available to BaFin and the ECB to oblige UBS ESE to disclose client-related information vis-à-vis BaFin and the ECB themselves. It is not clear whether this power applies equally to investigations conducted by the ECB to support foreign regulators such as SEC because BaFin and the ECB are subject to professional secrecy requirements when sharing information. In any event, Sec. 44(1) KWG would only allow measures undertaken by BaFin and the ECB to support SEC, but by no means measures undertaken by SEC directly. As this opinion is focussed on the latter, Sec. 44(1) KWG will not constitute a sufficient legal basis in the case at hand.
17 CFR 240.18a-6(g) as Legal Requirement
2.14 Pursuant to 17 CFR 240.18a-6(g), a non-resident security-based swap dealer and non-resident major security-based swap participant applying for registration must provide the SEC access to Books and Records and must allow for On-Site Inspections. This might justify the sharing of information with UBS AG London Branch for the purpose of providing information to the SEC or with the SEC in the course of On-Site Inspections in Germany.
2.15 In general, only legal requirements to which UBS ESE is directly subjected may justify the disclosure and sharing of client-related information with UBS AG London Branch for the purpose of providing information to the SEC or with the SEC in the course of On-Site Inspections in Germany. UBS ESE is primarily authorised and supervised in Germany and therefore subject to local rules. We are not aware of any legal literature or case law dealing with the question of whether foreign statute may justify the disclosure of information subjected to the German Banking Secrecy Principle. Therefore, it is uncertain whether such a US rule may justify the disclosure of client-related information.
 
Order of a court / administrative order as Legal Requirement
2.16 Legal literature considers an order of a foreign court to be sufficient to override the legal duties of the German Banking Secrecy Principle. This should also apply to the disclosure of information in the event of a request for information from a foreign authority, provided that this is enforceable in Germany or where, for example, the foreign authority has prosecutorial powers (c.f. Wech, das Bankgeheimnis, p. 458; Canaris, Bankvertragsrecht, Recital 62).
 
 
 
 
2.17 In the case of the SEC, SEC measures are generally not enforceable in Germany and the SEC does not have prosecutorial powers in Germany. Therefore, as in the case of US law, it is unclear whether an SEC order can justify sharing of data. However, in any event, to rely on this exception, UBS ESE would need to balance its interests in complying with the SEC’s disclosure request against the German Banking Secrecy Principle and UBS ESE must satisfy itself that the customer interests do not outweigh its own; this needs to be assessed in practice on a case-by-case basis (c.f. Canaris, Bankvertragsrecht, Recital 62).
BaFin MoU as Legal Requirement[38]
2.18 Pursuant to Article IV paragraph 44 of the BaFin MoU, the SEC is able to directly request Books and Records when necessary to fulfil its regulatory mandate or to conduct On-Site Inspections. However, in this regard we note the following: (i) The BaFin MoU is a public law arrangement. It is unclear whether it can have an effect on the German Banking Secrecy Principle which is, as set out above, rooted in civil law. (ii) More importantly, pursuant to Article II paragraph 28 of the BaFin MoU, the BaFin MoU “does not create any legally binding obligations, confer any rights or supersede domestic laws, nor should it be construed as an agreement to limit the protection and safeguards provided by the laws applicable to the authorities and does not confer upon any person the right or ability, directly or indirectly, to obtain, suppress, or exclude any information or to challenge the exchange of information under this MoU”. Consequently, the BaFin MoU lacks the authority of statute.
 
2.19 Nevertheless, whilst the position is not free from doubt, in our view one could well argue that the combination of the BaFin MoU, the US laws and the SEC orders justify the sharing of data from a banking secrecy perspective.
2.20
 
Sharing of information in case of “consent” – assessment
2.21 In case there is no Legal Requirement on the basis of which client-related information sharing can be justified, sharing of client data protected by the German Banking Secrecy Principle may only be based on customer consent.
2.22 Customer consent exists in the form of implied or explicit consent: There are recognised circumstances in which the sharing and disclosure of client-related data is in the interest of the relevant client. In such cases, the German Banking Secrecy Principle shall not prevent the disclosure or sharing of client-related data as the sharing of customer data is justified by implied consent (konkludente Einwilligung). Otherwise, explicit consent would be required.
Explicit consent
2.23 Generally speaking, explicit consent can always justify information sharing. Such explicit consent must be provided on a case-by-case basis for the duration of the contractual relationship. This means that a consent in form of a more general consent, i.e. consent allowing the transfer of information to the US in any circumstance, may not be sufficient. Please note that we have assumed at Assumption of that UBS ESE has validly obtained such explicit consent.
Implied consent (disclosure of information in the clients’ interest)
2.24 In an economy of scale with regard to the provision of services by UBS ESE and the receipt of services by the customers, the sharing of information is a key requirement for the efficient running of a banking business. The German Banking Secrecy Principle shall not compromise this (c.f. WM 2000, p. 503). Therefore, it is recognised that the sharing of information can be justified by implied consent where such sharing of information is, from a broader perspective, in the interest of the customers. This requires, however, a balancing of interests.
[38] The ECB MoU contains similar rules.
 
 
2.25 As a consequence of the registration of UBS AG as an SBSD in the US, we understand that the customer benefits by having access to a wider range of products. While not being a typical case of sharing of information for an economy of scale, we nevertheless believe that one can well argue that such benefits can form the basis of an implied consent.
 
2.26 However, as mentioned, to rely on this exception, UBS ESE must balance its interests in complying with the SEC’s disclosure request against the principle of the German Banking Secrecy Principle and UBS ESE must satisfy itself that those interests do not outweigh its own. While this would need to be assessed on a case-by-case basis, it seems that, as a matter of principle, for those clients who personally make use of the opportunities resulting from the access to SBS transactions, such benefits may outweigh the data sharing.
 
Potential sanctions in case of a breach of the German Banking Secrecy Principle – Overview
2.27 A breach of banking secrecy has civil law consequences for UBS ESE. It entitles the customer to terminate the contract with UBS ESE without notice (c.f. No. 18(2) AGB-Banken) as well as to claims for damages, injunctive relief and claims for restitution or deletion of the data.
2.28 Note that a successful claim for breach of banking secrecy must demonstrate that there has been an unauthorised use of confidential information to the detriment of the Rights Holder, i.e. the customer.
3. PRINCIPLE OF TERRITORIALITY
3.1 According to the general territorial principle of international law, a state that wishes to take action outside its sovereign borders is, as a general rule, referred to private law, because the territorial principle of international law limits the validity of its sovereign acts to its national territory. In this respect, the SEC is in principle not authorized to take sovereign action, including On-Site Inspection and obtaining access to Covered Books and Records, in Germany. However, such a permission can be found in an MoU between BaFin and the SEC. While this MoU is non-binding, in our view it should allow those actions to be taken without a breach of the general territorial principle.
***
 
 
 
 
 
 
 
 
 
 
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
 
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBS ESE or, as the case may be, UBS AG has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
 
5. Any data held by UBS ESE that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE in Germany. Whilst UBS ESE will be subject to direct On-Site Inspection by the SEC in Germany, UBS ESE will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
 
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
7. Similarly, UBS ESE will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR.[39] We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the competent German data protection authorities) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[40]
 
8. It is the SEC’s practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the EU GDPR (as described in paragraph of to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the competent German data protection authorities).[41]
[39] These principles are set out in at paragraph
[40] See the SEC Guidance at 85 FR 6298.
 
9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[42] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
10. UBS ESE has policies in place directing its staff not to use UBS ESE’s communication services (e.g. business e-mail accounts, telephones, chat services, etc.) for private purposes, and directing its staff not to use private communication services for business purposes.
11. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)[43]).
12. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.
***
[41] See the SEC Guidance at 85 FR 6298.
[42] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
[43] Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 
 
UBS AG London Branch
5 Broadgate
London
EC2M 2QS
Allen & Overy
Serrano 73
28006 Madrid Spain
Tel +34 91 782 98 00
Fax +34 91 782 98 99
Our ref 0036335-0000808
25 October 2021
Dear Sir or Madam
 
UBS AG registration as a non-resident security-based swap dealer
 
1. BACKGROUND
1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).
1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 to 3.5 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).
1.3 Associated persons of UBS AG located in Spain who effect UBS transactions on behalf of UBS AG will be employed by the Spanish branch of UBS Europe SE (UBS ESE ES) which is incorporated in Germany and authorised to provide services in Germany and Spain (among other jurisdictions). Accordingly, UBS ESE ES will maintain certain Covered Books and Records in UBS ESE ES on behalf of UBS AG.
1.4 You have asked us to issue an opinion affirming that (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE ES in Spain and (b) UBS ESE ES can submit to On-Site Inspection by the SEC of UBS ESE ES’ Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph 1.2 above[2].
1.5 This opinion is structured as follows:
(a) Section 2: Summary of opinion;
(b) Section 3: Scope, assumptions and qualifications;
(c) Section 4: Revisions to applicable law;
(d) Section 5: Reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.
[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
[2] In accordance with Assumption of Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE ES to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.
 
1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBS ESE ES, will be the Recipient.
 
2. SUMMARY OF OPINION
Subject to the assumptions and qualifications below it is our opinion that:
2.1 UBS ESE ES can, as a matter of applicable Spanish law, submit to On-Site Inspection by the SEC. There is no restriction on UBS ESE ES submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBS ESE ES’ ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Spain and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.
2.2 UBS ESE ES can, as a matter of applicable Spanish law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE ES in Spain either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Spain[3].
Data Protection[4]
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE ES’ clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the EU has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBS ESE ES were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Spain.
 
2.4 We anticipate that the legitimate interest legal basis for processing is likely to be the most applicable ground under the EU GDPR and Spanish DPA to enable disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
 
2.5 Where UBS AG London Branch makes onward transfers to the SEC in the US of personal data received from UBS ESE ES on the basis of the legitimate interests derogation, UBS ESE ES must inform the Spanish Data Protection Authority and data subjects prior to the transfer: we note that UBS ESE ES would need to assess the ability to rely on this derogation in each case.
 
Credit institutions’ duty of confidentiality
2.6 Spanish law sets out a duty of confidentiality applicable to UBS ESE ES – it is a Spanish branch of a credit institution and so is subject to Spanish rules on organisation and discipline of credit institutions. By virtue of this, UBS ESE ES is obliged to keep confidential information on its customers' balances, positions, transactions and other operations, which shall not be communicated to third parties or publicly disclosed. This duty only applies to information held or controlled by UBS ESE ES that relates to its customers.
[3] Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption
[4] Please refer to section of for definitions of Data Protection Laws, EU GDPR and the Spanish DPA.
0036335-0000808 UKO1: 2005598297.13
2.7 Nevertheless, disclosure with consent, or under another recognised exception, would not amount to a breach of these legal duties. Ideally, the consent should specify not only the purpose of the disclosure (to provide UBS AG London Branch with access to the Covered Books and Records in order to forward this information to the SEC), but also which specific entities will be the recipients of the Covered Books and Records (UBS AG London Branch). However, the consent clause agreed with the client could be broad enough that any UBS entity could be entitled to have access to the Covered Books and Records and could be delivered to the SEC. In this regard, it should be noted that in accordance with assumption 4 (set out in Annex 2) UBS ESE ES has obtained or will obtain the necessary consents. On that basis, UBS ESE ES would not breach the duty of confidentiality.
2.8 In addition, disclosure to a supervisory authority is also exempted from confidentiality. Therefore, the disclosure to the Spanish National Securities Market Commission (CNMV) in exercise of its supervisory powers on the grounds of a request in the context of a cooperation with the supervisory authorities of a third country such as the SEC (such cooperation being a specific power of the CNMV recognised by Spanish law) would also be, in our view, deemed exempted for the On-Site Inspection to the extent the request for the On-Site Inspection is made to the regulatory authorities of UBS ESE and it is covered by the cooperation arrangements with the CNMV or the ECB. This request to conduct On-Site Inspection should be addressed to the relevant legal entity subject to the duty of confidentiality (in this case, UBS ESE or UBS ESE ES) by the relevant supervisory authority (the CNMV or the ECB) in the context of a cooperation with the supervisory authorities of a third country such as the SEC, and not under a demand addressed to a branch of a third country credit institution (UBS AG London Branch).
Spanish authorities’ arrangements with the SEC
2.9 In 1992, the CNMV and the SEC signed a Memorandum of Understanding (the 1992 CNMV MoU)[5] for cooperation between authorities, agreeing to provide each other with all the assistance permitted by their respective regulations, including in relation to granting information and documents from persons, and conducting inspections or reviews of entities carrying out securities market activities for their own account or for the account of others.
Although the 1992 CNMV MoU is recognised as a mere statement of intent and does not imply the imposition of any legal obligations on either party nor can it in any way operate as a substitute for the local law applicable in each case, the CNMV has broad supervisory powers conferred by Spanish law[6] and the exercise of these powers in the context of a cooperation by the CNMV with third country supervisory authorities such as the SEC would waive the application of the confidentiality duties that apply to UBS ESE ES.
2.10 Additionally, on August 16, 2021, the SEC and the European Central Bank (ECB)[7] signed a Memorandum of Understanding (the ECB MoU).[8]
[5] Memorandum of Understanding between the Securities and Exchange Commission of the United States and the Comisión Nacional del Mercado de Valores of Spain for consultation and cooperation in the application of legal provisions relating to securities markets, 8 July 1992 (Memorandum de Entendimiento entre la Securities and Exchange Commission de Estados Unidos y la Comisión Nacional del Mercado de Valores de España para la realización de consultas y cooperación en la aplicación de las disposiciones legales relativas a los mercados de valores, de 8 de julio de 1992).
[6] Article 234 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[7] As UBS ESE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.
[8] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).
 
2.11 Lastly, on October 21, 2021, the SEC, the CNMV and the Bank of Spain (BoS) signed a Memorandum of Understanding (the 2021 MoU)[9] regarding consultation, cooperation and the exchange of information in the supervisory and oversight of certain over-the-counter derivatives entities that operate on a cross-border basis in the United States and Spain in connection with the use of substituted compliance by such entities.
Privacy and Human Rights
2.12 Protection for the general fundamental “right to respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in Spain. Actions in respect of Article 8 ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the EU GDPR and Spanish DPA.
 
2.13 Article 8 ECHR is, as it were, the legal foundation on which the EU GDPR has been based. The EU GDPR details the fundamental right laid down in Article 8 ECHR. Thus, Article 8 ECHR and the EU GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE ES falls entirely within the scope of and is in compliance with the EU GDPR and Spanish DPA, we consider the general fundamental right set out in Article 8 ECHR will be protected.

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.

3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London branch, of Covered Books and Records held on its behalf by UBS ESE ES in Spain and On-Site Inspection of UBS ESE ES by the SEC in Spain. This opinion applies equally to remote access from the United States to Covered Books and Records held in Spain. This opinion excludes books and records held in the US. Where matters considered in this opinion are not governed by laws applying to the entirety of Spain, this opinion relates solely to matters of Spanish law and European Union (EU) law that is directly applicable in Spain (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union).

3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:

(a) relate to the US business[10] of the non-resident SBSD.[11] These are the records that relate to an SBS that is either:

(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[12] (US Person) (other than an SBS conducted through a foreign branch of such US Person[13]); or

(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[14] or

(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[15]

3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 This opinion covers data relating to:

(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE ES) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE ES (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE ES acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in Spain is not within scope of this opinion); and

(b) the activities of the staff of UBS ESE ES pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).

This opinion only covers transactions entered into by UBS AG where UBS ESE ES is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE ES and its own counterparties (even though UBS ESE ES may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).

3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.8 No opinion is expressed on matters of fact.

3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE ES staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE ES offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE ES also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE ES may be able to rely on an alternative basis for disclosure (e.g. the public interest exception).

[9] Memorandum of Understanding between the Securities and Exchange Commission of the United States, the Comisión Nacional del Mercado de Valores of Spain and the Bank of Spain concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities.

[10] As defined in 17 CFR §240.3a71-3(a)(8).

[11] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).

[12] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

[13] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).

[14] 17 CFR § 240.3a71-3(a)(8)(i)(B).

[15] The requirement set out in this paragraph does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see Assumption set out in

4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules[16] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:

(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;

(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or

(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of Spain and EU law that is directly applicable in Spain (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:

(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and

(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

[16] 17 CFR § 240.15Fb2-4(c)(2).
 
 
Yours faithfully,

Allen & Overy

ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (EU GDPR) and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (Spanish DPA) (together, the Data Protection Laws) will apply to UBS ESE ES’ disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE ES’s staff as well as clients.
 
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE ES’ disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the Data Protection Laws relating to UBS ESE ES’ ability to disclose personal data to the SEC are set out below.

Legal basis for the disclosure
1.4 UBS ESE ES requires a legal basis under Article 6 of the EU GDPR and the Spanish DPA to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement under applicable Spanish law (e.g. confidentiality duties – please see section 2). Whilst there are a number of Article 6 legal bases on which UBS ESE ES may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE ES will need to consider the most appropriate legal basis to apply to any given situation.

1.5 The Article 6 legal bases that seem the most relevant and applicable to UBS ESE ES, together with their respective limitations, are as follows:

(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes. As a practical matter, in Spain, it would be very difficult to establish that consent is freely given where information relates to UBS ESE ES staff, in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE ES offers its staff a genuine choice over how the data is used, and will only continue to be an appropriate legal basis if UBS ESE ES also offers its staff the opportunity to withdraw consent at any time.
 
(b) Legitimate interests (Article 6(1)(f)): This is a more flexible legal basis for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE ES must:

(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;

(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and

(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own. If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE ES or the third party.

An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBS ESE ES would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account the “reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE ES may argue that its interests are not outweighed by those of its clients or its employees on the basis that:

(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and

(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.

In addition, while focused on the relationship between the SEC and the CNMV, the existence of the 2021 MoU arguably reflects an acceptance in Spain that the SEC has a duty to regulate SBS markets and may need to access information maintained by financial institutions located in Spain for this purpose.[17] This argument is further supported by the ECB MoU, which similarly reflects an understanding of the SEC’s duties and an acceptance regarding the need for information, including personal data, to be provided to the SEC.[18]

Also relevant to this balancing of interests are that the SEC will:

(1) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[19] and

(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws[20].

[17] Please refer to Articles IV and V of the 2021 MoU.

[18] For the avoidance of doubt, we note however that neither the 1992 CNMV MoU nor the ECB MoU stipulates any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.

(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE ES is subject (Article 6(1)(c)): There must be a Spanish nexus in order for UBS ESE ES to be able to rely on this legal basis. Article 6(3) of the EU GDPR and Article 8(1) of the Spanish DPA require that the legal obligation must be laid down by a Spanish rule with the status of a law (other instruments such as decrees or regulations will not be sufficient) or EU law,[21] although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE ES as the person subject to it.[22]

In the context of this legal basis for processing, a direct request from the SEC in the absence of a Spanish legal requirement (e.g. a lawful request from the CNMV in the exercise of its powers) would not justify the disclosure as being necessary for compliance with such an obligation.

(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): There must be a Spanish nexus in order for UBS ESE ES to be able to rely on this legal basis. Article 8(2) of the Spanish DPA requires that the task carried out in the public interest derives from the powers conferred by a Spanish rule with the status of a law (other instruments such as decrees or regulations will not be sufficient) or EU law.

In the context of this legal basis for processing, a direct request from the SEC in the absence of powers conferred by a Spanish rule with the status of a law or EU law (e.g. a lawful request from the CNMV in the exercise of its powers) would not justify the disclosure as being necessary for the performance of a task carried out in the public interest.

1.6 Based upon the above, the legitimate interests basis for processing is likely to be the most appropriate Article 6 ground on which UBS ESE ES could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. However, to rely on the legitimate interests ground, UBS ESE ES needs to undertake a balancing test as outlined above.

1.7 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE ES might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, for an associated person who is not a US Person.[23] However, to the extent that this does occur, and such information is held by UBS ESE ES, in addition to an Article 6 legal basis, UBS ESE ES will need to establish an additional legal basis for processing under Article 9 of the EU GDPR and the Spanish DPA if it discloses special categories of data to the SEC. Other than valid consent[24] when applicable for certain special categories of data[25] and public interest due to the limitations discussed in paragraphs 1.5(a) and (d) above, the Article 9 legal basis that may be applicable to disclosure of Covered Books and Records is processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f)). However, please note that there is no guidance from the Spanish Data Protection Authority on the applicability of this particular legal basis and that it is also uncertain whether this legal basis can be extended to this case.

[19] Please refer to Assumptions and in Annex 2, as well as section 5 of the 1992 CNMV MoU and Article II and paragraph 49 of the ECB MoU.

[20] Please refer to Assumption in Annex 2, as well as section 6 of the 1992 CNMV MoU and paragraph 56 of the ECB MoU.

[21] Article 8(1) of the Spanish DPA establishes that such Spanish rule with the status of a law or EU law may: (i) determine the general conditions of the processing and the types of data to be processed as well as the transfers that may take place as a result of compliance with the legal obligation; and (ii) impose special conditions on the processing, such as the adoption of additional security measures.

[22] Recital 41 EU GDPR.

[23] As we understand is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).

1.8 Similarly, processing of personal data relating to criminal convictions and offences is highly restricted, and can only be disclosed where it is authorised by a rule of EU law, by the Spanish DPA or by other Spanish laws or rules that have the force of law. In the absence of such rule of EU law, by the Spanish DPA or by other Spanish laws or rules – and we are aware of no such law or rule that would authorise this disclosure to the SEC – UBS ESE ES could not disclose these personal data to the SEC. In practice, this restriction on UBS ESE ES is dealt with by this information being provided and/or transferred directly by the individual (here, staff of UBS ESE ES) to the requesting party (here, the SEC).

Data protection principles
1.9 In addition to establishing a legal basis for the disclosure, UBS ESE ES would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the EU GDPR. For example, UBS ESE ES must:

(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);

(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;

(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;

(d) ensure that the data is accurate and, where necessary, kept up to date;

(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and

(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.

1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE ES to verify this and implement its own compliance measures.

International transfers
1.11 The general principle in the EU GDPR is that UBS ESE ES may not transfer personal data to a jurisdiction outside the European Economic Area (EEA), unless it can satisfy a condition for the transfer as set out in Chapter V of the EU GDPR.

[24] Article 9(2)(a) of the EU GDPR please also refer to limitations on the applicability of consent discussed in paragraph of section :

[25] i.e., genetic data, biometric data when used for ID purposes and health information. Article 9(1) of the Spanish DPA establishes that processing may not be based on consent alone if its main purpose for the processing is to identify racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, data concerning sex life or sexual orientation. This shall not prevent the processing of such special categories of data under the other legal basis of Article 9 of the EU GDPR.
 
1.12 Article 45 of the EU GDPR allows for UBS ESE ES to transfer personal data to a recipient outside the EEA where the European Commission has decided that this third country ensures an adequate level of protection. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[26] allows transfers of personal data from the EEA, including Spain, to the UK to be made freely. Any transfer from UBS ESE ES to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).

1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE ES’ Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the United Kingdom addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR[27] and UK Data Protection Act 2018 is “in substance identical” to the transfer regime under the EU GDPR.[28] The primary options available to UBS AG London Branch pursuant to this EU GDPR restriction applicable to UBS ESE when disclosing UBS ESE ES’ Covered Books and Records to the SEC in the US are set out in paragraph 1.14 of this Annex 1, below.

1.14 Derogations (Article 49 of the EU GDPR)[29]: Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations from the transfer prohibition are potentially available under EU GDPR for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE ES’ Covered Books and Records to the SEC.
 
1.15 These derogations include:[30]

(a) Consent: Consent must be freely given in order to be valid.[31]

(b) Legitimate interests: a data transfer on the basis of legitimate interests may take place if (i) the transfer is not repetitive, (ii) the transfer concerns only a limited number of data subjects, (iii) the transfer is necessary for the purposes of compelling legitimate interests pursued by UBS ESE ES, (iv) UBS ESE ES’ legitimate interests are not overridden by the interests or rights and freedoms of the Rights Holder, (v) UBS ESE ES has assessed all the circumstances surrounding the data transfer, and (vi) UBS ESE ES has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data,[32] the legitimate interests derogation may be the most appropriate Article 49 of the EU GDPR ground on which UBS ESE ES could rely to transfer data to the SEC. In addition, according to Article 43 of the Spanish DPA, UBS ESE ES shall inform the Spanish Data Protection Authority of the international data transfer to the SEC based on legitimate interests. UBS ESE ES shall also inform data subjects of the transfer and of the overriding legitimate interests pursued. This information shall be provided prior to the carrying out of the transfer.

[26] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.
[27] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.
[28] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
[29] The European Data Protection Board has issued guidelines to provide guidance as to the application of Article 49 of the EU GDPR on derogations in the context of transfers of personal data to third countries.
[30] The available derogations also include, among others, a derogation based on public interest. However, the public interest derogation in Article 49(1)(d) of the EU GDPR regarding international transfers of personal data refers to the transfer being ‘necessary for reasons of public interest’ and differs from the public interest legal basis in Article 6(1)(e) of the EU GDPR (referring to the processing being ‘necessary for the performance of a task carried out in the public interest’). However, please note that there is no guidance from the Spanish Data Protection Authority on the applicability of this particular derogation and that it is also uncertain whether this derogation can be extended to this case.
[31] Please refer to paragraph of this Annex 1 and note that valid consent is assumed in Assumption of Annex 2.
[32] Last paragraph of Article 49(1) of the EU GDPR.
 
 
0036335-0000808 UKO1: 2005598297.13
 
 
Each of the consent and legitimate interest derogations needs to be applied on a case-by-case basis.[33]
 
1.16 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE ES effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
2. CREDIT INSTITUTIONS’ DUTY OF CONFIDENTIALITY
Scope of duties
2.1 UBS ESE ES, as a branch of a credit institution, is subject to the regulations governing the organisation and discipline of credit institutions in Spain. Accordingly, it shall comply with its duty of confidentiality towards the balances, positions, transactions and other operations of its clients as Right Holders.
2.2 In particular, article 83 of Law 10/2014[34] states as follows:

“Article 83. Duty to reserve information.
1. Institutions and other persons subject to the regulations governing the organisation and discipline of credit institutions are obliged to keep confidential information relating to the balances, positions, transactions and other operations of their customers, which may not be communicated or disclosed to third parties.
2. Exempt from this duty shall be information in respect of which the customer or the law permits its communication or disclosure to third parties or which, as the case may be, is required or must be sent to the respective supervisory authorities or within the framework of compliance with the obligations established in Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism. In this case, the transfer of the information must comply with the provisions of the client itself or with the law. […].
3. Information exchanges between credit institutions belonging to the same consolidated group are likewise an exception to this rule”.
2.3 First, it is worth considering whether or not this rule would apply to the Recipient. In this regard, we must consider the provisions of Law 10/2014[35], which stipulates that branches in Spain of EU credit institutions shall "respect, in the exercise of their activity in Spain, the provisions on the organisation and discipline of credit institutions which, where applicable, are applicable, as well as any others issued for reasons of general interest, whether at the state, regional or local level".
 
2.4 These so-called organisational and disciplinary provisions include the duty of confidentiality as set out in Article 83 of Law 10/2014, which is a rule of Spanish law not derived from EU harmonisation and is applicable to institutions or branches providing banking services in Spain through a passport regime, as the Recipient does.
2.5 By application of the first paragraph of the aforementioned provision, therefore, in the event that the Covered Books and Records contain information relating to the balances, positions, transactions and other operations of the Right Holders, UBS ESE ES would be restricted by this duty in its ability to transmit this information to the SEC. This duty only applies to information held or controlled by UBS ESE ES that relates to its customers.
[33] Article 49(1) EU GDPR at sentence 1 paragraph (a) and sentence 2, respectively.
[34] Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions (Law 10/2014).
[35] In particular, article 12.2 of Law 10/2014.
 
Consent
2.6 However, Article 83(2) of this provision establishes a number of possible waivers or exceptions to this confidentiality duty. Among them, of particular interest and application to the case at hand is the exception whereby the consent of the client to the transfer of data about his balances, positions, transactions and other operations (to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Spain) would automatically mean that such transfer would not constitute a breach by UBS ESE ES of the abovementioned regulation.
2.7 The consent of the client must be sufficiently broad in its drafting to allow the disclosure or delivery of information regarding the Covered Books and Records to UBS AG London Branch and for its providing to the SEC. Ideally, the consent should include that UBS ESE ES is providing access to the Covered Books and Records to UBS AG London Branch and allow UBS AG London Branch to disclose it to regulatory authorities (or specifically to the SEC) or otherwise the consent might not be valid. However, the consent clause agreed with the client could be broad enough that any UBS entity could be entitled to have access to the Covered Books and Records (e.g. the consent clause could include that the information would be transferred to any UBS entity in order to fulfil SBSD requirements before the SEC or other regulatory authorities).
 
2.8 Thus, the right of UBS ESE ES' banking clients to have their banking data covered by confidentiality (which derives from the obligation of the institutions concerned to ensure banking secrecy) is waivable and can be excluded by way of consent. Since this consent, as stated in assumption 4 in Annex 2, is assumed to have been properly gathered, there would be no obstacle arising from the Spanish banking secrecy regulations that would prevent the Recipient from being able to share the Covered Books and Records with the SEC for regulatory compliance purposes.
Credit institution consolidated group exemption
2.9 The provision of access to Covered Books and Records by UBS ESE ES to UBS AG London Branch is also exempted if both credit institutions are part of the same consolidated group (“grupo consolidable”) as set out in article 83(3) of Law 10/2014[36]. Article 83(3) of Law 10/2014 does not specifically define the concept of consolidated group (“grupo consolidable”). However, taking into account that Law 10/2014 is the implementation of CRD IV under Spanish law it is our view that this concept should be interpreted in accordance with Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (CRR). Point (47) of Article 4(1) of CRR defines the concept of “consolidation situation” (the name that CRR gives to consolidated group (“grupo consolidable”)) as:

“the situation that results from applying the requirements of this Regulation in accordance with Part One, Title II, Chapter 2 to an institution as if that institution formed, together with one or more other entities, a single institution.”

Article 11.1 of CRR, which is the first article of Part One Title II, Chapter 2 of CRR, sets out the following:

“Parent institutions in a Member State shall comply, to the extent and in the manner prescribed in Article 18, with the obligations laid down in Parts Two to Four and Part Seven on the basis of their consolidated situation.”
 
2.10 In light of the above, an EU consolidated group (“grupo consolidable”), which can be a sub-group of a larger non-EU consolidation group (as is the case for UBS), exists when the parent company is constituted in an EU Member State. In this regard, it should be noted that in accordance with assumption 5 (set out in Annex 2) UBS AG (a) is the parent company of the UBS group and (b) is not incorporated in an EU Member State (it is a Swiss bank). Under this assumption, UBS ESE ES and UBS AG London Branch would not be part of the same EU consolidated group, the requirements of the exemption to the duty of confidentiality are not met and disclosure would not be allowed.

[36] Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions (Law 10/2014).

Supervisory authorities exemption
2.11 When the consent of the Rights Holder has been duly obtained, as noted above, the aforementioned article 83(2) of Law 10/2014 also includes, as an exception that discharges the Recipient's duty of confidentiality, the case where information is shared at the request or requirement of supervisory authorities:

“[…] Exempt from this duty shall be information in respect of which the customer or the law permits its communication or disclosure to third parties or which, as the case may be, is required or must be sent to the respective supervisory authorities […]”.
2.12 It is uncertain whether a request issued directly by the SEC would fall within this exemption. In our view, and given that the entity to be registered with the SEC is in fact UBS AG as a Swiss bank (i.e. an entity not subject to the supervision of the Spanish supervisory authorities), we consider that the SEC does not fall within the supervisory authorities whose request would be considered to be issued by "the respective supervisory authorities" for the purposes of Spanish law, thus not benefiting from this exemption.
2.13 Nevertheless, it is uncontroversial that the CNMV is indeed an authority with supervisory powers over UBS ESE ES for these purposes, so that a request from this organisation would doubtlessly fall within this exemption. The CNMV's powers under Spanish law[37] also include the CNMV's ability to carry out its supervisory duties and exercise its powers in cooperation with supervisory authorities from other countries (these powers, of course, include requesting information and carrying out on-site inspections, as the Spanish provisions generally provide the CNMV with broad supervisory powers) and, in particular, the Spanish law also provides for the establishment, by the CNMV, of cooperation mechanisms or agreements with supervisory authorities of non-EU countries[38] such as the SEC. The ECB is also an authority with supervisory powers over UBS ESE ES, and cooperation mechanisms between the ECB and the SEC are set out under the ECB MoU[39].
 
2.14 Thus, we consider that this exemption would be applicable in the event that the relevant information or requirement is requested or issued by the CNMV or the ECB in the framework of a supervisory request in the context of cooperation between authorities, such as in the context described in the following section 3. This interpretation can be applied in the context of an On-Site Inspection.
2.15 However, it is our view that this exemption from confidentiality could not be applied in relation to the provision of the Covered Books and Records to UBS AG London if any such request of information has been addressed solely to UBS AG London. For this exemption to be applied, the request of information has to be addressed to the relevant legal entity subject to the duty of confidentiality (in this case, UBS SE or UBS SE Spanish branch) by the relevant supervisory authority (the CNMV or the ECB) in the context of a cooperation with the supervisory authorities of a third country such as the SEC, and not under a demand addressed to a branch of a third country credit institution (UBS AG London Branch). The CNMV could request the Covered Books and Records from UBS ESE ES out of a cooperation mechanism or agreement with a non-EU authority (SEC), but the duty of confidentiality may not be exempted solely on the basis of a request of a branch of a third country credit institution (UBS AG London Branch) (unless the consent exemption applies).
 
[37] Article 234 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[38] Article 247 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[39] Please refer to Article II, Article III and Article V of the ECB MoU.
 
3. SUPERVISORY AUTHORITIES’ ARRANGEMENTS WITH THE SEC
1992 Memorandum of Understanding
3.1 In 1992, the CNMV and the SEC signed the 1992 CNMV MoU. The 1992 CNMV MoU is a Memorandum of Understanding for cooperation between authorities. In particular, these supervisory authorities agreed to provide each other with all the assistance permitted by their respective regulations, including in the event that any of the rules of their markets had been infringed, even if such infringement was not a violation in the jurisdiction of the authority receiving the request for assistance.
3.2 The assistance agreed to be provided includes the following capabilities:
(a) Providing access to information in the records and files of the authority receiving the request for assistance.
(b) Taking testimony and statements from persons.
(c) Obtaining information and documents from persons.
(d) Conducting inspections or reviews of entities carrying out securities market activities for their own account or for the account of others (for this functionality, it is specifically mentioned in the 1992 CNMV MoU that the option for the requesting authority to be present at the inspection is envisaged, although there is no mention of the ability of the requesting authority to conduct an inspection for its own account without the intervention of the local authority).
3.3 The listed functions can indeed be interpreted as enabling access to the Covered Books and Records and the completion of On-site Inspections (in particular points (c) and (d)). However, in the 1992 CNMV MoU the authorities acknowledge that, in some circumstances, they may not have the legal authority to provide the assistance in question and, indeed, recognise that it is merely a statement of intent and does not imply the imposition of any legal obligations on either party nor can it in any way operate as a substitute for the local law applicable in each case.
3.4 Notwithstanding the fact that the 1992 CNMV MoU signing authorities have indeed stated that they may not have the legal authority to carry out their cooperation activities as described therein, it should be noted that in general Spanish law[40] grants the CNMV broad supervisory powers, which include both obtaining information and documentation and conducting on-site inspections. These powers also include the exercise of its powers in a framework of collaboration with supervisory authorities of other states and, in particular, of third states such as the SEC.
 
3.5 The exercise of these powers by the CNMV to exercise the relevant supervisory activities, as mentioned in paragraphs 2.8 to 2.11 above, would also mean that the duty of banking secrecy required from UBS ESE ES towards its customers' balances, positions, transactions and other operations would be exempted by applying the exception whereby this duty of confidentiality does not apply in the event of a request from authorities with supervisory powers, in this case the CNMV (which, in the exercise of its powers, would cooperate in this context with the SEC for the fulfilment of its supervisory duties over SBSDs)[41].
3.6 It should be noted, however, that the purpose of these supervisory and cooperation exercises by the CNMV to issue requirements or carry out supervisory activities should be clearly defined and sufficiently substantiated. Indeed, as explained above, in no case are we talking about legal obligations deriving from the 1992 CNMV MoU and enforceable against the CNMV, which could refuse to carry out the supervisory tasks requested by the SEC on the grounds of, among others, reasons of general interest.

[40] Article 234 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[41] Article 83(2) of Law 10/2014.

2021 Memorandum of Understanding
3.7 In 2021, the SEC, the CNMV and the BoS signed the 2021 MoU. The 2021 MoU is a Memorandum of Understanding for cooperation between authorities. Specifically, these supervisory authorities agreed to cooperate to support the facilitation of the ability of certain entities to comply with particular U.S. requirements through substituted compliance with certain provisions under the laws of Spain and supervision and enforcement by the SEC of its laws and regulations, including as contemplated under substituted compliance. The entities covered by the 2021 MoU are security-based swap entities that operate in the United States and Spain on a cross-border basis.
3.8 Under the 2021 MoU, the SEC, the CNMV and the BoS agreed to consult regularly:[42]
(a) General supervisory and oversight issues or other related developments;
(b) Issues relevant to the operations, activities and regulation related to the activities raised under security-based swaps agreements;
(c) The operation of the 2021 MoU and the substituted compliance order explained below; and
(d) Any other areas of mutual interest.
3.9 In particular, the SEC, the CNMV and the BoS agreed to cooperate and exchange information through the following commitments:[43]
(a) The CNMV and BoS intend to provide to the SEC on an ongoing basis information of the SBSD (Ongoing Notification);
(b) Provision of information for the purposes of supervision and oversight of the relevant security-based swap entity. Such information may include information relevant to the financial and operational condition of the security-based swap entity (Request-Based Information Sharing);
(c) Consultations between authorities to update each other on their respective functions and regulatory oversight programs (Periodic Consultations);
(d) Provision of information on a voluntary basis without request (Provision of Unsolicited Information).
3.10 The cooperation between the SEC, the CNMV and the BoS also includes providing access to information (Direct Requests Made to Covered Firms)[44] and facilitating On-Site Inspections (On Site Visits).[45]
 
3.11 None of the provisions contained in the 2021 MoU should be construed as a limitation on: (i) the SEC’s ability to obtain Covered Books and Records or conduct On-Site Inspections; (ii) the security-based swap entity obligations under U.S. law, including the obligation to provide its Covered Books and Records directly to the SEC; or (iii) a SBSD to provide an opinion of counsel and certification pursuant to Exchange Act Rule 15Fb2-4(c)(1) regarding the SEC’s ability to obtain the Covered Books and Records or conduct On-Site Inspections.[46]
 
[42] Please refer to Article III of the 2021 MoU.
[43] Please refer to Article III of the 2021 MoU.
[44] Please refer to Article IV of the 2021 MoU.
[45] Please refer to Article V of the 2021 MoU.
[46] Please refer to paragraph 46 of the 2021 MoU.
 
3.12 With respect to security swap dealer entities under supervision of the ECB, the commitments contained in the MoU 2021 do not include any information, document or action which is in the sole remit of the ECB or otherwise cannot be shared by the CNMV or the BoS without the consent of the ECB.[47]
 
3.13 The MoU 2021 states that with respect to cooperation under the MoU, no banking secrecy, blocking laws, or other regulations or legal barriers should prevent the authorities from providing assistance to the SEC.[48]
 
3.14 Lastly, the 2021 MoU does not create any legally binding obligations, confer any rights or supersede domestic laws or other laws.[49]
 
ECB MoU
 
3.15 On August 16, 2021, the SEC and the European Central Bank signed the ECB MoU. The ECB MoU is a Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities.
3.16 Under the ECB MoU, the SEC and the ECB agree to provide each other with the fullest cooperation permitted by their respective regulations. The ECB MoU further states that with respect to cooperation under the ECB MoU, no banking secrecy, blocking laws, or other regulations or legal barriers should prevent the ECB from providing assistance to the SEC under the ECB MoU.[50]
 
3.17 The cooperation to be provided by the ECB includes providing access to information[51] and facilitating On-Site Inspections by the SEC[52]. Where necessary in order to fulfil its supervisory and oversight responsibilities, the SEC may conduct On-Site Inspections to inspect, examine, and obtain books and records of the firm being inspected[53].
3.18 For the sake of clarity we note that the ECB MoU does not create any legally binding obligations, confer any rights or supersede domestic laws or other laws[54].
Substituted compliance order
3.19 On 22 October 2021, the SEC granted an application of the CNMV determining that compliance with Spanish legal requirements by the class of market participants specified and described therein satisfies the analogous requirements applicable to a security-based swap dealer or major security-based swap participant registered with the SEC that is not a US Person under Section 15F of the Securities Exchange Act of 1934 and regulations thereunder.
4. PRIVACY AND HUMAN RIGHTS
4.1 Article 8 ECHR confers a general “right to respect for his private and family life, his home and his correspondence”. This right is directly applicable in Spain. The right to privacy clearly applies to natural persons. In certain situations legal persons, such as companies, have been held to benefit from a right to privacy. The European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8 ECHR.[55]
 
[47] Please refer to Article I of the 2021 MoU.
[48] Please refer to paragraph 26 of the 2021 MoU.
[49] Please refer to paragraph 27 of the 2021 MoU.
[50] Please refer to Article II of the ECB MoU.
[51] Please refer to Article III of the ECB MoU.
[52] Please refer to Article V of the ECB MoU.
[53] Please refer to paragraph 45 of the ECB MoU.
[54] Please refer to paragraph 27 of the ECB MoU.
[55] Firma EDV Für Sie, EFS Elektronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.
 
4.2 Article 8 ECHR does not in itself give rise to a free-standing cause of action – instead an action arising from a wrongful act, a breach of agreement or other legal obligation, such as under the EU GDPR, must be brought, and the court will then be obliged to consider the application of Article 8 ECHR.
 
4.3 Article 8 ECHR is, as it were, the fundamental legal foundation on which the EU GDPR has been based. The EU GDPR elaborates on the applicable principles of and the rules on the protection of natural persons when it comes to processing of personal data.[56] The ECHR can further be relied upon when interpreting this EU GDPR law if necessary. The EU GDPR can therefore be seen as the regulation detailing the right laid down in Article 8 ECHR, when it comes to the processing of personal data. The EU GDPR and Article 8 ECHR cannot be seen entirely separately from each other.
Application and exceptions
4.4 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:
(a) in accordance with the law;
This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is an act of parliament, delegated legislation or case law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[57] The relevant consideration on the first aspect is the legal basis on which the court would allow Article 8 ECHR to be breached. The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant legal duty with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.
(b) necessary in a democratic society;
This criterion is intended to ensure the proportionality of an intrusion into private life. To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need;[58] and
(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).
This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.
 
4.5 As the EU GDPR and Article 8 ECHR cannot be seen entirely separately from each other, and the provision of information to the SEC by UBS ESE ES will, insofar as this contains personal data, fall entirely within the scope of the EU GDPR, we consider that the criteria set out in paragraph 4.4 are met, as long as UBS ESE ES complies with the requirements set out in paragraphs 1.1 to 1.12 above.
 
[56] See also recitals (1) and (2) EU GDPR.
[57] Malone v UK [1984] ECHR 10 at 68.
[58] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2.
 
Additionally, in accordance with SEC Guidance at
 
85 FR 6297, books and records pertaining to SBS
transactions entered into prior to the date that UBS AG submits an application for registration are not
Covered Books and Records.
 
3.
 
Where transfers of
 
personal data are
 
made to the
 
SEC in the
 
absence of an
 
adequacy determination,
such disclosure will
 
be made in
 
compliance with Articles 44
et seq
. of the
 
EU GDPR and
 
limited to
what
 
is
 
necessary
 
for
 
the
 
purpose
 
of
 
the
 
transfer
 
(i.e.
 
compliance
 
with
 
the
 
principle
 
of
 
data
minimisation, e.g. by applying less intrusive processing activities
 
such as redaction).
4. UBS ESE ES has obtained all necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records to provide UBS AG London with access to the Covered Books and Records including for forwarding this information to the SEC or to allow On-Site Inspections to the SEC, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE ES, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.

5. UBS AG is not constituted in the EU and is the parent company of the UBS group.
 
 
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.

7. Similarly, UBS ESE ES will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR.⁵⁹ We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE ES can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the ICO) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.⁶⁰
 
8. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the EU GDPR (as described in paragraph 1.2 of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).⁶¹

59 These principles are set out in at paragraph
60 See the SEC Guidance at 85 FR 6298.
 
9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,⁶² pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.

10. Any data held by UBS ESE ES that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE ES in Spain. Whilst UBS ESE ES will be subject to direct On-Site Inspection by the SEC in Spain, UBS ESE ES will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
11. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)⁶³).

12. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.
61 See the SEC Guidance at 85 FR 6298. This assumption also aligns with the information that we understand was provided by the SEC to the ICO per page 2 of the ICO Letter.
62 We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
63 Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 
 
 
 
 
 
 
 
UBS AG Hong Kong Branch
52/F, Two International Finance Centre, 8 Finance Street, Central, Hong Kong

Allen & Overy
9th Floor Three Exchange Square
Central
Hong Kong SAR
China
Tel +852 2974 7000
Fax +852 2974 6999

Our ref CHLR/WWLL/0036335-0000808
20 October 2021
Dear Sir or Madam
 
UBS AG Hong Kong Branch SEC registration as a non-resident security-based swap dealer
1. BACKGROUND

1.1 We understand that UBS AG (UBS), a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD¹ such as UBS must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 and 3.4 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).
1 In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS is incorporated in Switzerland, UBS fulfils this definition of a “non-resident” SBSD.
Managing Partner, Hong Kong
Vicki Liu
Partners
Registered Foreign Lawyers
Matthew J. Bower
Jonathan C.H. Hsui
Roger S.W.Y. Lui
Yvonne E.M. Siew
Eugene T. Chen 2,3
Ian Chapman
Tsui Miu Jing
Simon G. Makinson
Ross A. Stewart
Victor G.H. Ho 2
Fai Hung Cheung
Hui Ting Joanne Lau
William J. McAuliffe
Agnes S.W. Tsang
Jun Kwon Lee 1, 2
Guanyu Fang
Lina Lee
David A. Norman
Patrick P.H. Wong
Stephen M. Miller 1
James Ford
Kung-Wei Liu
François A.C. Renard
Richard M. Woodworth
Matthew J. Hodgson
Cindy H.Y. Lo
Charlotte J.G. Robins
1 Admitted to practise in England and Wales
2 Admitted to practise in California
3 Admitted to practise in Washington DC
Allen & Overy is affiliated with Allen & Overy LLP, a limited liability partnership registered in England and Wales with registered office at One Bishops Square, London E1 6AD.
Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
 
 
 
1.3 UBS will maintain certain Covered Books and Records in its Hong Kong branch (UBSHK), which is a licensed bank authorised by the Hong Kong Monetary Authority (HKMA), and a registered institution registered with the Securities and Futures Commission (SFC) in Hong Kong.

1.4 You have asked us to issue an opinion affirming that UBSHK will be able to provide the SEC with prompt access to its books and records and submit to On-Site Inspection by the SEC in accordance with paragraph 1.2 above.

1.5 This opinion is structured as follows:
(a) Section 2: summary of opinion;
(b) Section 3: scope, assumptions and qualifications;
(c) Section 4: revisions to applicable law;
(d) Section 5: reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.

1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBSHK, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that:

2.1 UBSHK can, as a matter of applicable Hong Kong law, submit to On-Site Inspection by the SEC. There is no restriction on UBSHK submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBSHK’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Hong Kong and the ability to provide the SEC with prompt access to Covered Books and Records.

2.2 UBSHK can, as a matter of applicable Hong Kong law, provide the SEC with prompt access to Covered Books and Records held by UBSHK in Hong Kong.²
 
Data protection
 
2.3 Disclosures of personal data relating to UBSHK’s clients and staff are subject to certain restrictions under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). Provided that a data user (e.g., UBSHK) in Hong Kong controls the collection, holding, processing or use of personal data then the PDPO applies.

2.4 Under the PDPO, there are six data protection principles (DPP) that UBSHK, as a data user, must comply with. In particular, DPP 3 is directed against the misuse of personal data and sets out that personal data shall not, without UBSHK’s clients’ and staff’s prescribed consent, be used for any purpose other than the purpose for which the data was to be used at the time of the collection of the data or a purpose directly related to the purpose at the time of collection. In this regard, “prescribed consent” means consent that is expressly and voluntarily given and has not been withdrawn by UBSHK’s clients and staff in writing.
 
2 Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption
 
 
0036335-0000808 UKO1: 2005333372.8
 
 
 
2.5 Therefore, the disclosure and transfer of personal data to the SEC in the US would require UBSHK’s clients’ and staff’s prescribed consent under DPP 3 if such use was not stipulated in a notification given to its clients and staff – commonly known as the personal information collection statement (PICS) – provided at the time the personal data was collected.
 
Common law duties of confidentiality
2.6 The general duty of confidentiality applies to non-public information held or controlled by UBSHK that relates to any person. The banker’s duty of confidentiality arises due to the nature of the relationship between a banker and their customer (and this duty does not apply to information held or controlled by UBSHK that relates to any person other than its customers). Finally, every employment relationship held by UBSHK contains an implied legal duty of mutual confidence, however, this is very narrow in scope and is unlikely to apply where UBSHK is making disclosures to the SEC in the normal course of its SBS business and in accordance with SEC requirements.

2.7 Disclosure with consent, or under another recognised exception, would not amount to a breach of these legal duties.

2.8 These duties of confidentiality will not apply to any information contained in the Covered Books and Records or to On-Site Inspection insofar as information made available to the SEC is owned by or relates to UBSHK itself, rather than owned by or relating to UBSHK’s clients or, in the case of the general and employer’s duties only, its staff.

2.9 In this regard, reliance on valid consent would establish certainty that the duties of confidentiality have been overcome. Alternatively, it may be possible, where the information held relates to clients, to rely on the own interest exception to the banker’s (but not general or employer’s) duty of confidentiality. However, as this requires a case-by-case balancing of the competing factors in favour of each of the bank and the Rights Holder, this will provide a less reliable basis for disclosure than the bases noted above. However, absent consent and the own interest exception, and because the public interest exception is yet to receive formal judicial recognition in Hong Kong, UBSHK may, as a last resort, consider seeking a court order prior to permitting the SEC to access its Covered Books and Records and to conduct On-Site Inspection of UBSHK.
 
Privacy and human rights

2.10 At present, there is no stand-alone basis to bring a claim for ‘invasion of privacy’ under Hong Kong law. Article 14 of the Hong Kong Bill of Rights Ordinance (Cap. 383) (BOR) states that “no person shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence”, and that everyone has the right to the protection of the law against such interference.

2.11 Insofar as remedies are concerned however, the BOR only binds the Hong Kong government and public authorities. The right to privacy under the BOR cannot be enforced against private persons.³ Accordingly, Article 14 affords no protection to UBSHK’s staff or clients whose right of privacy has been infringed by UBSHK, being a private person.

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.
 
 
3 In Tam Hing Yee v Wu Tai Wai [1992] 1 HKLR 185, the court ruled that the BOR does not apply to litigation involving only private citizens and therefore consistency of a statutory provision with the BOR cannot be challenged in such proceedings.
 
 
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC of Covered Books and Records held by UBSHK in Hong Kong and On-Site Inspection of UBSHK by the SEC in Hong Kong. This opinion applies equally to remote access from the US to Covered Books and Records held in Hong Kong. This opinion excludes books and records held in the US.

3.2 This opinion has been prepared in accordance with UBS’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business⁴ of the non-resident SBSD.⁵ These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)⁶ (US Person) (other than an SBS conducted through a foreign branch of such US Person⁷); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the US (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;⁸ or
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.⁹

3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.6 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.7 No opinion is expressed on matters of fact.
 
4 As defined in 17 CFR §240.3a71-3(a)(8).
5 Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).
6 A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).
7 A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).
8 17 CFR § 240.3a71-3(a)(8)(i)(B).
9 The requirement set out in this paragraph does not apply to UBSHK because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBSHK is a prudentially regulated SBSD – please see the assumptions set out in
 
 
 
4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules¹⁰ require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of Hong Kong in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

Yours faithfully,

Allen & Overy
 
10 17 CFR § 240.15Fb2-4(c)(2).
 
 
 
ANNEX 1
 
OPINION
1. DATA PROTECTION

1.1 The PDPO will apply to UBSHK’s disclosure of Covered Books and Records to the SEC to the extent that these comprise or contain personal data. “Personal data” is data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained and in a form in which access to or processing of the data is practicable, so may extend to information on UBSHK staff as well as clients.

1.2 Key restrictions in the PDPO relating to UBSHK’s ability to disclose personal data to the SEC are set out below.
Legal basis for the disclosure
1.3 Pursuant to section 4 of the PDPO, a “data user” must not do an act, or engage in a practice, that contravenes a DPP save as required or permitted under the PDPO. A “data user”, in relation to “personal data”, means “a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use” of the data. In particular, the word “use” is defined to mean “in relation to personal data, includes disclose or transfer the data”. Note that the PDPO does not have extra-territorial application and only applies to data users who control the collection, holding, processing or use of “personal data” in Hong Kong.¹¹ We assume that UBSHK controls the collection, holding, processing or use of personal data in Hong Kong and is a “data user” under the PDPO.

1.4 Of note, the PDPO does not (currently) regulate the transfer of personal data to places outside of Hong Kong.¹²

1.5 Schedule 1 of the PDPO sets out the six DPPs, namely:
(i) Principle 1—purpose and manner of collection of personal data (DPP 1);
(ii) Principle 2—accuracy and duration of retention of personal data;
(iii) Principle 3—use of personal data (DPP 3);
(iv) Principle 4—security of personal data;
(v) Principle 5—information to be generally available; and
(vi) Principle 6—access to personal data.

Applicable DPPs

1.6 In the event that UBSHK is required to disclose any personal data to the SEC, DPP 3, which governs the use of personal data, is most relevant for UBSHK as a data user. As mentioned, disclosure also amounts to “use” and therefore, any improper use (including disclosure or transfer) of personal data by the data user may contravene the requirements under DPP 3.
 
 
 
11 However, control would not be lost or vitiated even if disclosure would be required under compulsion of law, if any, so long as such person had control over the relevant personal data in the first place (see AAB No. 16/2007, a case decided by the Administrative Appeals Board that hears and determines appeals lodged against PCPD’s enforcement decisions).
12 See discussion on section 33 of the PDPO below.
 
 
 
1.7
 
In order not to contravene DPP 3, the use of personal data must be for a purpose:
(a)
 
that is the same as
 
the purpose for which the
 
data was to be used
 
at the time of their
 
original
collection by the data user;
 
(b)
 
directly related to the original purpose of collection; or
(c)
 
to which the “prescribed consent”
13
 
of the data subject has been obtained.
1.8
 
Separately, in situations where the use of personal data for purposes unrelated to the original purpose
of
 
collection
 
is
 
necessary,
 
and
 
the
 
prescribed
 
consent
 
of
 
the
 
data
 
subject
 
is
 
not
 
possible
 
(e.g.,
 
in
reporting of
 
evidence of
 
crime to
 
the law
 
enforcement agencies),
 
then Part
 
8 of
 
the PDPO
 
contains
relevant provisions exempting
 
personal data from
 
the application of
 
DPP 3 in
 
certain circumstances
(see paragraph 1.15 below).
Original Purpose
 
1.9
 
In
 
ascertaining
 
what
 
amounts
 
to
 
the
 
original
 
purpose of
 
collection,
 
one
 
major
 
factor
 
would
 
be
 
the
purpose of collection
 
as stated in
 
the notification given
 
to the data
 
subject under DPP1
 
– commonly
known as the Personal Information Collection Statement (
PICS
).
 
1.10
 
In
 
particular,
 
under
 
DPP 1(3)(b)(i),
 
the
 
individual must
 
be, on
 
or
 
before the
 
collection of
 
the
 
data,
explicitly informed of:
(a)
 
the purpose (in general or specific terms) for which the data are to
 
be used; and
(b)
 
the classes of persons to whom the data may be transferred.
1.11
 
In this
 
regard, the
 
data subject’s
 
reasonable expectation
 
on the
 
data user’s
 
use
 
of his
 
personal data
would also be a major factor to determine whether or not it relates directly
 
to the original purpose.
14
 
1.12
 
Therefore, whether UBSHK would be
 
able to disclose personal
 
data to the SEC
 
depends on whether
disclosure to the SEC was the same as the purpose for which the data was
 
to be used at the time of its
original collection or directly related to the original purpose of
 
collection.
 
Prescribed Consent
 
1.13
 
Section 2(3) of the PDPO
 
defines “prescribed consent”
 
to be an express consent
 
given voluntarily and
consent that has not been withdrawn by notice in writing.
15
 
Therefore, implied consent from conduct
or omission would not be sufficient and should not be deemed given by silence or no objection.
 
1.14
 
If UBSHK is
 
able to obtain
 
prescribed consent from
 
its staff or
 
clients then it
 
would be able
 
to disclose
such personal data to the SEC.
Part 8 Exemptions
1.15 Part 8 of the PDPO provides for exemptions to, among others, DPP 3 where use of the personal data is for certain exempted purpose(s) and the data user has reasonable grounds to believe that failure to so use the personal data would prejudice the exempted purpose(s).
 
[13] See paragraph below.
[14] In Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner’s perspective (2nd Edition), the PCPD notes an example where a data subject would have a reasonable expectation that his data provided in an account opening form would be used for purposes related to his application for service, but not for any other unrelated purposes, for instance selling the data to third parties.
[15] Section 2(3) states that “Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent – (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served).”
 
0036335-0000808 UKO1: 2005333372.8
 
1.16 Of note, the Part 8 exemptions do not require the data user to disclose or use the personal data for the exempted purpose(s) but it is only to be invoked by the data user to justify the use of personal data as “permitted” under section 4 of the Ordinance.
1.17 Among the Part 8 exemptions, the most relevant in this case would be section 58 of the PDPO. Section 58(1) and (2) state that:
“(1) Personal data held for the purposes of—
(a) the prevention or detection of crime;
(b) the apprehension, prosecution or detention of offenders;
(c) the assessment or collection of any tax or duty;
(d) the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
(e) the prevention or preclusion of significant financial loss arising from—
(i) any imprudent business practices or activities of persons; or
(ii) unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
(f) ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on any thing—
(i) to which the discharge of statutory functions by the data user relates; or
(ii) which relates to the discharge of functions to which this paragraph applies by virtue of subsection (3); or
(g) discharging functions to which this paragraph applies by virtue of subsection (3),
is exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to—
(i) prejudice any of the matters referred to in this subsection; or
(ii) directly or indirectly identify the person who is the source of the data.
(2) Personal data is exempt from the provisions of data protection principle 3 in any case in which—
(a) the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data is held for any of those purposes); and
(b) the application of those provisions in relation to such use would be likely to prejudice any of the matters referred to in that subsection,
and in any proceedings against any person for a contravention of any of those provisions it shall be a defence to show that he had reasonable grounds for believing that failure to so use the data would have been likely to prejudice any of those matters.”
 
 
 
 
 
1.18 To summarise, exemption from DPP 3 is available under section 58(2) for the purposes specified in section 58(1) and where the application of DPP 3 would be likely to prejudice any of those purposes specified in section 58(1).
 
1.19 We understand that disclosure to the SEC is, at least in part and/or for certain types of records, for the purposes of preventing fraud or crime (e.g., records relating to transactions and persons involved in transactions), further supporting this view.
 
1.20 Therefore, the most relevant limbs under section 58(1) may be paragraphs (a) (the prevention or detection of crime), (b) (the apprehension, prosecution or detention of offenders), and (d) (the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons).
 
1.21 As regards paragraphs (a) and (b), the Administrative Appeals Board has previously decided that it only applies to crimes and offences under Hong Kong law and therefore violation of foreign laws would not be sufficient.[16] There is also a lack of authority to suggest that paragraphs (c) to (f) would apply to situations that occur outside Hong Kong and UBSHK may be unlikely to rely on any unlawful and seriously improper conduct that occurred outside Hong Kong or in accordance with foreign laws in order to satisfy section 58(2).
 
1.22 In addition, even if any of the purposes under section 58(1) apply, UBSHK would have to prove that the effect of such failure to disclose data to the SEC would be “likely to prejudice” any such matters (as required by section 58(2)(b)). In this regard, the Office of the Privacy Commissioner for Personal Data (PCPD), the statutory body enforcing the PDPO, has recommended that in case of doubt, it is prudent for the data user to ask the law enforcement agency why the data was considered necessary and also how the failure to use such data would be likely to prejudice the intended purpose.[17]
 
International transfers
1.1 As mentioned previously, the PDPO does not have extra-territorial application and only applies to data users who control the collection, holding, processing or use of “personal data” in Hong Kong. Furthermore, the PDPO does not (currently) regulate the transfer of personal data to places outside of Hong Kong.[18]
 
2. COMMON LAW DUTIES OF CONFIDENTIALITY
2.1 The general, banker’s and employer’s duties of confidentiality are distinct duties. However, the case law on each duty informs the approach to the other, with the banker’s and employer’s duties existing in acknowledgement of the specific circumstances that arise as between a bank and its customers or employees (respectively). Given the common law position on these duties is largely aligned, these are dealt with together here.[19]
 
[16] AAB No. 16/2007
[17] Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner’s perspective (2nd Edition), paragraph 12.43.
[18] For completeness, section 33 of the PDPO restricts the transfer of personal data to a place outside Hong Kong unless one of the specified conditions is met. However, section 33 has yet to be brought into force since its enactment in 1995 and there is no timeline indicated by the Hong Kong government as to when section 33 may come into force.
[19] The vast majority of common law principles cited in this legal opinion remain based on English case law. In considering the constitutionality and binding effect of these English cases, it was held in A Solicitor (FACV 24/07) v Law Society of Hong Kong [2008] 2 HKLRD 576 (CFA) that:
(a) after 1 July 1997, Article 8 of the Basic Law provides that the laws previously in force in Hong Kong (i.e., the common law, rules of equity, ordinances, subordinate legislation and customary law) shall be maintained except for any that contravene the Basic Law and subject to any amendment by the Hong Kong legislature;
(b) prior to 1 July 1997, decisions of the Privy Council functioning as the final appellate court in Hong Kong remain binding on all the courts in Hong Kong;
(c) prior to 1 July 1997, decisions of the House of Lords were not binding in Hong Kong but, like Privy Council decisions on appeal from other jurisdictions, had considerable persuasive authority. Unless local circumstances were material, the Privy Council, sharing essentially common membership with the House of Lords, on an appeal from Hong Kong was unlikely to diverge from a decision of the House of Lords;
(d) after 1 July 1997 the establishment of the Hong Kong Court of Final Appeal introduced a new constitutional order. Article 84 of the Basic Law expressly provided that the courts in Hong Kong might refer to precedents of other common law jurisdictions and the Hong Kong courts should continue to derive assistance from overseas jurisprudence. Bearing in mind that historically Hong Kong’s legal system originated from the British legal system, decisions of the Privy Council and House of Lords should be treated
 
 
 
2.2 Where Covered Books and Records do not contain any relevant forms of information, and it is likely that many aspects of the information required will not (e.g., transaction data such as volumes and prices), these duties of confidentiality will not apply.
Scope of duties
2.3 The leading case on the common law duty of confidentiality is Coco v AN Clark (Engineers) Ltd [1968] F.S.R. 415, which was applied by the Hong Kong Court of First Instance in AXA China Region Insurance Co Ltd v Pacific Century Insurance Co Ltd [2003] 3 HKC 1. This case established that to be protected under the common law of confidentiality, two requirements must be met. Firstly, the information must have the “necessary quality of confidence”.[20] Secondly, the information must have been given in a situation which imposed an obligation of confidence.
 
(a) The necessary quality of confidence is negatively defined as information which is not “public property and public knowledge”.[21] As the information contained in the Covered Books and Records is not publicly available, it will likely possess this necessary quality of confidence insofar as that information relates to UBSHK’s clients or staff and is not information owned by or relating to UBSHK itself.
(b) To be protected under the common law duty of confidentiality, the information must have been communicated in a situation where an obligation of confidence was either expressly or impliedly imposed.[22] The court will consider whether the recipient of the information knew, or ought to have known, that there was a duty of confidentiality attached to that information. This duty of confidentiality can be imposed by contract, implied by the circumstances of the disclosure, or implied by a special relationship of the parties.
(c) Where, and to the extent that, the Covered Books and Records concern either customer information or employee information, this would likely satisfy the requirement that the Recipient, in this case being UBSHK, knew or ought to have known that the information was to be treated confidentially.
 
2.4 In Hong Kong, the common law banker’s duty of confidence, established by Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 (Tournier), is one such instance where a special relationship exists between the parties. Under this duty of confidence, banks, such as UBSHK, must keep their customers’ affairs private – in this respect the general duty is broader than the banker’s duty as the general duty extends to benefit others, such as UBSHK’s staff.
(a) The scope of the duty is wide – as Atkin LJ outlined in the judgment: “It [the duty of confidentiality] clearly goes beyond the state of the account, that is, whether there is a debit or credit balance, and the amount of the balance. It must extend at least to all the transactions that go through the account, and to the securities, if any, given in respect of the account”.[23]
 
 
 
with great respect. Their persuasive effect would depend on all relevant circumstances including, in particular, the nature of the issue and the similarity of any relevant statutory or constitutional provision.
[20] Megarry J in the Coco v AN Clark (Engineers) Ltd judgment at 419 used the formulation first used by Lord Greene, M.R. in Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1948] 65 RPC 203, [1963] 3 All ER 413.
[21] Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1948] 65 RPC 203, [1963] 3 All ER 413 at 415.
[22] Megarry J in Coco v AN Clark (Engineers) Ltd judgment at 420.
[23] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
 
 
(b) The temporal scope of the banker’s duty is also wide. Atkin LJ judged that the banker’s duty of confidentiality “extend[s] beyond the point when the account is closed, or cease[s] to be an active account”,[24] and this duty also extends to cover disclosures from one banking entity to another within the same corporate group.[25]
 
2.5 While an employer’s duty of confidence under common law does exist,[26] it is very limited: UBSHK will only be restricted in its use of information held in relation to its employees “where there is no reasonable and proper cause for the employer[’]s conduct and only then if the conduct is calculated to destroy or seriously damage the relationship of trust and confidence.”[27]
 
2.6 No distinction is drawn in the case law on either of the general or banker’s duties regarding the nature of the person to whom the duty is owed – i.e. a natural or a legal person – and so we consider that the duties apply equally to any person irrespective of their legal status. The employer’s duty can clearly be owed only to a natural person.
Unauthorised disclosure
2.7 A successful claim for breach of confidentiality must demonstrate that there has been an unauthorised use of confidential information to the detriment of the Rights Holder.[28]
 
2.8 For those Covered Books and Records that contain customer information, which is unlikely to include all Covered Books and Records, these duties of confidentiality will apply and so UBSHK will only be able to disclose Covered Books and Records containing confidential information in un-redacted form where one of the exceptions below is met.
2.9 Tournier established four exceptions to the banker’s duty of confidentiality,[29] the first three of which apply equally to the general and employer’s duties of confidentiality:
(a) where the disclosure is made by the express or implied consent of the customer;[30]
(b) under compulsion of law;
(c) where the disclosure is in the public interest; or
(d) for the banker’s duty of confidentiality only, where it is in the interests of the bank to make disclosure.
Consent
2.10 Disclosure of confidential information is permissible where the Rights Holder[31] has given their consent to the disclosure of their confidential information.[32]
 
[24] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
[25] Bank of Tokyo Ltd v Karoon [1987] 1 AC 45 at 54.
[26] Hui King Fai v Hong Kong Council of Social Service [2017] 6 HKC 350 at 36; Semana Bachicha v Poon Shiu Man [2000] 3 HKC 452 at 469.
[27] Malik v Bank of Credit and Commerce International SA [1998] A.C 20 at 53; this case was applied by the Court of Appeal in Semana Bachicha v Poon Shiu Man [2000] 3 HKC 452.
[28] Megarry J in Coco v AN Clark (Engineers) Ltd [1968] F.S.R. 415 at 421.
[29] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473.
[30] For the general duty of confidentiality: This was confirmed by Arnold J in Primary Group (UK) Ltd v The Royal Bank of Scotland Plc [2014] R.P.C. 26 at 246.
[31] Where the banker’s duty of confidentiality applies this will be the customer.
[32] Due to the overlap between bank confidentiality and the PDPO it would be advisable to clarify when obtaining consent that another, separate, legal basis applied to the processing of the personal data under the PDPO.
 
 
 
Compulsion of law
2.11 Information that would otherwise be confidential may be disclosed when required by a statutory provision[33] or court order.[34] In Hong Kong, the Court of Appeal held in FDC Co Ltd and Others v The Chase Manhattan Bank, N.A. [1990] 1 HKLR 277 that the compulsion of law exception only applies to Hong Kong law and did not include a foreign law.[35] Accordingly, under Hong Kong law an order of a foreign court will not release a bank from its duty of secrecy to its customer where that duty is governed by the law of Hong Kong.
 
2.12 Therefore, to satisfy this compulsion of law UBSHK would have to rely on Hong Kong statute – a provision of US law, such as an SEC Rule, is unlikely to be sufficient for this purpose. While there are numerous statutory provisions that require the disclosure of information that would otherwise be confidential, none applies directly to this situation.
2.13 Equally, a US court order is also unlikely to be sufficient for this purpose: it was held in X AG and others v A bank [1983] 2 All ER 464 at 475 that a subpoena requiring disclosure issued by a foreign court did not qualify as compulsion by law on the basis that “[t]he fact is that confidentiality is not rendered illegal by a subpoena requiring disclosure, which is to be contrasted with some form of legislation to that end”. The facts in FDC Co Ltd v The Chase Manhattan Bank, N.A. [1990] 1 HKLJ 277[36] are closely analogous with X AG and others v A bank [1983] 2 All ER 464, where, as noted, it was held by that the first qualification, compulsion of law, applied only to a Hong Kong law and did not include a foreign law.[37]
 
For completeness, while it is possible to rely on implied consent, there is likely to be a high bar to meet in order to do so. In Turner v Royal Bank of Scotland Plc [1999] 2 All E.R 664, regarding the banker’s duty of confidentiality, it was decided that established market practice of sharing of customer information between banks (which practice was generally known only to the banks themselves) did not amount to implied consent of the customer as this practice was not known by the customer. To amount to implied consent, the practice under which disclosure is made must be “notorious, certain and reasonable” (Turner v Royal Bank of Scotland Plc [1999] 2 All E.R 664 at 670, Sir Richard Scott VC quoting from Chitty on Contracts (27th edn, 1994), vol I, para 13-014.)
The practice of sharing information with local regulators in order to enable banking business to be conducted within the relevant local jurisdiction is, in our experience, well established such that it might be considered “notorious, certain and reasonable”. In this context, it is possible that much of the information contained in the Covered Books and Records would be information of a sort that customers (and particularly more sophisticated customers of the kind that would normally be offered services by UBSHK in respect of SBSs) may expect would be shared with the SEC.
In part, the ability to rely on implied consent will depend on the information provided to customers when UBSHK provides services in SBSs. If no information about the jurisdiction or regulators involved is provided then UBSHK would rely on the customer’s own understanding of regulatory obligations on banks, the US nexus and the SEC’s role in these services. Conversely, if customers are informed that UBSHK’s activity in SBSs is conducted on a cross-border basis into the US and is subject to oversight by the SEC then the ability to rely on implied consent increases. Similarly, if customers are informed that detailed information on all aspects of UBSHK’s activity in SBSs is subject to examination by the SEC then the ability to rely on implied consent increases further still.
[33] See the example given by Bankes LJ in Tournier v National Provincial & Union Bank [1924] 1 K.B 461 at 473 of the Bankers’ Books Evidence Act 1879. In Hong Kong, various ordinances and subsidiary legislation set out provisions requiring disclosure under compulsion by statute.
[34] For the general duty of confidentiality: compulsion by an order of a Hong Kong court includes a mareva (freezing injunction) under the High Court Ordinance (Cap. 4), section 21L and Practice Direction 11.1; garnishee order (order to show cause) under Rules of the High Court (Cap. 4A), Ord 49, Garnishee Proceedings; and a writ of subpoena (witness summons) under Evidence Ordinance (Cap. 8), section 77A. For the banker’s duty of confidentiality: X AG and others v A bank [1983] 2 All ER 464 at 475.
[35] In FDC Co Ltd and Others v The Chase Manhattan Bank, N.A. [1990] 1 HKLR 277, the US Internal Revenue Service (IRS) wanted to inspect the plaintiff’s records regarding accounts held with the Hong Kong branch of the defendant bank. The IRS served notice on the defendant bank’s US headquarters and obtained US court orders for the production of the records. The plaintiff applied for and obtained interim injunctions against the defendant in Hong Kong to restrain disclosure pending trial. In this appeal to have the interim injunctions discharged, the Hong Kong Court of Appeal considered the four exceptions, as established in Tournier and held that the compulsion of law exception only applies to Hong Kong law and did not include foreign law.
[36] In FDC Co Ltd and Others v The Chase Manhattan Bank, N.A. [1990] 1 HKLR 277, a request for customer information was made to the head office of the defendant’s bank in New York by the Inland Revenue Services to assist a tax investigation. However, since the accounts were held in the Hong Kong branch of the bank the request was denied. See FDC Co Ltd and Others v The Chase Manhattan Bank, N.A. [1990] 1 HKLR 277 at 284.
[37] It is noted that the Court of Appeal in FDC Co Ltd v The Chase Manhattan Bank, N.A. [1990] 1 HKLR 277 did not take the same approach as Leggatt J in X AG and others v A bank [1983] 2 All ER 464, and did not feel it necessary to consider the effect of the subpoena upon the bank by regarding the matter as irrelevant to the decision. Ibid. at 286 (Yang J A): “Mr Hoffman argues that our case is a dispute between Hong Kong courts and United States courts. With respect to him, I do not see the problem quite in that light. The question is simply one of applying our own law in our own courts”. The English courts have affirmed the approach of the Hong Kong Court of Appeal in Bank of Tokyo Ltd v Karoon [1987] AC 45.
 
 
2.14 Finally, as the Memorandum of Understanding between the SFC and the SEC dated 18 January 2017[38] (the Memorandum of Understanding) lacks the authority of statute, it is very unlikely to meet this exception and should not be relied upon by UBSHK (though it is of some relevance in the context of the public interest exception – please see paragraphs 2.15 to 2.21 below).[39] As at the date of this legal opinion, there is no publicly available Memorandum of Understanding between the HKMA and the SEC but for completeness, as regards banking activities, section 7(e) of the Banking Ordinance (Cap. 155) empowers the Hong Kong Monetary Authority to “co-operate with and assist recognized financial services supervisory authorities of Hong Kong or of any place outside Hong Kong, whenever appropriate, to the extent permitted by this or any other Ordinance”. However, section 7 is not directly applicable to UBSHK and only sets out the functions of the HKMA. Similarly, in relation to matters regulated under the Securities and Futures Ordinance (Cap. 571) (SFO), section 186 of the SFO empowers the SFC,[40] and section 186A of the SFO empowers the HKMA, to assist regulators outside Hong Kong. However, UBSHK itself cannot rely on sections 186 and 186A as those provisions only set out the power available to the regulators.
Public interest
2.15 Determining whether the public interest exception applies requires a balance to be struck between the rights of the Rights Holders and the public interest in the SEC obtaining that information.[41] The test to be applied when considering whether confidentiality should be breached in favour of freedom of expression is whether, in all the circumstances, it is in the public interest that the duty of confidence should be breached.[42]
 
2.16 The public interest test has not been exercised in Hong Kong in the context of bank confidentiality (see paragraph 2.21 below) and, in any event, disclosure in the public interest has been narrowly construed by the English courts.[43] Under the test, the burden is for UBSHK to justify disclosure of confidential information[44] (rather than for e.g., a customer to justify continued confidentiality). The general position is that voluntary disclosure, including in relation to disclosures to the police in respect of suspicions of criminal activity, would breach the duty of confidence other than as permitted under statute,[45] indicating that there is a high bar to be met when arguing that a disclosure was made lawfully in pursuit of a greater public interest. Bankes LJ suggested in Tournier that national security concerns would meet this criterion,[46] while Atkin LJ gave the example of disclosure in the interest of preventing fraud or crime.[47]
 
2.17 However, there is well established precedent for public interest in effective regulation and supervision of banking institutions outweighing the public interest in maintaining confidentiality even in the absence of statutory authority.[48] This arguably is a continuation of Atkin LJ’s example in Tournier regarding the prevention of fraud or crime. In such cases, the weight of the claim for disclosure is
 
 
[38] See Memorandum of Understanding Concerning Consultation, Cooperation and the Exchange of Information Related to the Supervision of Cross-Border Regulated Entities (https://www.sfc.hk/-/media/EN/files/ER/MOU/2017-01-18-SEC-SFC-MoU.pdf).
[39] The SFC and the SEC are, among others, also signatories to the ‘International Organization of Securities Commissions Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information’ but it also lacks the authority of statute. Therefore, it is very unlikely to meet this exception and should not be relied upon by UBSHK.
[40] UBSHK is a registered institution regulated by the SFC so the SFC has powers to, among other things, require information from UBSHK. However, as UBSHK is also a licensed bank, the SFC is required in certain circumstances to consult the HKMA, as the primary regulator of banks.
[41] AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 268.
[42] Prince of Wales v Associated Newspapers Ltd (CA) [2007] 3 WLR at 68. In the context of that case, it is relevant that the test is not simply whether the information is a matter of public interest, as, unlike disclosure to the SEC, that case involves public dissemination of information. This case is cited in the University of Hong Kong v Hong Kong Commercial Broadcasting Co Ltd & Anor [2016] 4 HKLRD 113.
[43] As noted, the public interest test has not been exercised in Hong Kong but, in our view, this may be construed to refer to the Hong Kong public.
[44] Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 597.
[45] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 474.
[46] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473 where Bankes LJ quotes Lord Finlay’s judgment in Weld-Blundell v Stephens [1920] A.C. 956 at 965 where “danger to the state” was given as an example where an exception could be made to the duty of confidentiality.
[47] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 486.
[48] Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 596 and 601.
 
 
greater when considering limited disclosure, such as to a relevant authority acting under its own duties of confidence, as opposed to public dissemination of information.[49]
 
2.18 That there is a public interest in banks making adequate disclosures to foreign regulators is reflected in the Memorandum of Understanding, which relates to consultation, cooperation and the exchange of information related to market oversight and supervision of regulated entities as well as the provisions under the SFO and the BO empowering the SFO and the HKMA, as relevant, to assist regulators outside Hong Kong (see paragraph 2.14 above).[50]
 
 
2.19 In an example of the application of this principle in the context of bank confidentiality, an English case held that compliance with a foreign subpoena could occur without breaching the duty of confidentiality on the basis of the public interest exception.[51] However, note that the court in that case was less willing to apply the public duty qualification unconditionally and stressed that disclosure should be limited to what was reasonably necessary to achieve the purpose of the public interest in disclosure”. In addition, that case has not been cited in any reported Hong Kong court decisions and therefore, it does have formal judicial recognition in Hong Kong.
 
2.20 It is assumed that disclosure to the SEC is solely in furtherance of the SEC’s supervisory mandate. We further understand that such disclosure to the SEC is, at least in part and/or for certain types of records, for the purposes of preventing fraud or crime (e.g., records relating to transactions and persons involved in transactions), further supporting this view. Therefore, there may be an argument for public interest in disclosure, given the public interest in enabling effective supervision of financial services business, including SBS business.
 
2.21 That being said, the public interest test has not been exercised in Hong Kong in the context of bank confidentiality. Dr. Claire Wilson, author of Banking Law and Practice in Hong Kong,[52] has also argued that “in the modern banking environment it does not appear necessary for the continuation of the [public interest] qualification in Hong Kong. Numerous statutes provide guidance upon instances where a disclosure can be made in a public interest situation. Further, it is safer for a bank to seek a court order prior to divulging information.”[53] Consequently, rather than relying on the public interest exception – which has not been tested in the Hong Kong courts – it would be prudent for UBSHK to instead seek a court order prior to permitting the SEC to access its Covered Books and Records and to conduct On-Site Inspection of UBSHK.
 
In the interests of the bank

2.22 In limited cases, disclosure of confidential information that is subject to the banker’s duty of confidentiality may be permissible where it is in the interests of the bank. This exception does not apply to information that is subject to the general duty of confidentiality. However, we consider that this exception is available to information that is subject to both such duties, leaving only information that does not relate to customers (e.g., information relating to staff) beyond the scope of this exception.
 
2.23 It is clearly in the interests of UBSHK to comply with the SEC’s requests. However, the majority of case law on this exception points to there being a high bar to meet.
 
2.24 In X AG and others v A bank [1983] 2 All ER 464 it was held that a bank could not comply with a subpoena from a New York court without breaching its duty of confidentiality. However, in considering arguments based on the banker’s own interest, Leggatt J judged that it was not clearly in the bank’s own interests to comply with the subpoena, as the bank would not, as a matter of fact in that particular case, face any serious detriment for its failure to comply.[54] In contrast, Bankes LJ gave the example in Tournier of a bank commencing an action against a customer where the customer’s overdraft is in arrears, acknowledging that, in that situation, the banker would be able to disclose the amount of the overdraft in its claim. These cases suggest that the bank’s own interest exception will be construed narrowly and the court will take a view on whether the bank’s own interests are genuinely threatened by non-disclosure.

[49] AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 268.

[50] Similarly, as noted above, section 186 of the SFO empowers the SFC to assist regulators outside Hong Kong.

[51] Pharaon v Bank of Credit and Commerce International SA [1998] 4 All ER 455, where Rattee J stated in his judgement that “the public interest in upholding the duty of confidentiality existing between banker and customer was subject to being overridden by the greater public interest in making confidential documents relating to the alleged fraud of an international bank available to the parties to private foreign proceedings for the purpose of uncovering that fraud. However, such disclosure should be limited to what was reasonably necessary to achieve the purpose of the public interest in disclosure”.

[52] Sweet & Maxwell Hong Kong, 2017.

[53] Dr. Claire Wilson, Banking Law and Practice in Hong Kong (Sweet & Maxwell Hong Kong, 2017), paragraph 3.109.
 
2.25 In Hong Kong, the Court of Appeal in FDC Co Ltd v The Chase Manhattan Bank, N.A. [1990] 1 HKLJ 277 has applied this qualification more narrowly than the English courts, where Silke J A stated that “the interest of the bank” must mean in the interests of ordinary banking practice […]. The issues here are very much wider than those narrow interests of the bank as I see them to be”. Therefore, disclosure under this limb has to be strictly limited to information that is necessary to protect the interests of the bank and not simply to disclose information when it is in the bank’s interest. In the context of requests by the SEC, it is assumed that failure to comply could result in enforcement action and potentially even the cessation of UBSHK’s ability to conduct SBS business in US markets. Accordingly, it is expected that UBSHK may face serious detriment for a failure to comply with the SEC’s demands, and so this exception may be available to UBSHK.

2.26 However, to rely on this exception, UBSHK must balance its interests in complying with the SEC’s disclosure request against the competing interest of its customers in the banker’s duty of confidence being maintained, and UBSHK must satisfy itself that those interests do not outweigh its own. This would need to be assessed on a case-by-case basis. Due to the differing circumstances of each customer, this exception is perhaps less likely to provide a consistent basis on which to provide information to the SEC than the public interest exception considered above.

3. MISUSE OF PRIVATE INFORMATION

3.1 Where Covered Books and Records do not contain, and On-Site Inspection would not reveal, any relevant forms of information, an action for misuse of private information will not be able to prevent the sharing of information with the SEC. Considering the nature of the Covered Books and Records (e.g., transaction data such as volumes and prices), and the focus of actions for misuse of private information (as explained below), it is likely that many, and perhaps most, aspects of information disclosed to the SEC required will not fall within scope of this action.

3.2 However, the doctrine of misuse of private information has yet to receive formal judicial recognition as a cause of action in Hong Kong. It was discussed by the Court of First Instance in Sim Kon Fah v JBPB & Co (A Firm) [2011] 4 HKLRD 45 and X and Another v Z [2020] HKCU 1959 and X v Y [2014] 5 HKLRD 823, but the matter was resolved without the court needing to make any determination on that cause of action. However, the court, in obiter in X and Another v Z [2020] HKCU 1959, seemed to suggest that the tort of misuse of private information might be recognised.[55]
 
 
 
3.3 In the context of the SEC’s ability to access Covered Books and Records and to conduct On-Site Inspections of UBSHK, it is anticipated that most information that would be subject to such exercises, and which relates to a person other than UBSHK, would properly fall to be addressed by an action in confidence regarding secret information rather than an action in misuse of private information. Information that is both confidential and private will be subject to the restrictions on confidential and the restrictions on private information. Please see section 2 above regarding the ability of UBSHK to share confidential information with the SEC.

[54] X AG and others v A bank [1983] 2 All ER 464 at 475.

[55] X and Another v Z [2020] HKCU 1959 at paragraph 146, where Hon Coleman J in the Court of First Instance commented that “[…] it is in my view high time that the Hong Kong Court recognised the tort of misuse of private information. If indeed it has not happened, it is likely that it has not happened simply because the right case has not come before the Court and pursued to the full conclusion.”
 
4. RIGHT TO PRIVACY

4.1 At present, there is no stand-alone basis to bring a claim for ‘invasion of privacy’ under Hong Kong law.[56] The BOR incorporates the provisions of the International Covenant on Civil and Political Rights as applied to Hong Kong. Article 14 of the Hong Kong BOR states that “no person shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation” and that “everyone has the right to the protection of the law against such interference or attacks” (Article 14).
 
4.2 The BOR does not elaborate on the right to privacy under Article 14. Insofar as remedy is concerned however, the BOR binds only the Hong Kong government and public authorities, and any person acting on behalf of the Hong Kong government or a public authority. The right to privacy under the BOR cannot be enforced against private persons. As UBSHK is a private entity, BOR affords no protection to UBSHK’s staff and clients in a private context and would not be relevant.

[56] For completeness, the Hong Kong Legislative Council is currently reviewing the PDPO. Under the Personal Data (Privacy) (Amendment) Bill 2021, a new offence is proposed to be introduced into the PDPO under which a person commits an offence if the person discloses any personal data of a data subject without the data subject’s consent, (a) with an intent to threaten, intimidate or harass the data subject or any immediate family member, or being reckless as to whether the data subject or any immediate family member would be threatened, intimidated or harassed; or (b) with an intent to cause psychological harm to the data subject or any immediate family member, or being reckless as to whether psychological harm would be caused to the data subject or any immediate family member; and the disclosure causes psychological harm to the data subject or any immediate family member.
 
ANNEX 2

ASSUMPTIONS

This opinion relies on the following assumptions:

1. UBS AG, including UBSHK, has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBSHK submits an application for registration are not Covered Books and Records.
 
3. UBSHK has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBSHK, such employees are “associated persons” of UBS for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.

4. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
5. Similarly, UBSHK will ensure that its disclosures are compliant with the data protection principles set out in Schedule 1 of the PDPO. We understand that UBSHK’s general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBSHK can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[57]
 
6. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. We understand that this aligns with UBSHK’s general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).

[57] See the SEC Guidance at 85 FR 6298.
 
7. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[58] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.

[58] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.

 
 
Privileged and confidential
Roschier Advokatbyrå AB
Brunkebergstorg 2
P.O.Box 7358
SE-103 90 Stockholm
Sweden
 
Reg. office: Stockholm
Business ID 556686-5670
 
21 October 2021
UBS AG London Branch
5 Broadgate
London EC2M 2QS
 
 
Re: UBS SEC registration as a non-resident security based swap dealer
 
Dear Sir or Madam,
 
1. BACKGROUND

1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States ("US") Securities and Exchange Commission ("SEC") as a non-resident security-based swap ("SBS") dealer ("SBSD").

1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:

(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs to ("Covered Books and Records"); and

(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC ("On-Site Inspection").

1.3 Associated persons of UBS AG located in Sweden who effect SBS transactions on behalf of UBS AG will be employed by the Swedish Branch of UBS Europe SE ("UBS ESE SE") which is incorporated in Germany and authorised to provide services in Germany and Sweden (among other jurisdictions). Accordingly, UBS ESE SE will maintain certain Covered Books and Records in Sweden on behalf of UBS AG.

1.4 You have asked us to issue an opinion where we consider whether (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE SE in Sweden and (b) UBS ESE SE can submit to On-Site Inspection by the SEC of UBS AG’s Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph [2]

[1] In the case of a corporation, an SBSD will be "non-resident" if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a "non-resident" SBSD.
 
1.5 This opinion is structured as follows:

(a) Section : ;
(b) Section : ;
(c) Section :
(d) Section :
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.

2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that:

2.1 UBS ESE SE can, as a matter of applicable Swedish law, submit to On-Site Inspection by SEC. The remainder of this opinion focuses on UBS ESE SE's ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Sweden and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.

2.2 UBS ESE SE can, as a matter of applicable Swedish law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE SE in Sweden either by disclosure of Covered Books and Records to UBS AG London Branch for onward disclosure to the SEC as decided by UBS AG London Branch or to the SEC in the course of On-Site Inspections in Sweden.[3]
 
Data Protection[4]

2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE SE's clients and staff are subject to certain restrictions under the GDPR, particularly where this involves a cross-border transfer to a country or territory that the European Commission has not found to have an 'adequate' data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would potentially be available to UBS ESE SE were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch or to the SEC in the course of On-Site Inspections in Sweden.

[2] In accordance with Assumption in Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE SE to the SEC as this information would instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.

[3] Where a restriction on the ability to transfer personal data or to disclose confidential or private information applies, consent from the person affected (e.g. a data subject under applicable data protection legislation or a person whose information is covered under bank secrecy rules), validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that we have assumed at Assumption of Annex 2 that UBS ESE SE has validly obtained such consent.

[4] Please refer to section of Annex 1 for definitions of GDPR.
 
2.4 We anticipate that valid consent (where applicable) or the legitimate interest legal basis for the processing of personal data are likely to be the most likely applicable grounds under the GDPR to enable disclosure of Covered Books and Records to UBS AG London Branch and any onward transfer to the SEC[5], and to permit On-Site Inspection.

Duties of confidentiality

2.5 UBS ESE SE is most likely subject to the banking confidentiality provisions of the Swedish Banking and Financing Business Act 2002 (Lag (2004:297) om bank- och finansieringsrörelse) (as amended), which provides that information about the relationship between private subjects (including both natural persons and legal entities) and the bank may not be disclosed without authorisation. It may reasonably be assumed that consent that satisfies the requirements of the GDPR would also satisfy the requirements for authorised disclosure under the banking confidentiality rule.

Privacy and Human Rights

2.6 Protection of personal data and protection from intrusion of rights of privacy is set out in Articles 7 and 8 of the EU Charter of Fundamental Rights. The rules only apply to legislators and authorities of a member state when they are interpreting or implementing union law. Consequently, the Charter does not prevent UBS ESE SE from transferring data to the US as long as the transfer is in accordance with applicable law, such as the GDPR.

2.7 Further, Sweden is a party to the European Convention on Human Rights. The Convention provides for rights similar to the Charter, but is not limited to matters of union law. Article 8 of the Convention establishes the general right to “respect for his private and family life, his home and his correspondence”. Under the constitutional rule of Chapter 2, Section 19 of the Instrument of Government (Regeringsformen), Swedish legislation must conform to the provisions of the Convention and under the European Convention on Human Rights Act 1994 (lag (1994:1219) om den europeiska konventionen angående skydd för de mänskliga rättigheterna och de grundläggande friheterna) (as amended). The Convention also has the force of Parliamentary statute.

2.8 Action for a misuse of private information under Article 8 requires a reasonable expectation of privacy to exist – this is unlikely where valid consent to disclosure of the relevant information has been given.

2.9 This summary opinion is not a substitute for the full expression of our views set out in Annex 1.
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE SE in Sweden and On-Site Inspection of UBS ESE SE by the SEC in Sweden. This opinion applies equally to remote access from the United States to Covered Books and Records held in Sweden. This opinion excludes books and records held in the US. This opinion relates solely to matters of Swedish law and European Union (EU) law that is directly applicable in Sweden (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union).

[5] Although UBS AG London Branch would still have to comply with the requirements set out in EU law in relation to any onward transfer to a third country. Any transfer of personal data to UBS AG London Branch for the sole purpose of transferring it onwards to the SEC would require due consideration of the requirements under EU or Swedish law (absent which, the transfer would likely be disqualified by the Swedish Authority for Privacy Protection as an attempt to circumvent the restrictions on third country transfers of personal data).
 
3.2 This opinion has been prepared in accordance with UBS AG's specific instructions as to the scope of the opinion. For this purpose, we have been provided with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:

(a) relate to the US business[6] of the non-resident SBSD.[7] These are the records that relate to an SBS that is either:

(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a "U.S. Person" as defined in 17 CFR § 240.3a71-3(a)(4)[8] ("US Person") (other than an SBS conducted through a foreign branch of such US Person[9]); or

(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States ("US branch") or office or by the personnel of an agent of the non-resident SBSD located in a US branch or office;[10] or

(b) constitute financial records necessary for the SEC to assess the non-resident SBSD's compliance with the SEC's margin and capital requirements, if applicable.[11]
 
3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph . For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 This opinion covers data relating to:

(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE SE) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE SE (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE SE acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and

(b) the activities of the staff of UBS ESE SE pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).

This opinion only covers transactions entered into by UBS AG where UBS ESE SE is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE SE and its own counterparties (even though UBS ESE SE may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).

[6] As defined in 17 CFR § 240.3a71-3(a)(8).

[7] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the "SEC Guidance").

[8] A "U.S. person" means any person that is "(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death." 17 CFR § 240.3a71-3(a)(4).

[9] A "foreign branch" means "any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located." (17 CFR § 240.3a71-3(a)(2)). An "SBS conducted through a foreign branch" means an SBS that is "arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States." (17 CFR § 240.3a71-3(a)(3)(i)).

[10] 17 CFR § 240.3a71-3(a)(8)(i)(B).

[11] The requirement set out in this paragraph does not apply to UBS AG because it is not subject to the SEC's margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see the Assumption set out in Annex 2.

3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.
 
3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.8 No opinion is expressed on matters of fact.
 
3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE SE staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent).[12] The consent will only be valid if UBS ESE SE offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE SE also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome.
 
4. REVISIONS TO APPLICABLE LAW
 
4.1 We note that the SEC rules[13] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:

(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;

(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or

(c) impact the ability of the SEC to conduct On-Site Inspections.

[12] The Swedish Authority for Privacy Protection also acknowledges this issue on its website, stating that employee consent may not, as a main rule, be relied upon by the employer.

[13] 17 CFR § 240.15Fb2-4(c)(2).

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.
 
4.3 This opinion relates solely to the laws of Sweden and EU law that is directly applicable in Sweden (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG's group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:

(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG's SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and

(b) to UBS AG's affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

5.5 The terms and conditions applicable to all our matters are available on our website, https://www.roschier.com/general-terms-and-conditions/.

Yours faithfully,
ROSCHIER ADVOKATBYRÅ AB
 
ANNEX 1
OPINION
1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (the "GDPR"), the Swedish Data Protection Act (2018:218), and the Swedish Data Protection Ordinance (2018:219) as well as regulations issued by the Swedish Authority for Privacy Protection will apply to UBS ESE SE's disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE SE staff as well as clients.
 
1.2 Under the GDPR, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of 'special category data' – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE SE's disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the GDPR relating to UBS ESE SE's ability to disclose personal data to the SEC are set out below.

Legal basis for the disclosure
1.4 UBS ESE SE requires a legal basis under Article 6 of the EU GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please see section 2 below). Whilst there are a number of Article 6 legal bases on which UBS ESE SE may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE SE will need to consider the most appropriate legal basis to apply to any given situation.

1.5 The Article 6 legal bases most applicable to UBS ESE SE, together with their respective limitations, are as follows:

(a) Consent (Article 6(1)(a)): In order for consent to be valid under the GDPR, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[14]

[14] Please also refer to limitations on the applicability of consent discussed in paragraph of section Please note that valid consent is assumed at Assumption in Annex 2.

(b) Legitimate interests (Article 6(1)(f)): This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE SE must:

(i) identify its, or a third party's legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC's disclosure request;

(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and

(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own. If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE SE or the third party.

An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBS ESE SE would need to demonstrate 'compelling' legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE SE may argue that its interests are not outweighed by those of its clients or its employees on the basis that:

(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and

(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.
 
In addition, while focused on the relationship between the SEC and the ECB, the existence of the Memorandum of Understanding entered into by the SEC and the European Central Bank (ECB)[15] (the ECB MoU)[16] may arguably be taken to mean that the SEC's access to information, including personal data, held by financial institutions in the EU is compatible with EU law, even if Sweden has not acceded to the European banking union and the ECB therefore has no jurisdiction in Sweden for these purposes.[17]
 
Also relevant to this balancing of interests are that the SEC will:

(1) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[18] and

(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[19]
 
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE SE is subject (Article 6(1)(c)): There must be a Swedish nexus in order for UBS ESE SE to be able to rely on this legal basis. Article 6(3) requires that the legal obligation must be laid down by Swedish or EU law, although this does not have to be an explicit statutory obligation for the processing of data, as long as the application of the law is foreseeable to UBS ESE SE as the person subject to it.[20] It should therefore be noted that a request from the SEC in the absence of a Swedish legal requirement would not justify the disclosure as being necessary for compliance with such an obligation. We further note that the ECB MoU does not create any legally binding obligations.[21]
 
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): There must be a Swedish nexus in order for UBS ESE SE to be able to rely on this legal basis. The relevant public interest must be recognized in either Swedish or EU law. In this case, we have not been able to identify any public interest that would permit the disclosure to the SEC, nor the transfer of personal data to the UBS AG London Branch for the purpose of providing information to the SEC. For the avoidance of doubt, since Sweden has not acceded to the European banking union, the ECB MoU is not sufficient to demonstrate the existence of a relevant public interest.

[15] As UBS Europe SE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.

[16] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).

[17] For the avoidance of doubt, we note however that the ECB MoU does not stipulate any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.

[18] Please refer to Assumptions and in Annex 2, as well as Article II and paragraph 49 of the ECB MoU.

[19] Please refer to Assumption in Annex 2, as well as paragraph 56 of the ECB MoU.

[20] Recital 41 GDPR.

[21] Article II paragraph 27 of the ECB MoU.

1.6 Based upon the above, the legitimate interest as a legal basis for processing is likely to be the most appropriate Article 6 ground on which UBS ESE SE could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. For UBS ESE SE to rely on the legitimate interests ground, UBS ESE SE would need to undertake a balancing test as outlined above.

1.7 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE SE might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US person.[22] However, to the extent that this does occur, and such information is held by UBS ESE SE, in addition to an Article 6 legal basis, UBS ESE SE will need to establish an additional legal basis for processing under Article 9 of the EU GDPR if it discloses special categories of data to the SEC. Other than valid consent,[23] the Article 9 legal basis that is most likely to apply to disclosure of Covered Books and Records is that processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f)).

1.8 Similarly, UBS ESE SE's processing of personal data relating to criminal convictions and offences is highly restricted, and such data can only be disclosed, transferred or otherwise processed where authorised by one of the conditions in (i) Chapter 3, Paragraph 8 and 9 of the Swedish Data Protection Act, (ii) Paragraph 5 of the Swedish Data Protection Ordinance, or (iii) Swedish Authority for Privacy Protection, Regulation 2018:2. Of these conditions, the most likely to apply to the disclosure to the SEC, is processing of personal data in relation to legal claims (Paragraph 5 of the Swedish Data Protection Ordinance). This condition is met if the processing is necessary for the purpose of, or in connection with, establishing, exercising or defending legal rights, as well as to perform an obligation under applicable Swedish and/or EU law. In practice, this restriction on UBS ESE SE is dealt with by this information being provided and/or transferred directly by the individual (here, staff of UBS ESE SE) to the requesting party (here, the SEC).

Data protection principles
1.9 In addition to establishing a legal basis for the disclosure, UBS ESE SE would need to ensure that its disclosures are compliant with the remaining requirements under the GDPR, including the data protection principles set out in Article 5 of the EU GDPR. For example, UBS ESE SE must:

(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);

(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;

(c) be careful to avoid participating in 'data dumps' and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;

(d) ensure that the data is accurate and, where necessary, kept up to date;

(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and

(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.

[22] As we understand, is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).

[23] Article 9(2)(a) GDPR – please also refer to limitations on the applicability of consent discussed in paragraph of section

1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE SE to verify this and implement its own compliance measures.

International transfers
1.11 The general principle in the EU GDPR is that UBS ESE SE may not transfer personal data to a jurisdiction outside the European Economic Area unless it can satisfy a condition for the transfer as set out in Chapter V of the GDPR.
 
1.12 Article 45 of the EU GDPR allows for UBS ESE SE to transfer personal data to a recipient outside the EU/EEA where the transfer is based on an adequacy decision by the European Commission, identifying a specific country as a country that provides a sufficient level of protection for personal data. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[24] allows transfers of personal data from the EU/EEA, including Sweden, to the UK to be made freely. Any transfer from UBS ESE SE to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).

1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE SE’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR including, in relation to UBS ESE SE, national legislation on data protection in Sweden.[25] To the extent Swedish law corresponds with the EU GDPR, the rules are similar to international transfers under the UK GDPR. As noted by the European Commission’s adequacy decision for onward transfers from the UK, the regime on international transfers under the UK GDPR[26] and UK Data Protection Act 2018 is “in substance identical” to the transfer regime under the EU GDPR.[27] The primary options available to UBS AG London Branch pursuant to EU GDPR and restrictions under Swedish law applicable to UBS ESE SE when disclosing UBS ESE SE’s Covered Books and Records to the SEC in the US are as follows:[28]

(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations from the transfer prohibition are potentially available for facilitating UBS ESE SE's transfer of personal data contained in UBS ESE SE’s Covered Books and Records to the SEC. These derogations include explicit consent, public interest, handling of legal claims and legitimate interest. Of these derogations, we consider explicit consent or legitimate interest to be the most viable solution.

[24] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.

[25] According to Chapter 1, Section 5 of the Swedish Data Protection Act (2018:218), further supplemented by the Swedish Data Protection Ordinance (2018:219), national legislation on data protection applies to processing of personal data in the context of the activities of an establishment of a controller or a processor in Sweden. Considering the objectives of the GDPR, it is our interpretation that mere onward transfer must be assessed based on the laws in the country of origin, which in this case is Sweden.
 
 
(i) Explicit consent (Article 49.1 (a)): This is likely to be the most viable derogation for direct transfer from Sweden to the US, or from Sweden via UK to the US, in the current situation. For a transfer to be lawful based on explicit consent, the consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes.[29] By "freely given" the individual should be offered the genuine choice and must be able to refuse or withdraw a previously given consent without negative consequences. Furthermore, for the derogation to apply, information on all risks associated with the transfer must have been provided in advance to the affected data subjects. It may be particularly difficult to establish that consent is freely given where information relates to UBS ESE SE staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). The consent will only be valid if UBS ESE SE offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE SE also offers its staff the opportunity to withdraw consent at any time. Please note that we have assumed at Assumption of Annex 2 that UBS ESE SE has validly obtained such consent.
 
(ii) Necessary for public interest (Article 49.1 (d)): The relevant public interest must be recognized in either EU law or member state law, but the mere existence of such public interest is not sufficient. The derogation only applies when it can also be deduced from EU law or the law of the member state to which the controller is subject that the data transfer in question should be allowed for important public interest purposes. We have not identified any Swedish law allowing such transfer in the current matter. Furthermore, the derogation only applies to occasional transfers and is subject to a necessity test, meaning that it is not applicable to general or extensive requests for personal data. Consequently, we do not consider it possible for UBS ESE SE to rely on the public interest exception for transferring personal data to the US.

[26] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.

[27] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.

[28] Please also note the restrictions under paragraph in this Annex 1.

[29] Article 4(11) GDPR.
 
(iii) Establishment, exercise or defense of legal claims (Article 49.1 (e)): This option does not apply to unspecified or extensive data requests, nor potential future legal proceedings, and we do not consider it applicable in this case.

(iv) Necessary for the purpose of compelling legitimate interests (Article 49.1-2): This exception can apply to transfer personal data for a compelling legitimate interest. For example, in order to e.g. protect the controller's organization or systems from serious immediate harm or from a severe penalty which would seriously affect its business.[30] The transfer must only concern a limited number of data subjects and prior notification of the transfer must be provided to the supervisory authority. Although the application of this derogation is very narrow, there may be a possibility that UBS ESE SE's legitimate interest to ensure compliance with US law, e.g. to avoid penalties, could be sufficient to demonstrate a compelling reason for the derogation to apply, provided however, that no other derogation is applicable, the result of the balancing test is in UBS ESE SE's favour[31] and the principles of the GDPR are respected.[32]

Each of the derogations above needs to be applied on a case-by-case basis.[33]
 
(b) The Swedish Financial Supervisory Authority route: In certain situations, for example where UBS ESE SE considers the transfer of data to the US to be high risk, it may be possible to arrange for the disclosure to be made to the Swedish Financial Supervisory Authority, which could then transfer the data to the SEC in the US. However, such transfer would have to be approved in advance by the Swedish Authority for Privacy Protection.

1.14 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE SE effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.

[30] See EDPB guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p. 15.

[31] See section 1.5 on the Legal basis for the disclosure.

[32] See section 1.9 on the Data protection principles.

[33] Article 49(1) EU GDPR.

2. BANK CONFIDENTIALITY

2.1 UBS ESE SE is subject to the Swedish Banking and Financing Business Act 2002 (Lag (2004:297) om bank- och finansieringsrörelse) (as amended) (the “SBFBA”) "in applicable parts" (Chapter 1, Section 2 of the SBFBA). There is no authoritative guidance, either in the form of subordinate legislation, regulations of the Swedish Financial Supervisory Authority (Finansinspektionen) or any other public authority in Sweden, case law or self-regulation as to what parts of the SBFBA apply to branches of foreign banks such as UBS ESE SE. However, it is widely assumed that the provisions of bank confidentiality in Chapter 1, Section 10 of the SBFBA do apply to such branches. Pursuant to this section, information about the relationship between private subjects (including both natural persons and legal entities) and the bank may not be disclosed without authorisation. Although this rule has been in force for well over a hundred and thirty years, there is no authoritative guidance, either in the form of subordinate legislation, regulations of the Swedish Financial Supervisory Authority or any other public authority in Sweden, case law or self-regulation as to the concrete effects of the rule. However, it is widely considered that – under general principles of law – consent of the private subject to whom the information pertains would count as authorisation of disclosure. It is not clear what form such authorisation should take or otherwise what the specific conditions for valid consent would be. However, it is reasonable to assume that consent that conforms to the GDPR would be acceptable also for the purposes of Chapter 1, Section 10 of the SBFBA.

3. PRIVACY AND HUMAN RIGHTS

Misuse of private information
3.1 Aside from the GDPR (and other sector-specific data protection legislation that will not apply to UBS ESE SE), there is no stand-alone basis to bring a claim for 'misuse of private information' in Sweden. Although the Swedish Constitution states that the public shall protect the private and family lives of individuals,[34] this addresses a different component of privacy to the protection of confidentiality (which relates to the secrecy of private information), namely the prevention of intrusion into an individual's privacy.

Right to privacy
3.2 The Charter of Fundamental Rights of the EU (the "Charter") provides for respect for private and family life (Article 8) and the protection of personal data (Article 7).[35] The Charter is only applicable to national authorities' interpretation and implementation of union law. Thus, breaches of the Charter are permissible for purposes or rules recognized by the EU, such as the GDPR.

3.3
 
Sweden is a party to the European Convention on Human Rights. The Convention provides
for rights similar to
 
the Charter,
 
but is not limited to
 
matters of
 
union law.
 
Article 8 of the
Convention, confers a general right to “
respect for his private and family life, his home and
his correspondence
" ("
Article 8
"). This right is
 
established in Swedish law implementing
 
the
Convention (
Sw.
 
Lag (1994:1219) om den europeiska konventionen
 
angående skydd för de
mänskliga rättigheterna och de grundläggande
 
friheterna
). A court must take Article 8
 
into
account, even if the action is one among private parties.
3.4
 
Primarily,
 
the rights
 
under the
 
Convention should
 
be assured
 
in the
 
legislative process
 
to
protect against arbitrary interferences and Swedish courts
 
are obliged to interpret Swedish
law in conformity with the
 
Convention.
 
However, Article 8 is a qualified right,
 
meaning that
it can be breached in
 
accordance with Article 8(2)
 
– that is, where doing
 
so is in accordance
with law, necessary in a democratic society,
 
and with a legitimate aim.
 
34
 
The Swedish Constitution, Chapter 1, Paragraph 2.
35
 
The Charter of Fundamental Rights of the European Union (2012/C 326/02).
 
3.5 An action for misuse of private information requires a reasonable expectation of privacy to exist, which is not the case when the individual itself has provided a consent that is considered lawful and valid. Consequently, there could be no breach of the individual's right to privacy under Article 8 for as long as the consent is obtained in accordance with the GDPR.
 
 
 
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a "prudential regulator" as defined by Section 3 of the US Securities Exchange Act of 1934 (the "Securities Exchange Act"). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBS ESE SE or, as the case may be, UBS AG has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE SE, such employees are "associated persons" of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
5. Any data held by UBS ESE SE that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE SE in Sweden. Whilst UBS ESE SE will be subject to direct On-Site Inspection by the SEC in Sweden, UBS ESE SE will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
7. Similarly, UBS ESE SE will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR.[36] We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE SE can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[37]

[36] These principles are set out in Annex 1 at paragraph
 
8. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and 'special category data' under the GDPR (as described in paragraph of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).[38]
 
9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[39] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
10. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)[40]).
11. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.

[37] See the SEC Guidance at 85 FR 6298.
[38] See the SEC Guidance at 85 FR 6298.
[39] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
[40] Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.

 
 
 
 
UBS AG London Branch
5 Broadgate
London
EC2M 2QS
Allen & Overy - Studio Legale Associato
Via Ansperto 5
20123 Milan Italy
Tel +39 02 2904 91
Fax +39 02 2904 9333
Corso Vittorio Emanuele II 284
00186 Rome Italy
Tel +39 06 6842 71
Fax +39 06 6842 7333
Our ref 0010023-0022577 EUO2: 2001685421.2
22 October 2021
Dear Madam/Sir
 
UBS AG SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND
1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).
1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 to 3.5 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).

[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
 
STUDIO LEGALE ASSOCIATO
Partner
Craig Byrne (1,2)
Avv. Livio Bossotto
Avv. Giovanni Gazzaniga
Avv. Paolo Ghiglione
Avv. Massimo Greco
Avv. Dott. Comm. Francesco Guelfi
Avv. Paolo Nastasi
Avv. Pietro Scarfone (1)
Avv. Stefano Sennhauser
Avv. Cristiano Tommasi
Counsel
Avv. Luca Amicarelli
Avv. Pietro Bellone
Avv. Juri Bettinelli
Avv. Nunzio Bicchieri
Lisa Curran (1,3)
Avv. Emilio De Giorgi
Frederic Demeulenaere (1)
Avv. Emiliano La Sala
Avv. Alessandra Pala
Avv. Amilcare Sada

(1) Solicitor, England and Wales
(2) Barrister and Solicitor, British Columbia
(3) Barrister and Solicitor, Ontario
Milan Office: Via Ansperto 5; 20123 Milan (tel +39 02 2904 91; fax +39 02 2904 9333)
Rome Office: Corso Vittorio Emanuele II, 284; 00186 Rome (tel +39 06 6842 71; fax +39 06 6842 7333)
Studio Legale Associato is affiliated with Allen & Overy LLP, a limited liability partnership in England and Wales.
Allen & Overy or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Dusseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, Sao Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
 
1.3 UBS Europe SE is a credit institution incorporated in Germany and subject to prudential supervision by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin). UBS Europe SE is authorised to provide services in Italy (among other jurisdictions). Associated persons of UBS AG located in Italy who effect SBS transactions on behalf of UBS AG will be employed by the Italian branch of UBS Europe SE (UBS ESE IT)[2]. Accordingly, UBS ESE IT will maintain certain Covered Books and Records in Italy on behalf of UBS AG.
You have asked us to issue an opinion affirming that (a) UBS AG London Branch will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE IT in Italy on its behalf and (b) UBS ESE IT can submit to On-Site Inspection by the SEC of UBS AG’s Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph 1.2 above.[3]
 
1.4 This opinion is structured as follows:
(a) Section 2: Summary of opinion;
(b) Section 3: Scope, assumptions and qualifications;
(c) Section 4: Revisions to applicable law;
(d) Section 5: Reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.
 
1.5 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBS ESE IT, will be the Recipient.
 
2. SUMMARY OF OPINION
Subject to the assumptions and qualifications below it is our opinion that, subject to all the conditions set out in this opinion, as a matter of applicable Italian law:
2.1 UBS ESE IT can submit to On-Site Inspection by the SEC. There is no restriction on UBS ESE IT submitting to On-Site Inspection by the SEC[4]. The remainder of this opinion focuses on UBS ESE IT’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Italy and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.
2.2 UBS ESE IT can provide the SEC with prompt access to Covered Books and Records held by UBS ESE IT in Italy either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Italy.[5]
 
 
 
[2] Please see Assumption 13 set out in Annex 2.
[3] In accordance with Assumption 9 in Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE IT to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London branch to the SEC.
[4] Please see Footnote 48 below.
[5] Where a restriction on the ability to transfer personal data or to disclose confidential information applies as a matter of Italian rules on data protection, confidentiality obligations and bank secrecy, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption 6.
 
 
0036335-0000808 UKO1: 2005583510.12
 
 
 
Data Protection[6]
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE IT’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the EU has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, which would be available to UBS ESE IT were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Italy.
2.4 We anticipate that the legitimate interest and consent legal bases for processing are likely to be the most likely applicable grounds under the GDPR to enable disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to permit On-Site Inspection.
 
Duties of confidentiality under Italian civil law applicable to contracts
2.5 By way of general principle, Italian civil law does not expressly provide for specific confidentiality requirements applicable to the parties of a contract governed by Italian law or for a standard model of confidentiality agreements. In particular, and in contrast to requirements applying to other types of contracts (e.g., purchase or service agreements), neither the Italian Civil Code nor other related civil laws provide for pre-determined effects and consequences arising from the execution of a confidentiality agreement or specify the scope of the obligations arising therefrom.
2.6 In the absence of a specific legal framework or restrictions imposed by Courts’ precedents, parties to a non-disclosure or a confidentiality agreement are generally free, in principle, to agree the scope and terms and conditions of any obligation in that respect.
2.7 Given the above, from the sole perspective of confidentiality duties applicable to the parties under Italian contract law, the transfer of data from UBS ESE IT to the SEC would be possible provided that contractual arrangements in place with clients either allow such dissemination of information, or the transfer is consented to, from time to time, by clients themselves, so that UBS ESE IT is not in breach of any contractual arrangement arising from a non-confidentiality/non-disclosure clause, absent possible exemptions. This is without prejudice to the remarks set forth under Section 2.8 below as regards the Italian bank secrecy rules.
Bank secrecy
2.8 Despite the absence of a specific bank secrecy regime in Italy, the duty to keep customers’ data confidential within the provision of financial services stems from statutory obligations on “professionals” (including bankers) and civil law which provides that market practices such as the duty of confidence, which is widely accepted and complied with by Italian financial institutions, including Italian branches of foreign institutions operating in Italy, form legally binding obligations. The breach of confidentiality obligations may entail a liability for the bank towards its customers unless the customer has given consent to the disclosure or an exemption applies (e.g. a “just cause” for disclosing the information). There is no definition of “just cause” under Italian law; however, in general terms, this could be considered as a set of circumstances that legitimate the disclosure of confidential information, such as the existence of a legislative provision or an order from an authority imposing the disclosure.
2.9 The duty of confidentiality would likely apply to UBS ESE IT in respect of the information contained in the Covered Books and Records described at paragraph 3.3(a) below, insofar as that information relates to UBS ESE IT’s clients and is not information owned by or relating to UBS ESE IT itself. As such, in principle UBS ESE IT may not provide such information to third parties unless it gets the Rights Holder’s consent or is able to rely on a just cause.

[6] Please refer to section 1 of Annex 1 for definitions of Data Protection Laws and the GDPR.
 
2.10 As regards the ability of UBS ESE IT to rely on just cause to disclose information to the SEC, under the Memorandum of Understanding entered into between the CONSOB[7] and the SEC on 22 December 2020 (the CONSOB MoU)[8], it is expressly envisaged that the SEC may conduct On-Site Inspection at UBS ESE IT according to the provisions of the CONSOB MoU. Moreover, despite the lack of specific / express provisions in this respect, we consider that a direct request of information from the SEC to UBS ESE IT or UBS AG should be consistent with the terms of the CONSOB MoU. As such, in principle a request of information from the SEC (whether directly or through On-Site Inspection as per the terms of the CONSOB MoU) should constitute a just cause for disclosure. The Memorandum of Understanding entered into by the SEC and the European Central Bank (ECB)[9] (the ECB MoU)[10] contemplates similar provisions to the CONSOB MoU.
2.11 In the absence of a specific exemption, UBS ESE IT may rely on consent from Rights Holders.
Privacy and Human Rights
2.12 Protection for the general fundamental right to “respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in Italy. Actions in respect of Article 8 of the ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the Data Protection Laws.
 
2.13 Article 8 ECHR is, as it were, the legal foundation on which the GDPR has been based. The GDPR is detailing the fundamental right laid down in Article 8 of the ECHR. Thus, Article 8 ECHR and the GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE IT falls entirely within the scope of and is in compliance with the Data Protection Laws, we consider the general fundamental right set out in Article 8 of the ECHR will be protected.
2.14 This summary opinion is not a substitute for the full expression of our views set out in Annex 1.
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS
3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE IT in Italy and On-Site Inspection of UBS ESE IT by the SEC in Italy. The restrictions noted under this opinion apply equally to remote access from the US to Covered Books and Records held in Italy. This opinion excludes books and records held in the US.
 
 
 
[7] Commissione Nazionale per le Società e la Borsa (i.e. the Italian securities and exchange regulator). The CONSOB is competent for supervising firms operating in Italy in relation to the performance of investment services and dealing in financial instruments.
[8] Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to market oversight and the supervision of covered firms. Available here in English: https://www.consob.it/documents/46180/46181/MOU_Consob_Sec_20201222.pdf/bae3b1d6-3ef6-438b-bba0-0b7943cce7a8.
[9] As UBS Europe SE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.
[10] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf). We consider that it is not completely clear whether the ECB MoU would be applicable in this scenario, as we assume that the receiving entity of the SEC request (UBS AG London branch, which is also the entity seeking to register as SBSD) is not subject to the supervision of the ECB. However, the existence of the ECB MoU might be considered as an element that could confirm that the EU accepts that the SEC has a duty to regulate SBS markets and may need to access information, including personal data, maintained by financial institutions located in the EU for this purpose.
 
3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.
3.3 This opinion covers data relating to:
(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE IT) and US Person counterparties[11], insofar as this data is held on behalf of UBS AG by UBS ESE IT (e.g. voice recordings and client communications[12]) (these transactions will be concluded by staff of UBS ESE IT acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and
(b) the activities of the staff of UBS ESE IT pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).
This opinion only covers transactions entered into by UBS AG where UBS ESE IT is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE IT and its own counterparties (even though UBS ESE IT may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).
3.4 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business[13] of the non-resident SBSD.[14] These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[15] (US Person) (other than an SBS conducted through a foreign branch of such US Person[16]); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the US (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[17] or
 
 
[11] Please see Assumption 13 set out in Annex 2.
[12] Legal analysis from local data protection and/or employment law perspective on possibility to record voice calls and/or monitor communications with a client is excluded from the scope of this opinion – please see the Assumption 12 set out in Annex 2.
[13] As defined in 17 CFR §240.3a71-3(a)(8).
[14] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).
[15] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).
[16] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).
[17] 17 CFR § 240.3a71-3(a)(8)(i)(B).
 
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[18]
 
3.5 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.4(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.
3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.
3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.
3.8 No opinion is expressed on matters of fact. The advice provided in this opinion is limited to the matters expressly dealt with herein and does not cover other matters.
4. REVISIONS TO APPLICABLE LAW
4.1 We note that the SEC rules[19] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.
4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.
4.3 This opinion relates solely to the laws of Italy and European Union (EU) law that is directly applicable in Italy (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY
5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.
5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
 
 
 
[18] The requirement set out in this paragraph 3.3(b) does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see the Assumption 1 set out in Annex 2.
[19] 17 CFR § 240.15Fb2-4(c)(2).
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).
5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.
5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

Yours faithfully,

Allen & Overy - Studio Legale Associato

ANNEX 1

OPINION
1. DATA PROTECTION
1.1 The General Data Protection Regulation 2016/679 (GDPR), the General Data Protection Regulation 2016/679 and its local implementation, the Legislative Decree no. 196/2003, as amended in 2018 (the Privacy Code) and guidelines and decisions issued by the Italian Data Protection Authority (the Garante per la Protezione dei dati personali, the Garante) (together, the Data Protection Laws) will apply to UBS ESE IT’s disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE IT staff as well as clients.
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE IT’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.
1.3 Key restrictions in the Data Protection Laws relating to UBS ESE IT’s ability to disclose personal data to the SEC are set out below.
Legal basis for the disclosure
1.4 UBS ESE IT requires a legal basis under Article 6 of the GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please see section 2 below). Whilst there are a number of Article 6 legal bases on which UBS ESE IT may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE IT will need to consider the most appropriate legal basis to apply to any given situation.
1.5 The Article 6 legal bases most applicable to UBS ESE IT, together with their respective limitations, are as follows:
(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[20]
(b) Processing is necessary for the performance of a contract to which the data subject is party (Article 6(1)(b)): this legal basis could be used by UBS ESE IT to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC depending on type of agreements in place between UBS AG London Branch and UBS ESE IT about execution by personnel of the latter of SBS transaction on behalf of UBS AG London Branch. In any event, however, reliance on this basis would not exempt UBS ESE IT from assessing any onward transfer of data to the SEC[21].
[20] As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE IT staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE IT offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE IT also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE IT may be able to rely on an alternative basis for disclosure (e.g. the legitimate interest). In this respect, it could be worth mentioning EDPB’s guidelines on consent under regulation 2016/679, adopted on 4 May 2020, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Please note that valid consent is assumed at Assumption 4 of Annex 2.
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE IT is subject (Article 6(1)(c)): In order to take advantage of this legal basis, the legal obligation with which UBS ESE IT would be required to comply should be the result of a local or EU law or regulation, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE IT as the person subject to it.[22]
In the context of this legal basis for processing, an SEC request in the absence of an Italian or EU legal requirement (e.g. a lawful request from the Bank of Italy or the CONSOB in the exercise of its powers as provided by mandatory laws and regulations) would not justify the disclosure as being necessary for compliance with such an obligation.
We further note that neither the CONSOB MoU nor the ECB MoU create any legally binding obligations.[23]
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): as per the previous legal basis, the task carried out in the public interest should be linked to the Italian or EU law in order for UBS ESE IT to be able to rely on it. Indeed, as mentioned by consideration no. 45 to GDPR, “it should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association”. In this respect, however, Italian scholars consider that this legal basis is mainly aimed at justifying data processing only and exclusively by Italian or EU public authorities, in accordance with provisions of the Data Protection Code.
(e) Legitimate interests (Article 6(1)(f))[24]: This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE IT, as data controller, must:
(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;
(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and
(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own. If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE IT or the third party.
[21] Please see paragraph 1.13 and subs below in this respect.
[22] Recital 41 GDPR.
[23] Article II, par. 13 of the CONSOB MoU and Article II paragraph 27 of the ECB MoU.
[24] With respect to the existence of a legitimate interest as a legal basis for processing of data, please consider conditions set out by the Garante on 22 February 2018 (available here https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/8080493, in Italian only) according to which any data controller, before deciding to rely on such legal basis, should, inter alia, and on top of the measures indicated in points (i) to (iii) of this paragraph, perform in advance a data protection impact assessment pursuant to article 35 GDPR, considering specific factors and circumstances.
 
 
An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBS ESE IT would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.
The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE IT may argue that its interests are not outweighed by those of its clients or its employees on the basis that:
(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and
(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.
In addition, while focused on the relationship between the SEC and the CONSOB, the existence of the CONSOB MoU arguably reflects an acceptance in Italy that the SEC has a duty to regulate SBS markets and may need to access information maintained by financial institutions located in Italy for this purpose. This argument is further supported by the ECB MoU, which similarly reflects an understanding of the SEC’s duties and an acceptance regarding the need for information, including personal data, to be provided to the SEC.
Also relevant to this balancing of interests are that the SEC will:
(1) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[25] and
(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[26]
 
 
 
[25] Please refer to Assumptions 5 and 7 in Annex 2, as well as Article II and paragraph 49 of the ECB MoU.
[26] Please refer to Assumption 8 in Annex 2, as well as Article VI of the CONSOB MoU and paragraph 56 of the ECB MoU.
 
As with the public interest basis, individuals have the right to object to processing under this legitimate interest basis.[27]
Based upon the above, the legitimate interests and consent bases for processing (provided that all requirements for each of such two legal bases are met) are likely to be the most appropriate Article 6 grounds on which UBS ESE IT could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
1.6 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE IT might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US person.[28] However, to the extent that this does occur, in addition to an Article 6 legal basis, UBS ESE IT will need to establish an additional legal basis for processing under Article 9 of the GDPR if it discloses special categories of data to the SEC. In this respect, other than a valid consent[29], the Article 9 legal basis that is most likely to apply to disclosure of Covered Books and Records is found in Article 9(2)(f): processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
1.7 Similarly, as set out for special categories of personal data, UBS ESE IT’s processing of personal data relating to criminal convictions and offences of its employees is highly restricted and can only be disclosed subject to specific conditions being met. In this respect, it needs to be flagged that article 8-octies of the Privacy Code, as amended by Legislative Decree no. 101/2018 following the entry into force of GDPR and implementing Article 10 of the GDPR provides that processing of criminal data by controllers that are not a “public authority”[30], must be made in line with provisions of applicable law, or specific regulation, to be made considering certain criteria set out by the same article 8-octies. In its opinion issued on 24 June 2021[31], the Garante gave its approval to a scheme of regulation drafted by the Italian Ministry of Justice, to set out terms and conditions for processing criminal data by non-public authorities. Further to such opinion, no regulation has been approved as yet.
However, paragraph 3 of the abovementioned article 8-octies seems to allow processing of criminal data in some specific circumstances. In our opinion, the exemptions most likely to apply to disclosure of Covered Books and Records are those under points: (c) verifying or ascertaining the integrity requirements, subjective requirements and disqualification conditions in the cases provided for by laws or regulations; (e) the ascertainment, exercise or defence of a right in court; or (m) the fulfilment of the obligations established by the regulations in force concerning the prevention of the use of the financial system for the purpose of money laundering and terrorist financing.
In this respect, however, and also considering the very unclear wording of such article 8-octies, par. 3 of the Privacy Code, the scope and validity of the abovementioned provision is debated by Italian scholars in light of the lack of a regulation made by the Ministry of Justice, as said, not yet approved, and which is supposed to set out, inter alia, guarantees to rights and freedom of data subjects.
[27] Article 2(1), GDPR.
[28] As we understand, is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
[29] Article 9(2)(a) GDPR please also refer to the discussion of consent at footnote no 12 above.
[30] By “public authority”, it is intended any Italian public authority. Data processing by public authorities is subject to a different set of rules (namely, EU regulation 2016/680, implemented in Italy by the Legislative Decree 51/2018).
[31] Opinion available here at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9682603, in Italian only.
 
 
Data protection principles
1.8 In addition to establishing a legal basis for the disclosure, UBS ESE IT would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the GDPR. For example, UBS ESE IT must:
(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided in advance with fair processing information (usually in the form of a privacy notice or statement);
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
1.9 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE IT to verify this and implement its own compliance measures.
International transfers
1.10 The general principle in the GDPR is that UBS ESE IT may not transfer personal data to a jurisdiction outside the European Economic Area, unless it can satisfy a condition for the transfer as set out in its Chapter V.
1.11 Article 45 of GDPR allows for UBS ESE IT to transfer personal data to a recipient outside the EEA where the transfer is based on adequacy decisions issued by the EU Commission. In this respect, on 16 July 2020 the Court of Justice of the European Union invalidated the Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement. The judgment upheld the validity of standard contractual clauses to allow data transfers under the GDPR, but requires data controllers to assess the level of data protection in the recipient’s country and to adopt “supplementary measures” if needed.
1.12 For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[32] allows transfers of personal data from the EEA, including Italy, to the UK to be made freely. Any transfer from UBS ESE IT to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the GDPR).
[32] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.
1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the GDPR any onward transfer of UBS ESE IT’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the UK addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR[33] and UK Data Protection Act 2018 is in substance identical” to the transfer regime under the GDPR.[34] The primary options available under GDPR to UBS AG London Branch pursuant to this GDPR restriction applicable to UBS ESE IT when disclosing personal data contained in UBS ESE IT’s Covered Books and Records to the SEC in the US are as follows:
(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE IT’s Covered Books and Records to the SEC. These derogations include:[35]
(A) Consent: according to the FAQs published by the EDPB following the abovementioned decision of the Court of Justice of the European Union on 16 July 2020[36], consent should be (i) explicit, (ii) specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place even if this occurs after the collection of the data has been made), and (iii) informed, particularly as to the possible risks of the transfer (meaning the data subject should also be informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented).[37]
(B) Legitimate interests: Article 49, par. 1 of the GDPR makes clear that a data transfer on the basis of legitimate interests may only take place if (i) the transfer is not repetitive, (ii) the transfer concerns only a limited number of data subjects, (iii) the transfer is necessary for the purposes of compelling legitimate interests pursued by UBS ESE IT, (iv) UBS ESE IT’s legitimate interests are not overridden by the interests or rights and freedoms of the Rights Holder, (v) UBS ESE IT has assessed all the circumstances surrounding the transfer, and (vi) UBS ESE IT has, on the basis of that assessment, provided suitable safeguards with regard to the protection of data.
UBS ESE IT must also ensure it applies the ‘necessary’ test to ensure that only the personal data necessary for the SEC’s purposes is transferred[38].
UBS ESE IT should not rely on any of the derogations for making transfers on a large scale and/or in a systematic manner, and their use must be considered on a case-by-case basis for separate requests of the SEC, with UBS ESE IT keeping records of the transfers that evidence the careful analysis that led them to rely on that derogation.
(b) Public local authorities route: In certain situations, for example where UBS ESE IT considers the transfer of data to UBS AG London Branch for the purpose of providing information to the SEC to be high risk, it may be possible to arrange for the disclosure to be made to local authorities, which could then transfer the data to the SEC in the US.
 
 
 
[33] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.
[34] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
[35] These derogations should not be considered a blanket approval for UBS ESE IT to transfer data to the SEC under this basis.
[36] Also adopted by the Italian DPA and available in Italian on its website at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9443857
[37] Please note that valid consent is assumed in Assumption 4 of Annex 2.
[38] Please also refer to par. 1.5(d) and footnote no. 14.
 
In this respect, please refer to our paragraph 3.14 below regarding the MoU in place between the SEC and CONSOB as well as the “Administrative arrangement for the transfer of personal data” between each of the EEA Authorities and the SEC (among other non-EEA authorities)[39], setting out safeguards and restrictions applicable to transfer of data between authorities, as well as of the opinion issued by the European Data Protection Board (EDPB) on 12 February 2019, no. 4.[40]
 
1.14 Mere access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE IT effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
2. DUTIES OF CONFIDENTIALITY UNDER ITALIAN CIVIL LAW

Italian civil law applicable to contracts

2.1 By way of general principle, Italian civil law does not expressly provide for specific confidentiality requirements applicable to the parties to a contract governed by Italian law or for a standard model of confidentiality agreements. In particular, in contrast to requirements that are applicable to other types of contracts (e.g., purchase or service agreements), neither the Italian Civil Code nor other civil laws provide for pre-determined effects and consequences arising from the execution of a confidentiality agreement or specify the scope of the obligations arising therefrom.

2.2 There are very limited Courts’ precedents in this context, since this is a matter which Courts have rarely debated. In any event, pursuant to article 1322 of the Italian Civil Code, parties to an agreement are free to determine the content of an obligation within the limits imposed by applicable law and to the extent that such obligation is aimed at achieving an interest deserving protection by the legal system.

2.3 There are, however, some cases in which Italian law provided for some general confidentiality obligations, by listing duties of confidentiality of employees in favour of their employers (in article 2105 of the Italian Civil Code), or by describing the scope of the breach of a company’s secrets in the context of unfair competition (article 98 of legislative decree no. 30/2005, so-called Code of the Industrial Property).

2.4 In the vast majority of cases, however, the obligation not to disclose some information and/or not to use or to limit the use of certain information is agreed among parties by setting out specific covenants or clauses, which can be independent from other agreements or connected to and dependent on other arrangements.

2.5 In the absence of a specific legal framework or restrictions imposed by Courts’ precedents, in principle parties to a non-disclosure or a confidentiality agreement are generally free[41] to agree, among other matters, (i) what information is and is not covered by the covenant; (ii) if there are some exceptions to the confidentiality obligations (e.g., whether some information can be disclosed to certain third parties); (iii) whether this is fixed-term or open-ended; (iv) if information covered by the contractual restrictions can be used by the bound party (e.g. in the context of a due diligence process) or not, and to what extent.

2.6 In order for a non-disclosure agreement to be valid under Italian law, the reason why two or more parties are executing the agreement does not generally matter.
 
 
 
[39] To which SEC is signatory as from 10 May 2019 and CONSOB from 7 June 2019. Text available at the following link: https://www.iosco.org/about/?subsection=administrative_arrangement

[40] Available at the following link: https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-42019-draft-aa-between-eea-and-non-eea_en

[41] Parties are bound by the limits envisaged by Article 1322 of the Italian Civil Code (please see Section 2.2 above).
 
 
Penalty clause

2.7 Parties are generally free to include in confidentiality/non-disclosure agreements some penalty clauses, in order to further secure the obligation.

2.8 In this respect, however, it is relevant that, pursuant to article 1384 of the Italian Civil Code, Courts have the power to reduce to an equitable sum the amount to be paid by way of penalty by a party in breach of its confidentiality obligations, in the event that such amount is deemed openly exaggerated in relation to the overall value of the obligation and the interests at stake.
Consent

2.9 Disclosure of confidential information is permissible where the disclosing party has given their consent to the disclosure of their confidential information to certain or, in general pre-determined, third parties. Please note that we have assumed at Assumption 4 of Annex 2 that UBS ESE IT has validly obtained, or will validly obtain, such consent as is necessary for such disclosure of confidential information.

2.10 Lists of third parties to whom information can be disclosed can be also set out in advance in the agreement or agreed from time to time.
Compulsion of law

2.11 Information that would otherwise be confidential may be disclosed when required by a statutory provision or court order. Indeed, as mentioned, parties are free to determine the content of an obligation, to the extent that it is in compliance with the legal framework.

2.12 By way of example, with decision dated 14 March 2018, the Civil Court of Milan stated that a shareholder of a company who, at the same time, is not its director has the power granted by article 2476 of the Italian Civil Code to inspect and have access to corporate documents, notwithstanding the existence of a non-disclosure agreement among the other shareholders.

2.13 Similarly, with a recent decision on 2 August 2021, the Administrative Court of Rome stated that access right to documentation of public interest granted by Italian laws to citizens under specific circumstances prevails over the existence of a confidentiality agreement among the private parties that drafted such documentation.

2.14 To satisfy this compulsion of law exception it is likely that UBS ESE IT would have to rely on an Italian (or an EU) statute – a provision of US law, such as an SEC Rule, is unlikely to be sufficient for this purpose.

2.15 Equally, a US court order is also unlikely to be sufficient for this purpose, unless this order is properly recognised by the Italian legal system according to ordinary civil or criminal procedure rules in place from time to time.

2.16 Please note that the remarks set forth above are without prejudice to the principles and requirements applicable under the Italian bank secrecy rules (please see Section 3 below and in particular paragraph 3.5 and ff. below).
3. BANK SECRECY

Bank secrecy under Italian Law

3.1 There is no specific bank secrecy regime under Italian law, meaning that under the Italian banking and financial laws there is not a separate set of statutory provisions which specifically set forth strict bank secrecy requirements applicable to financial institutions (such as banks) operating in Italy. In particular, under Italian banking and financial laws there are no statutory provisions setting forth (i) an express or strict obligation for banks to keep the information acquired within the performance of banking or financial services confidential, (ii) the conditions under which the disclosure of customers’ information may be allowed, and (iii) the exemptions from the conditions under (ii) above.
3.2 Nonetheless, a duty of confidentiality is considered by the Italian Courts and legal theory as an implied term of the contract between banks (or other financial institutions) and their customers. In particular, such duty of confidentiality is based on certain general rules of Italian law including:

(a) Article 622 of the Italian Criminal Code which imposes a general secrecy obligation on professionals (segreto professionale i.e. “professional secrecy”) by providing criminal sanctions for those professionals who, being aware of certain confidential information due to the performance of their office, disclose such secrets to third parties, save where they act pursuant to a “just cause” (giusta causa); in this context, banks are considered to be “professionals”;

(b) Articles 1(4) and 8 of the introductory provisions to the Italian Civil Code (“Preleggi”) provide that “usages” (usi, i.e. customary market practices) are considered as a legal source of rights and obligations in matters which are not governed by specific laws or regulations. The existence of a duty to keep customers’ data confidential within the provision of financial services is widely accepted and complied with by Italian financial institutions, including Italian branches of foreign institutions operating in Italy[42], and the general market practice is to acquire the customer’s prior written consent before disclosing its information to third parties. In our view this practice forms a “usage” that is binding upon the parties to a contract pursuant to Article 1374 of the Italian Civil Code; and

(c) Articles 1175 and 1375 of the Italian Civil Code which set forth the principles of fairness and good faith in the execution of a contract.
3.3 In addition, we consider that the general duty of confidentiality for banks may be grounded on the rule which imposes on banks an obligation to act according to the principle of fairness when providing banking or financial services to clients, as envisaged under the Italian banking transparency regulation[43].

3.4 Given the absence of statutory provisions setting forth a specific bank secrecy regime in Italy, the scope of the bank secrecy obligations currently remains within a grey-area under Italian law. In principle the duty of confidentiality should apply to any client’s information which is not already public. As the information contained in the Covered Books and Records is not publicly available, it will likely be qualified as confidential information insofar as that information relates to UBS ESE IT’s clients and is not information owned by or relating to UBS ESE IT itself. In any case, the restrictions under the Italian bank secrecy regime mentioned herein should not apply if the Covered Books and Records and relevant information do not relate to Italian counterparties.

Consent requirement

3.5 Based on the principles mentioned above, even in the absence of specific bank secrecy regime in Italy, the breach of the duty of confidentiality may entail a liability for the bank towards its customers unless the customer has given consent to the disclosure or an exemption applies.
 
[42] Despite the absence of specific guidance on the issue, we believe that the bank secrecy principles as set forth in this Section should reasonably apply also to Italian branches of foreign banks, as it is the case also for other regulatory conduct-related requirements.

[43] Bank of Italy Regulation of 29 July 2009 as amended from time to time.
 
 
 
3.6 This entails in practice that by way of general principle, the Rights Holder’s written consent may be required in order for UBS ESE IT to be able to disclose confidential information to third parties (please see below)[44].

3.7 Please note that the duty of confidentiality and the related consent requirement do not depend on whether the Rights Holder is a professional or institutional client or a retail client as they should apply to any customer of the bank.
Exemptions from the consent requirement – Just cause
3.8 Based on the general rules mentioned above under paragraph 3.2 of this Annex 1, as a matter of Italian law it should be possible to exclude the need for an express consent from the Rights Holder when the disclosure is justified by a “just cause”.

3.9 The principle of “just cause” (as outlined in Article 622 of the Italian Criminal Code mentioned above) would exempt professionals (including banks) that disclose confidential information to third parties from being alleged with a breach of the confidentiality obligation. There is no definition of “just cause” under Article 622 of the Italian Criminal Code nor have the Italian courts clarified the scope/meaning of this concept. However, in general terms (i.e. with no specific reference to bank secrecy), this could be considered as a set of circumstances that legitimate the disclosure of confidential information, such as the existence of a legislative provision imposing the disclosure or the order of an authority (e.g. a court order).

3.10 In this respect, we note that under Italian law, banks operating in Italy may be subject to mandatory requests to provide information to supervisory authorities under certain circumstances. In particular, the mandatory nature of such requests may be inferred from certain provisions which envisage the application of sanctions in case of non-compliance with the request of information[45]. We consider that in principle responding to a request of disclosure from an Italian regulator may theoretically be considered as a “just cause” for the disclosure of confidential information.
3.11 However, we cannot exclude that the just cause as per Paragraph 3.10 and 3.11 above could be limited to mandatory requests for information coming from Italian authorities. Indeed, whilst under the Italian banking and financial regulations there are no specific prohibitions or restrictions to the effect that the Italian branch of an EEA bank may not submit to inspections by, or provide documents to, a foreign (e.g. third country) authority, by way of general principle we cannot exclude that under certain circumstances a request for information coming from a foreign authority may be considered as non-binding as a matter of Italian law and thus may not exempt a firm from the confidentiality duties imposed on it under the bank secrecy rules[46]. As such, lacking a specific provision in the context of a bank secrecy regime, it is not clear under Italian law whether a request of information coming from the SEC may be considered as “binding” upon UBS ESE IT and thus as a just cause for the purposes of exempting UBS ESE IT from the requirement to obtain prior consent from the Rights Holder[47].

[44] As mentioned above, based on Assumption 4 we assume that if a consent for the disclosure is required, this will be validly provided by the Rights Holder.

[45] We consider that the “legitimate” nature of the request should be presumed to the extent the request comes from a public authority who has effective supervisory powers on the banks as envisaged under the law.

[46] We note that under the Italian banking and financial regulation, certain provisions envisage the carrying out of on-site inspections by foreign regulators. In particular, pursuant to Article 54 of Legislative Decree No. 385 of 1st September 1993 (the Italian Banking Act) the Bank of Italy may agree with the supervisory authority of a third country the modalities for carrying out inspections at the branches of banks based in the respective countries, on a reciprocity basis. In addition, pursuant to Article 6-ter(8) of Legislative Decree No. 58 of 24 February 1998 (the Italian Financial Act) the Bank of Italy and CONSOB (within the respective areas of supervision) may agree with the supervisory authorities of third countries the modalities for inspections of branches of investment firms or banks located within the respective territories. We consider that these provisions relate to bilateral relationships between the Bank of Italy and CONSOB (on one side) and a third country regulator (on the other side) having as object local inspections within the respective territories but limited to branches of firms based in such territories, in principle including e.g. inspections by the SEC at Italian branches of US banks (or vice versa). Therefore, we consider that these provisions should not be relevant here as the target firm (UBS ESE IT) is not the Italian branch of a US bank. In any case, whilst these provisions empower the Bank of Italy and CONSOB to agree on the modalities for inspections of local branches through an arrangement with the third country regulator (e.g. through a cooperation agreement or memorandum of understanding), such arrangement (or the lack thereof) should not of itself be conclusive to determine the legal basis for the powers of a foreign regulator to be able to carry out said inspections at (or to obtain documents / information from) branches located in Italy. Indeed we assume that we are not required to provide advice on the general ability of the SEC as a prudential regulator to exercise supervisory functions including through local access or inspections (including the carrying out of On-Site Inspection) and to obtain documents and information from firms/branches located in Italy which are under the jurisdiction of the SEC in respect of the provision of services in the US and we assume this matter is out of scope of this opinion. In particular, our analysis as set forth herein focuses on the restrictions applicable to UBS ESE IT for submitting to inspections and providing access to Covered Books and Records and particularly on the issue of whether a request from the SEC to UBS ESE IT may constitute the legal ground in order for UBS ESE IT to be exempted from the duty of confidentiality under the Italian bank secrecy regime.
 
3.12 Moreover, we note that, although not expressly set forth under Article 622 of the Italian Criminal Code, it seems that a pre-condition for a disclosure of information to be in breach of professional secrecy is that said disclosure is made to “third parties”. In this scenario, the Covered Books and Records would be provided by UBS ESE IT to UBS AG London branch (and then sent by UBS AG London branch to the SEC) and, therefore, to another entity of the same group. Based on general principle of Italian financial regulation, entities within the same corporate group are generally not considered as “third parties”. Therefore we consider that, in principle, it might be argued that the duty of confidentiality might not be applicable in this scenario as the disclosure of information would occur at an intra-group level and not towards “third parties”. However, given the absence of a specific exemption for intra-group transfers, we are unable to provide a definitive confirmation that intra-group disclosure of information would be considered as a just cause or an exemption from the requirement to obtain prior consent from the Rights Holder.

3.13 Provided the above, consent would therefore provide a more reliable basis on which to provide the SEC access to Covered Books and Records and to submit to On-Site Inspection.
Cooperation agreements entered into by the SEC
3.14 On 22 December 2020, CONSOB and the SEC entered into the CONSOB MoU. The CONSOB MoU is a Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to market oversight and the supervision of covered firms[48].

3.15 Generally speaking, the CONSOB MoU is a “statement of intent to consult, cooperate, and exchange information in connection with the supervision and oversight of Covered Firms that conduct financial services business in either, or both, the United States and Italy”[49].

3.16 The CONSOB MoU defines:

(a) “Covered Firm” as a Person authorized, designated, qualified, registered, or otherwise regulated by, supervised by or subject to the oversight of, one or both of the Authorities [i.e. CONSOB and the SEC], who conducts investment, securities, derivatives, asset management, securities processing, or banking business or participates in securities or derivatives markets (collectively “financial services business”) in either, or both, the United States and Italy[50];

(b) “Covered Firms” as inter alia security-based swap dealers[51];
 
[47] In particular, we have not been able to find a specific case law which would clarify whether banks may rely on this “just cause” in order to disclose information to third parties.

[48] Pursuant to Article 4(3) of the Italian Financial Act, the Bank of Italy and CONSOB may cooperate with the authorities of third countries including through the exchange of information (as noted under Footnote 48 above, the Bank of Italy and CONSOB may agree with third country authorities the modalities for local inspections). Please note that according to Article 7(7) of the Italian Banking Act the Bank of Italy may exchange information with the authorities of third countries pursuant to the terms of cooperation agreements concluded with such authorities. We were not able to find a memorandum of understanding entered into by the SEC with the Bank of Italy which is the Italian prudential regulator for credit institutions, with limited supervisory powers on Italian branches of EEA banks. Please see Footnote 48 above.

[49] Paragraph 12 of the CONSOB MoU.

[50] Paragraph 3(a) of the CONSOB MoU.

[51] Paragraph 3(b) of the CONSOB MoU.
 
 
 
(c) “Books and Records” as documents, electronic media, and books and records within the possession, custody, or control of, and other information about, a Covered Firm, and which may include personal data[52];

(d) “On-Site Visit” as any regulatory visit to the premises of a Covered Firm […] for the purposes of ongoing supervision and oversight, including the inspection of Books and Records[53].
3.17 The CONSOB MoU provides for the possibility for the SEC to conduct On-Site Visits of Covered Firms located in Italy, including to inspect, examine, and obtain Books and Records of a Covered Firm directly through such On-Site Visits[54]. An On-Site Visit should be carried out in accordance with Paragraph 28 of the CONSOB MoU, which requires the SEC, inter alia, to notify CONSOB of its intent to conduct the inspection.

3.18 In addition, the CONSOB MoU prescribes that the SEC can submit a “request for assistance” to CONSOB in order to, inter alia, “obtain information not reasonably otherwise available to the Requesting Authority”, which could include also “Information responsive to requests from an Authority, or an entity to which an Authority has delegated registration functions, related to the fitness of an applicant for authorization, registration, or exemption therefrom”. The request for assistance shall be submitted pursuant to Paragraph 22 of the CONSOB MoU.

3.19 The CONSOB MoU does not contain a specific provision setting out the possibility for the SEC to directly request Covered Books and Records when necessary to fulfil its regulatory mandate. However, Paragraph 32 of the CONSOB MoU, in dealing with the permissible use of the information acquired, provides that “The restrictions in this MOU do not apply to an Authority’s use of information that an Authority obtains directly from a Covered Firm, whether during an On-Site Visit or otherwise”.
3.20 In light of the above, despite the absence of a specific provision in the CONSOB MoU granting the SEC with the power of directly requesting access to the Books and Records, such possibility does not seem to be restricted by the CONSOB MoU, which sets out remedies (such as the possibility to submit a request for assistance to CONSOB or to carry out an On-Site Visit) in order for the SEC to obtain information not otherwise available to it, including information obtained directly from a Covered Firm. In particular, the CONSOB MoU and the ECB MoU seem to anticipate that the SEC could obtain relevant information from Covered Firms in ways other than through the carrying out of an On-Site Visit pursuant to the terms of the CONSOB MoU and thus do not restrict the ability of the SEC to obtain information in such other ways.

3.21 We consider that this interpretation is consistent with the intent and purpose of the CONSOB MoU which is to facilitate cooperation and exchange of information with the SEC[55]. In addition, we consider that this interpretation is in line with the scope of the CONSOB MoU which should not of itself restrict the general ability of the SEC to carry out On-Site Visits or request information from firms which are under its jurisdiction, in the context of fulfilling its supervisory duties in accordance with US laws[56].
[52] Paragraph 2 of the CONSOB MoU.

[53] Paragraph 7 of the CONSOB MoU.

[54] Paragraph 27 of the CONSOB MoU.

[55] Pursuant to Article II, Section 12 of the CONSOB MoU “This MOU is a statement of intent to consult, cooperate, and exchange information in connection with the supervision and oversight of Covered Firms that conduct financial services business in either, or both, the United States and Italy”.

[56] As mentioned under Footnote 48 above, we consider that the general ability / permission of a foreign regulator to carry out inspections at, or ask information to, firms based in Italy should be governed by general international law rules. As such we assume that the SEC is generally able to perform those actions in Italy under applicable international law rules and the CONSOB MoU and ECB MoU (and relevant rights of the SEC thereunder) is consistent with such rules. This statement seems to be confirmed by the provisions of the CONSOB MoU and the ECB MoU. In particular, pursuant to Article II, Section 12 of the CONSOB MoU “The cooperation and information sharing arrangements under this MOU should be interpreted and implemented in a manner that is permitted by, and consistent with, the legal requirements applicable to each Authority”. Pursuant to Article II, Section 13 of the CONSOB MoU “This MOU does not create any legally binding obligations, confer any rights or supersede applicable laws”. In addition, pursuant to Article II, Section 14 of the CONSOB MoU “This MOU is not intended to limit or condition the discretion of an Authority in any way in the discharge of its regulatory responsibilities or to prejudice the individual responsibilities or autonomy of any Authority. This MOU does not limit the ability of an Authority to take measures not described in this MOU in fulfilment of its supervisory and oversight functions or preclude Authorities from sharing information or documents with respect to Persons that are not Covered Firms but may be subject to regulatory requirements in the United States and in Italy. In particular, this MOU does not limit any right of any Authority to communicate with, conduct an On-Site Visit of (subject to the procedures described in Article IV), or obtain information or documents from, any Person subject to its jurisdiction that may be physically located in the jurisdiction of another Authority in accordance with applicable laws”.
 
 
 
3.22 Based on the above remarks, we consider that in principle a direct request of information from the SEC to UBS ESE IT or UBS AG, and the subsequent disclosure of Covered Books and Records by UBS ESE IT to UBS AG London Branch for the purpose of providing information to the SEC, should be consistent with the terms of the CONSOB MoU and implicitly allowed by the CONSOB MoU[57].

3.23 In any case, we note that the CONSOB MoU regulates the relationship between the SEC and CONSOB. As such, in (implicitly) allowing that the SEC may request information directly from Covered Firms such as UBS ESE IT, the CONSOB MoU does not stipulate or imply that UBS ESE IT would be able to provide information to the SEC without obtaining a consent from the Rights Holder[58].

3.24 In this respect, as mentioned above, considering the lack of a specific bank secrecy regime under Italian law, it is not completely clear whether under Italian law a request of information from the SEC may represent a “just cause” under the Italian bank secrecy rules in order for UBS ESE IT to be exempted from obtaining the Rights Holder’s consent. Based on the Assumptions[59], we consider that in principle a request of information coming from the SEC should be deemed as mandatory for UBS AG (or UBS ESE IT, as applicable) to the extent that a sanction could be applied to UBS AG (or UBS ESE IT, as applicable) in case of non-compliance with such request[60]. In this context, a sanction might include restrictions on UBS AG’s ability to rely on or maintain its registration with the SEC as a non-resident SBSD although in the absence of a specific exemption this position is not free from all doubt. Based on the remarks above, a request for information from the SEC may be considered as a “just cause” for UBS ESE IT i.e. as an exemption from the general requirement to obtain consent from the Rights Holders provided that UBS ESE IT (or UBS AG) would be subject to sanctions in case of non-compliance with such request, although as noted above in the absence of an express guidance on this specific issue under the Italian bank secrecy rules, this position is not free from all doubt[61].
4. PRIVACY AND HUMAN RIGHTS

4.1 Article 8 of the European Convention on Human Rights (ECHR) confers a general right to “respect for his private and family life, his home and his correspondence”. This right is directly applicable in Italy.[62] The right to privacy clearly applies to natural persons. In certain situations legal persons, such as companies, have been held to benefit from a right to privacy. The European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8 ECHR.[63]

4.2 Article 8 ECHR does not in itself give rise to a free-standing cause of action – instead an action arising from a wrongful act, a breach of agreement or other legal obligation, such as under the GDPR, must be brought, and the court will then be obliged to consider the application of Article 8 ECHR.
 
 
 
[57] Please note that this conclusion is grounded on a consequential interpretation of the provisions of the CONSOB MoU, whilst as said there is not an express provision to the effect that the SEC may directly request information to Covered Firms (such as UBS ESE IT) without activating the procedures envisaged under the CONSOB MoU. As such, a prudent approach would be to verify with CONSOB that this interpretation is consistent with the CONSOB MoU and more generally with CONSOB’s position.

[58] Subject to the applicability of the ECB MoU mentioned in footnote No. 10 above, we note that the ECB MoU contains similar provisions to those of the CONSOB MoU mentioned in this section.

[59] Reference is to Assumption 5, 7 and 8.

[60] As mentioned above the CONSOB MoU and the ECB MoU seem to recognise that the SEC may request and obtain information from Covered Firms directly, which we assume should reasonably include inter alia requests for obtaining information relating to UBS ESE IT’s clients.

[61] In any case, please note that client’s consent is assumed as per Assumption 4 of Annex 2.

[62] Article 10 of the Italian Constitution and law no. 848/1955, that ratified ECHR convention by Italy.

[63] Firma EDV Für Sie, EFS Elecktronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.
 
0036335-0000808 UKO1: 2005583510.12
 
 
 
4.3 Article 8 ECHR is, as it were, the fundamental legal foundation on which the GDPR has been based. The GDPR elaborates on the applicable principles of and the rules on the protection of natural persons when it comes to processing of personal data.⁶⁴ The ECHR can further be relied upon when interpreting this GDPR law if necessary. The GDPR can therefore be seen as the regulation detailing the right laid down in Article 8 ECHR, when it comes to the processing of personal data. The GDPR and Article ECHR cannot be seen entirely separately from each other.

Application and exceptions
4.4 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:

(a) in accordance with the law;

This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is an act of parliament, delegated legislation or case law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.⁶⁵ The relevant consideration on the first aspect is the legal basis on which the court would allow Article 8 ECHR to be breached. The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant legal duty with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.

(b) is necessary in a democratic society;

This criterion is intended to ensure the proportionality of an intrusion into private life. To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.⁶⁶ and

(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).

This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.
 
4.5 As the GDPR and Article 8 ECHR cannot be seen entirely separately from each other, and the provision of information to the SEC by UBS ESE IT will, insofar this contains personal data, fall entirely within the scope of the GDPR, we consider that the criteria set out in paragraph 4.4 are met, as long as UBS ESE IT complies with the requirements set out in paragraphs 1 above.
64 See also considerations (1) and (2) GDPR.

65 Malone v UK [1984] ECHR 10 at 68.

66 Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
 
ANNEX 2

ASSUMPTIONS

This opinion relies on the following assumptions:

1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.

2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
 
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBS ESE IT or, as the case may be, UBS AG, has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE IT, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
5. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
6. Similarly, UBS ESE IT will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the GDPR.⁶⁷ We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE IT can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.
7. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the GDPR (as described in paragraph 1.2 of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).⁶⁸
 
67 These principles are set out in Annex 1 at paragraph 1.8.

68 See the SEC Guidance at 85 FR 6298.
 
 
 
8. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,⁶⁹ pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality and, in any event, data processing is made in compliance with the “Administrative arrangement for the transfer of personal data” between each of the EEA Authorities and each of the non-EEA authorities described at paragraph 1.13 of Annex 1 above.
9. Any data held by UBS ESE IT that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE IT in Italy. Whilst UBS ESE IT will be subject to direct On-Site Inspection by the SEC in Italy, UBS ESE IT will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
 
10. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)⁷⁰).
11. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.
12. Any assessment/legal analysis from local data protection and/or employment law perspective on possibility to record voice calls and/or monitor communications with client has already been carried out by UBS ESE IT and/or UBS AG and it is excluded from the scope of this opinion. Likewise any assessment/legal analysis from an Italian financial regulatory perspective on the possibility for UBS AG to carry out the SBS transactions through the modalities set forth herein has already been carried out by UBS ESE IT and/or UBS AG and it is excluded from the scope of this opinion.
13. We have not analysed contractual relationship(s) in place between UBS AG and UBS ESE IT for the execution of SBS transactions concluded by associated persons of UBS AG employed by UBS ESE IT.

14. UBS AG will comply with the restrictions set forth in this opinion to the extent that it is the owner of the information included in the Covered Books and Records for the purposes of the Italian bank secrecy regime.
69 We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
70 Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 
 
 
 
 
 
 
 
UBS AG London Branch
5 Broadgate
London
EC2M 2QS

Allen & Overy LLP
One Bishops Square
London E1 6AD
United Kingdom
Tel +44 (0)20 3088 0000
Fax +44 (0)20 3088 0088

Our ref 0036335-0000808

22 October 2021

Dear Sir or Madam
 
UBS London Branch SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG (UBS), a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).
1.2 To register as an SBSD with the SEC, a non-resident SBSD¹ such as UBS must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:

(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs to (Covered Books and Records); and

(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).
1.3 Associated persons of UBS located in the UK who effect SBS transactions on behalf of UBS will be employed by UBS. UBS will maintain certain Covered Books and Records in its London Branch (UBSLB), which is authorised in the United Kingdom (UK).
1.4 You have asked us to issue an opinion affirming that UBSLB will be able to provide the SEC with prompt access to its books and records and submit to On-Site Inspection by the SEC in accordance with paragraph

1.5 This opinion is structured as follows:

(a) Section :

(b) Section : ;
 
1 In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS is incorporated in Switzerland, UBS fulfils this definition of a “non-resident” SBSD.
 
Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. It is authorised and regulated by the Solicitors Regulation Authority of England and Wales. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners is open to inspection at its registered office, One Bishops Square, London E1 6AD. Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
 
 
 
(c) Section :

(d) Section :

(e) : Opinion; and

(f) : Assumptions.
 
1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBSLB, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that:

2.1 UBSLB can, as a matter of applicable UK, English and Welsh law, submit to On-Site Inspection by the SEC. There is no restriction on UBSLB submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBSLB’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in the UK and the ability to provide the SEC with prompt access to Covered Books and Records.
2.2 UBSLB can, as a matter of applicable UK, English and Welsh law, provide the SEC with prompt access to Covered Books and Records held by UBSLB in the UK.²

Data Protection³
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBSLB’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the UK has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBSLB were it to be required by the SEC to make available personal data. We note that these legal restrictions and derogations that UBSLB would rely on when making disclosures to the SEC are the same legal bases and derogations to which the Bank of England would be subject, and on which the regulators have agreed to rely, in the 2021 Memorandum of Understanding between the (i) FCA and Bank of England and (ii) the SEC regarding consultation, cooperation and the exchange of information⁴ (the 2021 MoU).
2.4 We anticipate that the legitimate interests and public interest legal bases for processing are likely to be the most applicable grounds under the UK GDPR and EU GDPR to enable disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. To the extent that UBSLB relies on the public interest legal basis, it will also need to satisfy one of the conditions for processing set out in the DPA 2018.
2.5 Further, we consider that UBSLB could make transfers of personal data to the SEC in the US on the basis of the public interest derogation: we note that UBSLB would need to assess the ability to rely on this derogation in each case.
 
 
 
2 Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption

3 Please refer to section of for definitions of Data Protection Laws, EU GDPR, UK GDPR and the DPA 2018.

4 Available here: https://www.fca.org.uk/publication/mou/sec-fca-boe-mou-2021.pdf.
 
0036335-0000808 UKO1: 2004471715.25
 
Common law duties of confidentiality
2.6 The general duty of confidentiality applies to non-public information held or controlled by UBSLB that relates to any person. The banker’s duty of confidentiality arises due to the nature of the relationship between a banker and their customer (and this duty does not apply to information held or controlled by UBSLB that relates to any person other than its customers). Finally, every employment relationship held by UBSLB contains an implied legal duty of mutual confidence, however, this is very narrow in scope and is unlikely to apply where UBSLB is making disclosures to the SEC in the normal course of its SBS business and in accordance with SEC requirements.
 
2.7 Disclosure with consent, or under another recognised exception, would not amount to a breach of these legal duties.

2.8 These duties of confidentiality will not apply to any information contained in the Covered Books and Records or to On-Site Inspection insofar as information made available to the SEC is owned by or relates to UBSLB itself, rather than by or to UBSLB’s clients or, in the case of the general and employer’s duties only, its staff.

Privacy and Human Rights
2.9 Protection from intrusion into rights of privacy is enshrined in the Human Rights Act 1998 (HRA) which establishes the general right to respect for his private and family life, his home and his correspondence set out in Article 8 of the European Convention on Human Rights in UK law (Article 8).
 
2.10 Actions in respect of Article 8 require a separate cause of action, such as a misuse of private information (or a breach of confidence – in respect of which, see above), in order to be permissible. In certain cases, though we expect these to be limited, legal (rather than natural) persons can benefit from a right to privacy. An action for a misuse of private information requires a reasonable expectation of privacy to exist – this is unlikely where valid consent to disclosure of the relevant information has been given.
2.11 It is permissible to breach Article 8 in specified situations. In summary, the intrusion must not be arbitrary, must be proportionate in respect of a pressing social need, and must be done in pursuit of a legitimate aim. In our view, the disclosure to the SEC of private information contained in Covered Books and Records and that would be made available to the SEC during On-Site Inspections would be permissible for the purposes of Article 8.
2.12 Further, it is not clear that rights of privacy provide any enhancement to the protection afforded under the duties of confidence considered above to those persons on whom information is held by UBSLB, given the nature of the information contained in Covered Books and Records and that would be disclosed to the SEC during On-Site Inspections.

This summary opinion is not a substitute for the full expression of our views set out in
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC of Covered Books and Records held by UBSLB in the UK and On-Site Inspection of UBSLB by the SEC in the UK. This opinion applies equally to remote access from the US to Covered Books and Records held in the UK. This opinion excludes books and records held in the US. Where matters considered in this opinion are not governed by laws applying to the entirety of the UK, this opinion relates solely to matters of English and Welsh law.
 
 
 
 
 
 
 
 
 
3.2 This opinion has been prepared in accordance with UBS’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.
3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:

(a) relate to the US business⁵ of the non-resident SBSD.⁶ These are the records that relate to an SBS that is either:

(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)⁷ (US Person) (other than an SBS conducted through a foreign branch of such US Person⁸); or

(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the US (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;⁹ or

(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.¹⁰
 
3.4 Further to Assumption , this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph . For this opinion, the term “Covered Books and Records” extends to these record types alone.
3.5 This opinion covers data relating to:

(a) SBS transactions concluded between UBS (through its associated persons) and US Person counterparties, insofar as this data is held by UBS (e.g. voice recordings and client communications); and

(b) the activities of the staff of UBSLB pertaining to UBS’ SBS transactions that are also arranged, negotiated, or executed by personnel of UBS located in a US branch or office or by personnel of an agent of UBS located in a US branch or office (irrespective of whether UBS’ counterparty is a US Person or a non-US Person).
3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.
 
5 As defined in 17 CFR §240.3a71-3(a)(8).

6 Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).

7 A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

8 A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).

9 17 CFR § 240.3a71-3(a)(8)(i)(B).

10 The requirement set out in this paragraph does not apply to UBS because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS has a prudential regulator – please see Assumption set out in
 
 
 
3.7 In giving this opinion, we have made the further assumptions set out in .

3.8 No opinion is expressed on matters of fact.
 
3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBSLB staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBSLB offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBSLB also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBSLB may be able to rely on an alternative basis for disclosure (e.g. the public interest exception).
4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules¹¹ require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:

(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;

(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or

(c) impact the ability of the SEC to conduct On-Site Inspections.
4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of England and Wales and the UK (as applicable) in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.
5.2
 
This
 
opinion
 
is
 
not
 
to
 
be
 
disclosed
 
to
 
any
 
person
 
outside
 
of
 
UBS
 
AG’s
 
group
 
or
 
used,
 
circulated,
quoted or otherwise referred to for any other purpose.
 
However, we agree that a copy of this opinion
letter may be disclosed:
 
(a)
 
where
 
disclosure is
 
required
 
or
 
requested
 
by
 
any
 
governmental, banking,
 
taxation
 
or
 
other
regulatory authority or similar body having jurisdiction over
 
UBS AG (including to the SEC
as
 
part
 
of
 
UBS
 
AG’s
 
SBSD
 
registration
 
application) or
 
by
 
the
 
rules
 
of
 
any
 
relevant
 
stock
exchange or pursuant to any applicable law or regulation; and
 
(b)
 
to
 
UBS
 
AG’s
 
affiliates,
 
and
 
any
 
of
 
their
 
officers,
 
directors,
 
employees,
 
auditors,
 
insurers,
reinsurers, insurance brokers and professional advisors (in their capacity as
 
such).
5.3
 
Any such disclosure
 
must be made
 
on the basis
 
that it is
 
for information purposes only,
 
no recipient
may rely
 
on this advice,
 
no client-lawyer relationship between
 
us and the
 
recipient arises following,
11
 
 
17 CFR § 240.15Fb2
-
4(c)(2).
 
 
0036335-0000808 UKO1: 2004471715.25
loukp6i0.gif
 
6
or as a
 
result of,
 
any such
 
disclosure.
 
We assume no duty
 
or liability
 
to any
 
recipient, and
 
any recipient
under paragraph
 
will be subject to the same restrictions on disclosure as set out above.
5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
Yours faithfully,

Allen & Overy LLP
 
ANNEX 1
OPINION
1. DATA PROTECTION
1.1 The General Data Protection Regulation 2016/679 (EU GDPR),[12] the General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 (UK GDPR) and the UK Data Protection Act 2018 (DPA 2018) (together, the Data Protection Laws) will apply to UBSLB’s disclosure of Covered Books and Records to the SEC to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBSLB staff as well as clients.
 
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBSLB’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.
1.3 Key restrictions in the Data Protection Laws relating to UBSLB’s ability to disclose personal data to the SEC are set out below.
Legal basis for the disclosure
1.4 UBSLB requires a legal basis under Article 6 of the EU GDPR and the UK GDPR to disclose personal data to the SEC. Data cannot be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please see section ). Whilst there are a number of Article 6 legal bases on which UBSLB may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBSLB will need to consider the most appropriate legal basis to apply to any given situation.
1.5 The Article 6 legal bases most applicable to UBSLB, together with their respective limitations, are as follows:
(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[13]
(b) Legitimate interests (Article 6(1)(f)): This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBSLB must:
(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;
(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and
(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own. If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBSLB or the third party.
An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBSLB would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

[12] Per Article 71 of the EU-UK Withdrawal Agreement, the EU GDPR remains applicable in the UK following the end on 31 December 2020 of the transition period effecting the UK’s exit from the EU in respect of the processing of personal data of data subjects outside the UK, provided that the personal data: (a) were processed under EU law in the UK before the end of the transition period; or (b) are processed in the UK after the end of the transition period on the basis of the EU-UK Withdrawal Agreement. In particular, EU GDPR applies in the absence of an adequacy decision made by the European Commission in respect of the UK. On 28 June 2021 the European Commission adopted adequacy decisions for the UK, thereby enabling the free-flow of personal data from the EU to the UK. However, for the first time, the adequacy decisions each include a so-called ‘sunset clause’, which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection. During these four years, the European Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.
[13] Please also refer to limitations on the applicability of consent discussed in paragraph of section :
(c) Disclosure is necessary for compliance with a legal obligation to which UBSLB is subject (Article 6(1)(c)): There must be a UK nexus in order for UBSLB to be able to rely on this legal basis. Article 6(3) requires that the legal obligation must be laid down by UK or EU law, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBSLB as the person subject to it.[14] In the context of this legal basis for processing, an SEC request in the absence of a UK legal requirement (e.g. a lawful request from the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) in the exercise of its powers under the Financial Services and Markets Act 2000 (FSMA)) would not justify the disclosure as being necessary for compliance with such an obligation.
We further note that neither the 2021 MoU nor the ICO Letter (as defined and discussed at paragraph of Annex 1, ) create any legally binding obligations.
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): There must be a UK nexus in order for UBSLB to be able to rely on this legal basis. It may be possible to establish a UK nexus, as well as valid public interests, on the basis of recent commentary on international transfers of personal data on public interest grounds contained in a letter from the UK Information Commissioner’s Office (ICO) to the SEC (ICO Letter).[15] See paragraphs and of this Annex. Although the wording of the public interest legal basis in Article 6(1)(e) differs from that in the public interest derogation in Article 49(1)(d) regarding international transfers of personal data (which refers to the transfer being ‘necessary for reasons of public interest’), the ICO’s commentary nevertheless makes it easier for UBSLB to argue that its disclosure of Covered Books and Records satisfies the legal basis of being ‘necessary for the performance of a task carried out in the public interest’. This is because UBSLB’s compliance with the SEC’s request is potentially necessary for the performance of the SEC’s tasks which have a basis in UK as well as US public interests. For example, compliance with SEC rules by SEC regulated UK firms: (i) helps to prevent UK financial crimes from being committed; and (ii) helps to prevent the commission in the US of conduct that would amount to a UK financial crime.[16]
 
 
 
[14] Recital 41 EU GDPR and UK GDPR.
[15] Letter from the ICO to the SEC, dated 11 September 2020.
[16] Letter from the ICO to the SEC, dated 11 September 2020.
 
As with the legitimate interests basis, individuals have the right to object to processing under this public interest basis.[17]
The legitimate interests and public interest legal bases for processing are likely to be the most appropriate Article 6 grounds on which UBSLB could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. However, it is worth noting that the ICO’s letter potentially makes the public interest ground preferable by setting out its view that there are valid public interests for data transfers to the SEC, whereas if UBSLB were to rely on the legitimate interests ground it will still need to undertake a balancing test as outlined above.
1.6 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBSLB might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, for an associated person who is not a US Person.[18] However, to the extent that this does occur, and such information is held by UBSLB, in addition to an Article 6 legal basis, UBSLB will need to establish an additional legal basis for processing under Article 9 of the EU GDPR and the UK GDPR if it discloses special categories of data to the SEC, such as where it is necessary for the establishment, exercise or defence of legal claims, or where necessary for reasons of substantial public interest (such reasons are set out in the Data Protection Act 2018). Other than valid consent,[19] the Article 9 legal bases that are most likely to apply to disclosure of Covered Books and Records are:
(a) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f)); and
(b) processing is necessary for reasons of substantial interest, on the basis of domestic or Member State law (Article 9(2)(g)). To be able to rely on this substantial public interest condition UBSLB would also need to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018, and put in place an appropriate policy document.[20] Of these conditions, those most likely to apply to the disclosure to the SEC are:
(i) Preventing or detecting unlawful acts (paragraph 10(1), Part 2, Schedule 1): This condition (A) applies where the processing is necessary for the purpose of the prevention or detection of an unlawful act or failure to act; (B) must be carried out without the consent of the relevant individual so as not to prejudice those purposes; and (C) is necessary for reasons of substantial public interest.
(ii) Protecting the public against dishonesty etc. (paragraph 11(1), Part 2, Schedule 1): This condition applies where the disclosure: (A) is necessary for the exercise of a protective function; (B) must be carried out without the consent of the relevant individual so as not to prejudice the exercise of that function; and (C) is necessary for reasons of substantial public interest. In this context, ‘protective function’ means a function that is intended to protect members of the public against: (I) dishonesty, malpractice, or other serious improper conduct; (II) unfitness or incompetence; (III) mismanagement in the administration of a body or association; or (IV) failures in services provided by a body or association.
(iii) Regulatory requirements relating to unlawful acts and dishonesty etc. (paragraph 12(1), Part 2, Schedule 1): This condition applies where: (A) the processing is necessary for complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has: (I) committed an unlawful act or failure to act; or (II) been involved in dishonesty, malpractice or other seriously improper conduct; (B) in the circumstances, UBSLB cannot reasonably be expected to obtain the consent of the relevant individual to the processing; and (C) the processing is necessary for reasons of substantial public interest. In this condition, a ‘regulatory requirement’ means (a) a requirement imposed by legislation or by a person in exercise of a function conferred by legislation; or (b) a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.

[17] Article 21(1), EU GDPR and UK GDPR
[18] As we understand is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
[19] Article 9(2)(a) EU GDPR and UK GDPR please also refer to limitations on the applicability of consent discussed in paragraph of section :
[20] Section 10(3), and paragraph 34 of Part 4 to Schedule 1, DPA 2018
1.7 Similarly, UBSLB’s processing of personal data relating to criminal convictions and offences is highly restricted, and can only be disclosed where authorised by one of the conditions in Parts 1, 2 or 3 of Schedule 1 of the DPA 2018.[21] Of these conditions, those most likely to apply to the disclosure to the SEC are:
(a) Legal claims (paragraph 33, Part 3, Schedule 1): This condition is met if the processing is: (i) necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); (ii) necessary for the purpose of obtaining legal advice; or (iii) otherwise necessary for the purpose of establishing, exercising or defending legal rights.
(b) Certain conditions from Part 2 of Schedule 1 (paragraph 36, Part 3, Schedule 1): This condition applies where the disclosure would meet a condition in Part 2 of Schedule 1 but for an express requirement for the processing to be necessary for reasons of substantial public interest. As set out in paragraph of this Annex 1, the Part 2 conditions most likely to apply to UBSLB’s disclosure to the SEC are:
(i) Preventing or detecting unlawful acts (paragraph 10(1), Part 2, Schedule 1).
(ii) Protecting the public against dishonesty etc. (paragraph 11(1), Part 2, Schedule 1).
(iii) Regulatory requirements relating to unlawful acts and dishonesty etc. (paragraph 12(1), Part 2, Schedule 1).
Data protection principles
1.8 In addition to establishing a legal basis for the disclosure, UBSLB would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the EU GDPR and the UK GDPR. For example, UBSLB must:
(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.

[21] Section 10(5) DPA 2018.
1.9 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBSLB to verify this and implement its own compliance measures.
International transfers
1.10 The general principle in the EU GDPR and the UK GDPR is that UBSLB may not transfer personal data to a jurisdiction outside the European Economic Area, or the UK, unless it can satisfy a condition for the transfer as set out in Chapter V of those Data Protection Laws.
 
1.11 Article 45 of the UK GDPR allows for UBSLB to transfer personal data to the US where the transfer is based on adequacy regulations pursuant to section 17A of the DPA 2018. However, the UK has not passed adequacy regulations pursuant to that section that designate the US as providing adequate protections for personal data. Additional steps would therefore be required where personal data is to be sent to the US, or the SEC could access documents held in the UK from the US. The two primary options available to UBSLB are as follows:
(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US[22] is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available under UK GDPR for facilitating UBSLB’s transfer of personal data contained in Covered Books and Records to the SEC. These derogations include consent, public interest and legitimate interests.[23]
The ICO Letter suggests that the most appropriate derogation may be that the transfer is strictly necessary for important reasons of public interest. It explains that there is a UK nexus because: (i) the SEC rules help to prevent UK financial crimes being committed; (ii) Principle 11 of the FCA Handbook requires FCA-regulated firms to deal with regulators worldwide in an open and cooperative way; and (iii) the SEC rules help to prevent the commission in the US of conduct that would amount to a UK financial crime. However, the ICO Letter should not be considered a blanket approval for UBSLB to transfer data to the SEC under this basis. The ICO makes clear that derogations should not be relied on for making transfers “on a large scale and in a systematic manner”, and their use must be considered on a case-by-case basis, with UBSLB keeping records of the transfers that evidence the careful analysis that led them to rely on the derogation. UBSLB must ensure that the transfer is strictly necessary by establishing that there are ‘precise and particularly solid justifications’ for the transfer. As discussed above, UBSLB must also ensure it applies the ‘necessary and proportionate’ test to ensure that only the data necessary for the SEC’s purposes is transferred.
(b) FCA route: In certain situations, for example where UBSLB considers the transfer of data to the US to be high risk, it may be possible to arrange for the disclosure to be made to the FCA, which could then transfer the data to the SEC in the US. The FCA and SEC have an administrative arrangement to govern the transfer of personal data between the two regulators, which aims to comply with UK GDPR principles, and this route would avoid UBSLB being responsible for ensuring the international transfer was fully compliant with the UK GDPR.
[22] These SCCs remain valid for transfers from the UK to non-adequate jurisdictions following Brexit.
[23] Article 49(1) UK GDPR at paragraphs (a), (d) and (f), respectively.
 
1.12 The 2021 MoU notes that the UK regulators are also subject to the restrictions of the UK GDPR when transferring personal data to the SEC, or allowing the SEC to access documents held in the UK from the US.[24] At paragraph 25 of the 2021 MoU it is stated that “transfer, onward transfer, processing or sharing of personal data between the FCA and the SEC will be carried out under the terms of the Administrative Arrangement for the transfer of personal data between the SEC and the FCA”. In the absence of such an agreement between the PRA and the SEC, it is stated in the 2021 MoU that where personal data is being transferred to the SEC by the PRA, such transfer will be made “in reliance on appropriate safeguards or derogations (e.g., where the transfer of personal data is necessary for important reasons of public interest).”[25] As such, the limitations noted in paragraph apply equally to the Bank of England and to UBSLB when transferring personal data to the SEC.
 
2. COMMON LAW DUTIES OF CONFIDENTIALITY
2.1 The general, banker’s and employer’s duties of confidentiality are distinct duties. However, the case law on each duty informs the approach to the other, with the banker’s and employer’s duties existing in acknowledgement of the specific circumstances that arise as between a bank and its customers or employees (respectively). Given the common law position on these duties is largely aligned, these are dealt with together here.
2.2 Where Covered Books and Records do not contain any relevant forms of information, and it is likely that many aspects of the information required will not (e.g. transaction data such as volumes and prices), these duties of confidentiality will not apply.
Scope of duties
2.3 The leading case on the common law duty of confidentiality is Coco v A Clark (Engineers) Ltd [1968] F.S.R. 415. This case established that to be protected under the common law of confidentiality, two requirements must be met. Firstly, the information must have the “necessary quality of confidence”.[26] Secondly, the information must have been given in a situation which imposed an obligation of confidence.
(a) The necessary quality of confidence is negatively defined as information which is not “public property and public knowledge”.[27] As the information contained in the Covered Books and Records is not publicly available, it will likely possess this necessary quality of confidence insofar as that information relates to UBSLB’s clients or staff and is not information owned by or relating to UBSLB itself.
(b) To be protected under the common law duty of confidentiality, the information must have been communicated in a situation where an obligation of confidence was either expressly or impliedly imposed.[28] The court will consider whether the recipient of the information knew, or ought to have known, that there was a duty of confidentiality attached to that information. This duty of confidentiality can be imposed by contract, implied by the circumstances of the disclosure, or implied by a special relationship of the parties.
(c) Where, and to the extent that, the Covered Books and Records concern either customer information or employee information, this would likely satisfy the requirement that the Recipient, in this case being UBSLB, knew or ought to have known that the information was to be treated confidentially.
 
 
 
[24] Paragraph 25(a) of the 2021 MoU.
[25] Paragraph 25(b) of the 2021 MoU
[26] Megarry J in the Coco v AN Clark (Engineers) Ltd judgement at 419 used the formulation first used by Lord Greene, M.R. in Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1948] 65 RPC 203, [1963] 3 All ER 413.
[27] Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1948] 65 RPC 203, [1963] 3 All ER 413 at 415.
[28] Megarry J in Coco v AN Clark (Engineers) Ltd judgement at 420.
 
2.4 The common law banker’s duty of confidence, established by Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 (Tournier), is one such instance where a special relationship exists between the parties. Under this duty of confidence, banks, such as UBSLB, must keep their customers’ affairs private – in this respect the general duty is broader than the banker’s duty as the general duty extends to benefit others, such as UBSLB’s staff.
(a) The scope of the duty is wide – as Atkin LJ outlined in the judgement:
It [the duty of confidentiality] clearly goes beyond the state of the account, that is, whether there is a debit or credit balance, and the amount of the balance. It must extend at least to all the transactions that go through the account, and to the securities, if any, given in respect of the account[29]
(b) The temporal scope of the banker’s duty is also wide. Atkin LJ judged that the banker’s duty of confidentiality “extend[s] beyond the point when the account is closed, or cease[s] to be an active account”,[30] and this duty also extends to cover disclosures from one banking entity to another within the same corporate group.[31]
 
2.5 Whilst an employer’s duty of confidence under common law does exist,[32] it is very limited: UBSLB will only be restricted in its use of information held in relation to its employees “where there is no reasonable and proper cause for the employer[’]s conduct and only then if the conduct is calculated to destroy or seriously damage the relationship of trust and confidence.”[33]
2.6 No distinction is drawn in the case law on either of the general or banker’s duties regarding the nature of the person to whom the duty is owed – i.e. a natural or a legal person – and so we consider that the duties apply equally to any person irrespective of their legal status. The employer’s duty can clearly be owed only to a natural person.
Unauthorised disclosure
2.7 A successful claim for breach of confidentiality must demonstrate that there has been an unauthorised use of confidential information to the detriment of the Rights Holder.[34]
2.8 For those Covered Books and Records that contain customer information, which is unlikely to include all Covered Books and Records, these duties of confidentiality will apply and so UBSLB will only be able to disclose Covered Books and Records containing confidential information in un-redacted form where one of the exceptions below is met.
2.9 Tournier established four exceptions to the banker’s duty of confidentiality,[35] the first three of which apply equally to the general and employer’s duties of confidentiality:
(a) where the disclosure is made by the express or implied consent of the customer;[36]
(b) under compulsion of law;
(c) where the disclosure is in the public interest; or
(d) for the banker’s duty of confidentiality only, where it is in the interests of the bank to make disclosure.

[29] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
[30] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
[31] Bank of Tokyo Ltd v Karoon [1987] 1 AC 45 at 54.
[32] Prout v British Gas Plc and Another [1992] F.S.R. 478 at 482.
[33] Malik v Bank of Credit and Commerce International SA [1998] A.C 20 at 53.
[34] Megarry J in Coco v A Clark (Engineers) Ltd [1968] F.S.R. 415 at 421.
[35] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473.
[36] For the general duty of confidentiality: This was confirmed by Arnold J in Primary Group (UK) Ltd v The Royal Bank of Scotland Plc [2014] R.P.C. 26 at 246.
Consent
2.10 Disclosure of confidential information is permissible where the Rights Holder[37] has given their consent to the disclosure of their confidential information[38] (though limitations apply to the validity of consent that can be provided by an employee, as described in paragraph of section : ).[39]
 
Compulsion of law
2.11 Information that would otherwise be confidential may be disclosed when required by a statutory provision[40] or court order.[41]
 
2.12 To satisfy this compulsion of law exception it is likely that UBSLB would have to rely on UK statute – a provision of US law, such as an SEC Rule, is unlikely to be sufficient for this purpose.[42]

(a) Whilst there are numerous statutory provisions that require the disclosure of information that would otherwise be confidential,[43] none applies directly to this situation.

(b) UBSLB is obliged to comply with the FCA’s and PRA’s general rules, as set out in the FCA Handbook and PRA Rulebook,[44] and these include the FCA’s Principle 11 and the PRA’s Fundamental Rule 7, which require UBSLB to “deal with its regulators in an open and cooperative way...”. This requirement includes disclosure to overseas regulators such as the SEC.[45] However, there are specific powers available to the FCA and PRA to oblige UBSLB to provide confidential information, such as the power under s175(5) FSMA. As this power applies equally to investigations conducted by the FCA and/or PRA on its/their own behalf as to investigations conducted in support of a foreign regulator, such as the SEC, it is not clearly arguable that it is necessary to read Principle 11 and Fundamental Rule 7 more broadly for the purposes of disclosures to the SEC than it is read for disclosures to the FCA and PRA. Therefore, we do not consider that Principle 11 and Fundamental Rule 7 can be relied upon to override legal duties of confidentiality.

[37] Where the banker’s duty of confidentiality applies this will be the customer.

[38] Due to the overlap between bank confidentiality and data protection laws (as discussed in paragraph ), it would be advisable to clarify when obtaining consent that another, separate, legal basis applied to the processing of the personal data under data protection laws.

[39] Whilst it is possible to rely on implied consent, there is likely to be a high bar to meet in order to do so. In Turner v Royal Bank of Scotland Plc [1999] 2 All E.R, regarding the banker’s duty of confidentiality, it was decided that established market practice of sharing of customer information between banks (which practice was generally known only to the banks themselves) did not amount to implied consent of the customer as this practice was not known by the customer. To amount to implied consent, the practice under which disclosure is made must be “notorious, certain and reasonable” (Turner v Royal Bank of Scotland Plc [1999] 2 All E.R 664 at 670, Sir Richard Scott VC quoting from Chitty on Contracts (27th edn, 1994), vol I, para 13-014.) The practice of sharing information with local regulators in order to enable banking business to be conducted within the relevant local jurisdiction is, in our experience, well established such that it might be considered “notorious, certain and reasonable”. In this context, it is possible that much of the information contained in the Covered Books and Records would be information of a sort that customers (and particularly more sophisticated customers of the kind that would normally be offered services by UBSLB in respect of SBSs) may expect would be shared with the SEC. In part, the ability to rely on implied consent will depend on the information provided to customers when UBSLB provides services in SBSs. If no information about the jurisdiction or regulators involved is provided then UBSLB would rely on the customer’s own understanding of regulatory obligations on banks, the US nexus and the SEC’s role in these services. Conversely, if customers are informed that UBSLB’s activity in SBSs is conducted on a cross-border basis into the US and is subject to oversight by the SEC then the ability to rely on implied consent increases. Similarly, if customers are informed that detailed information on all aspects of UBSLB’s activity in SBSs is subject to examination by the SEC then the ability to rely on implied consent increases further still.

[40] See the example given by Bankes LJ in Tournier v National Provincial & Union Bank [1924] 1 K.B 461 at 473 of the Bankers’ Books Evidence Act 1879.

[41] For the general duty of confidentiality: E.g. a subpoena duces tecum issued by an English court, as confirmed in Loyd v Freshfield and Kaye, Gents. Two, &c (1826) 172 E.R. 147 at 329. For the banker’s duty of confidentiality: X AG and others v A bank [1983] 2 All ER at 475.

[42] We are not aware of any case law dealing with whether foreign statute can satisfy the compulsion of law exception. In A and Others v B Bank (Governor and Company of the Bank of England intervening) [1992] 3 WLR 705 it was held that there would be no breach of confidentiality where disclosure was ordered by a United Kingdom regulator (in this case the Bank of England) who would then pass the information over to a foreign regulator, in this case the US Federal Reserve Board. However, the judgement emphasised it was the United Kingdom regulator’s compelling power under the Banking Act 1987, not that of the US Federal Reserve Board, which was decisive. Whilst this case applies to the banker’s duty of confidentiality, it is also of relevance to the general duty of confidentiality.

[43] For example under s.175(5)(d) of the FSMA, by virtue of which a person owing a banker’s duty of confidentiality may be compelled to disclose confidential information when a specific requirement is imposed on the Recipient by an investigating authority to disclose the information. Additionally, under s.330 of the Proceeds of Crime Act 2002 it is an offence for someone in the regulated sector to disclose knowledge or suspicion of money laundering activities. A banker who suspected or became aware of a customer’s money laundering activities, although owing their customer a duty of confidentiality by virtue of their relationship to the customer, would be compelled by this to disclose. Disclosure in this circumstance would be an authorised use and as such would not constitute a breach of confidence.

[44] These are rules published by the FCA in the exercise of its power under section 137A (for the FCA) and 137G (for the PRA) of FSMA and enforceable by the FCA and PRA, respectively, pursuant to Part XIV of FSMA.

[45] Principles for Business section of the FCA Handbook at 1.1.6G.
 
2.13 Equally, a US court order is also unlikely to be sufficient for this purpose: it was held in X AG and others v A bank [1983] 2 All ER at 475 that a subpoena requiring disclosure issued by a foreign court did not qualify as compulsion by law on the basis that “[t]he fact is that confidentiality is not rendered illegal by a subpoena requiring disclosure, which is to be contrasted with some form of legislation to that end”.[46]

2.14 Finally, as the 2021 MoU lacks the authority of statute, it is very unlikely to meet this exception and should not be relied upon by UBSLB (though it retains relevance in the context of the public interest exception – please see paragraphs to ).
Public interest
2.15 Determining whether the public interest exception applies requires a balance to be struck between the rights of the Rights Holders and the public interest in the SEC obtaining that information.[47] The test to be applied when considering whether confidentiality should be breached in favour of freedom of expression is whether, in all the circumstances, it is in the public interest that the duty of confidence should be breached.[48]

2.16 Disclosure in the public interest has been narrowly construed by the English courts, and the burden is for UBSLB to justify disclosure of confidential information[49] (rather than for e.g. a customer to justify continued confidentiality). The general position is that voluntary disclosure, including in relation to disclosures to the police in respect of suspicions of criminal activity, would breach the duty of confidence other than as permitted under statute,[50] indicating that there is a high bar to be met when arguing that a disclosure was made lawfully in pursuit of a greater public interest. Bankes LJ suggested in Tournier that national security concerns would meet this criterion,[51] while Atkin LJ gave the example of disclosure in the interest of preventing fraud or crime.[52]

2.17 However, there is well established precedent for public interest in effective regulation and supervision of banking institutions outweighing the public interest in maintaining confidentiality even in the absence of statutory authority.[53] This arguably is a continuation of Atkin LJ’s example in Tournier regarding the prevention of fraud or crime. In such cases, the weight of the claim for disclosure is greater when considering limited disclosure, such as to a relevant authority acting under its own duties of confidence, as opposed to public dissemination of information.[54]
 
 
 
[46] In both X AG and others v A Bank [1983] All ER 464 and in A v B Bank Unreported, 13 August 1990 (see Hirst J’s judgment in the subsequent case of A and Others v B Bank (Governor and Company of the Bank of England intervening) [1992] 3 WLR 705). Whilst these are banker’s duty of confidentiality cases they are of more general application. For the general duty of confidentiality: E.g. a subpoena duces tecum issued by an English court, as confirmed in Loyd v Freshfield and Kaye, Gents. Two, &c (1826) 172 E.R. 147 at 329.

[47] AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 268.

[48] Prince of Wales v Associated Newspapers Ltd (CA) [2007] 3 WLR at 68. In the context of that case, it is relevant that the test is not simply whether the information is a matter of public interest, as, unlike disclosure to the SEC, that case involves public dissemination of information.

[49] Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 597.

[50] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 474.

[51] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473 where Bankes LJ quotes Lord Finlay’s judgement in Weld-Blundell v Stephens [1920] A.C. 956 at 965 where “danger to the state” was given as an example where an exception could be made to the duty of confidentiality.

[52] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 486.

[53] Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 596 and 601.

[54] AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 268.
 
 
2.18 That there is a public interest in banks making adequate disclosures to foreign regulators is reflected in the FCA’s Principle 11 and the PRA’s Fundamental Rule 7, requiring UBSLB to “deal with its regulators in an open and cooperative way...” which, as noted above, cover disclosure to overseas regulators such as the SEC.[55] Further evidence for this public interest is found in the existence of the 2021 MoU, which relates to the sharing of information such as that contained in the Covered Books and Records, and On-Site Inspections, in recognition of the public interest in such information exchanges, as described at paragraph 25 thereof.

2.19 In an example of the application of this principle in the context of bank confidentiality, it has been held that compliance with a foreign subpoena could occur without breaching the duty of confidentiality on the basis of the public interest exception.[56] This stands in contrast to the exception for compulsion of law, as discussed above.

2.20 It is assumed that disclosure to the SEC is solely in furtherance of the SEC’s supervisory mandate. In itself, on the basis of the points above, we consider that this would likely be sufficient to establish a public interest in disclosure, given the public interest in enabling effective supervision of financial services business, including SBS business. We further understand that such disclosure to the SEC is, at least in part and/or for certain types of records, for the purposes of preventing fraud or crime (e.g. records relating to transactions and persons involved in transactions), further supporting this view.

2.21 Additionally, there is close alignment in the intention of this exception and the public interest derogation established under Article 49(1)(d) of the UK GDPR as both essentially require a balancing exercise as regards competing duties.[57] Whilst there is limited recent case law on the banker’s duty of confidentiality, we anticipate that an English court would follow a similar approach when addressing these duties of confidentiality and the protection of personal data.

2.22 Therefore, for the reasons set out here and at regarding the application of that derogation under the UK GDPR in the context of the UK public interest in ensuring effective regulation is achieved in other jurisdictions, we anticipate UBSLB would be able to rely on this exception to the duties of confidence in permitting the SEC to access its Covered Books and Records and to conduct On-Site Inspection of UBSLB.
 
In the interests of the bank
2.23 In limited cases, disclosure of confidential information that is subject to the banker’s duty of confidentiality may be permissible where it is in the interests of the bank. This exception does not apply to information that is subject to the general duty of confidentiality. However, we consider that this exception is available to information that is subject to both such duties, leaving only information that does not relate to customers (e.g. information relating to staff) beyond the scope of this exception.

2.24 It is clearly in the interests of UBSLB to comply with the SEC’s requests. However, the majority of case law on this exception points to there being a high bar to meet.
 
2.25 In X AG and others v A Bank [1983] All ER 464 it was held that a bank could not comply with a subpoena from a New York court without breaching its duty of confidentiality. However, in considering arguments based on the banker’s own interest, Leggatt J judged that it was not clearly in the bank’s own interests to comply with the subpoena, as the bank would not, as a matter of fact in that particular case, face any serious detriment for its failure to comply.[58] In contrast, Bankes LJ gave the example in Tournier of a bank commencing an action against a customer where the customer’s overdraft is in arrears, acknowledging that, in that situation, the banker would be able to disclose the amount of the overdraft in its claim. These cases suggest that the bank’s own interest exception will be construed narrowly and the court will take a view on whether the bank’s own interests are genuinely threatened by non-disclosure. In the context of requests by the SEC, it is assumed that failure to comply could result in enforcement action and potentially even the cessation of UBSLB’s ability to conduct SBS business in US markets. Accordingly, it is expected that UBSLB may face serious detriment for a failure to comply with the SEC’s demands, and so this exception may be available to UBSLB.

2.26 However, to rely on this exception, UBSLB must balance its interests in complying with the SEC’s disclosure request against the competing interest of its customers in the banker’s duty of confidence being maintained, and UBSLB must satisfy itself that those interests do not outweigh its own. This would need to be assessed on a case-by-case basis. Due to the differing circumstances of each customer, this exception is perhaps less likely to provide a consistent basis on which to provide information to the SEC than the public interest exception considered above.

[55] Principles for Business section of the FCA Handbook at 1.1.6G.

[56] Pharaon v Bank of Credit and Commerce International SA [1998] 4 All E.R. 455, a banker’s duty of confidentiality case, which is also applicable to the general duty of confidentiality.

[57] As for the balancing approach to confidentiality claims: X AG v A Bank [1983] 2 All ER 464 at 478.

[58] X AG and others v A bank [1983] 2 All ER at 475.

3. PRIVACY AND HUMAN RIGHTS
Misuse of private information
3.1 Where Covered Books and Records do not contain, and On-Site Inspection would not reveal, any relevant forms of information, an action for misuse of private information will not be able to prevent the sharing of information with the SEC. Considering the nature of the Covered Books and Records (e.g. transaction data such as volumes and prices), and the focus of actions for misuse of private information (as explained below), it is likely that many, and perhaps most, aspects of information disclosed to the SEC required will not fall within scope of this action.

3.2 There is no stand-alone basis to bring a claim for ‘invasion of privacy’ under English law.[59] However, since 2004, the English courts have recognised a cause of action for ‘misuse of private information’.[60] This addresses a different component of privacy to the protection of confidentiality (which relates to the secrecy of private information), namely the prevention of intrusion into an individual's privacy.[61]

(a) An action for misuse of private information extends the law regarding a breach of confidence as it does not require that the information is confidential[62] as such an action can relate to information that is to some extent already in the public domain.[63]

(b) An action for misuse of private information can be brought where the information is private (i.e. the person in question had a reasonable expectation of privacy)[64] and that privacy has been breached. It is not necessary that the disclosure of private information is conducted with an intention of dishonesty, malice, or bad faith.[65] Further, a reasonable expectation of privacy is very unlikely to exist where valid consent to disclosure of the relevant information has been given.[66]
 
3.3 In the context of the SEC’s ability to access Covered Books and Records and to conduct On-Site Inspections of UBSLB, it is anticipated that most information that would be subject to such exercises and which relates to a person other than UBSLB would properly fall to be addressed by an action in confidence regarding secret information rather than an action in misuse of private information. Information that is both confidential and private will be subject to the restrictions on confidential and the restrictions on private information. Please see section regarding the ability of UBSLB to share confidential information with the SEC.

3.4 In essence, an action for misuse of private information seeks to establish a right of action that gives effect to the right to privacy enshrined in Article 8 of the European Convention on Human Rights. Therefore, to the extent that the ability of UBSLB to share information with the SEC would be restricted by a right to privacy, beyond duties of confidence, please refer to the below regarding the right to privacy.

[59] Wainwright v Home Office [2003] A.C. 4.6 at 424.
[60] Campbell v MGN [2004] 2 A.C. 457 at 464.
[61] PJS v News Group Newspapers Ltd [2016] A.C. 1081 at 1108.
[62] As is required to establish a case in confidence AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 282.
[63] PJS v News Group Newspapers Ltd [2016] A.C. 1081 at 1100.
[64] Campbell v MGN [2004] 2 A.C. 457 at 466.
[65] Duchess of Sussex v Associated Newspapers Ltd [2020] E.M.L.R. 21 at 423.
[66] Murray v Express Newspapers plc and another [2009] Ch. 481 at 501.

Right to privacy
Scope
3.5 Article 8 of the European Convention on Human Rights confers a general right to “respect for his private and family life, his home and his correspondence” (Article 8). This right is established in UK law pursuant to section 1(2) of the Human Rights Act 1998 (HRA). Sections 6(1) and (3) HRA establish that a UK court cannot act in a way that is incompatible with Article 8 (and other rights under the European Convention on Human Rights). The effect of this is that a court must take Article 8 into account, even if the action is one among private parties.[67]

3.6 However, Article 8 of the Convention does not in itself give rise to a free-standing cause of action;[68] instead, an action in misuse of private information, a breach of confidence or other legal obligation, such as under the UK GDPR, must be brought, and the court will then be obliged to consider the application of Article 8.

3.7 Rights of privacy clearly apply to natural persons. In certain situations, but not as yet under the HRA, legal persons have been held to benefit from a right to privacy.

3.8 Companies have been held to enjoy privacy rights in certain situations. For example, in R v Broadcasting Standards Commission ex parte British Broadcasting Corporation [2000] 3 All ER 989, which related to a complaint under the Broadcasting Act 1996 regarding infringement of privacy made against the BBC by a company, the Court of Appeal held that companies, as well as individuals, are entitled to protection from unwarranted infringement of their privacy under that Act. Although the case arose prior to the implementation of the HRA, the European Convention on Human Rights was taken into account. Furthermore, the European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8.[69]

3.9 However, we anticipate that the courts will be slow to apply Article 8 considerations to businesses other than as a last resort. This is in part because businesses are more likely than natural persons to have the means to maintain their privacy and in part because of the likelihood that actions under duties of confidence will provide adequate protection.

Application and exceptions
3.10 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:

(a) in accordance with the law;

(b) necessary in a democratic society; and

(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).

3.11 For the reasons set out below, we consider that each criterion is likely to be met in respect of the provision of information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections.

(a) In accordance with the law

(i) This criterion is intended to prevent arbitrary intrusion into private life.

(ii) This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is statute or common law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[70]

(iii) As the HRA provides that Article 8 must be applied by the courts, rather than taking direct effect against UBSLB itself, the relevant consideration is the legal basis on which the court would allow Article 8 to be breached.

(iv) Regarding the first aspect, UBSLB is obliged to comply with the FCA’s general rules, which are set out in the FCA Handbook.[71] These include the FCA’s Principle 11, which obliges UBSLB to “deal with its regulators in an open and cooperative way...”. It is noted in the FCA’s related guidance that this includes overseas regulators such as the SEC.[72] The PRA’s Fundamental Rule 7 also creates a parallel and equivalent obligation on UBSLB[73] and it is considered that these regulatory requirements extend to covering private information.[74] As a result, in permitting disclosure to the SEC, the court would be acting in support of UBSLB’s legal obligations under FCA and PRA rules, giving the court’s actions a basis in domestic law.

(v) The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant duty of confidence with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.

(b) Necessary in a democratic society

(i) This criterion is intended to ensure the proportionality of an intrusion into private life.

(ii) To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.[75] As regards each, please refer to paragraphs to which set out the basis on which there is a need to provide in-scope information to the SEC in the context of UBSLB’s conduct of SBS business.

(c) In pursuit of a legitimate aim

(i) This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.

(ii) We are not aware of any case law regarding this criterion which is directly or comparably applicable in this context. However, we consider that it is reasonable, given the purpose for which the SEC seeks information from UBSLB, to conclude that legitimate aims are established in the prevention of disorder or crime (such as money laundering) and even, in more extreme cases (e.g. where information is used for counter-terrorist financing purposes), for national security reasons.[76]

[67] Campbell v MGN [2004] 2 A.C. 457 at 465.

[68] Venables and another v News Group Newspapers Ltd and others [2001] EWHC QB 32 [2001] 2 W.L.R. 1038 at 446.

[69] Firma EDV Für Sie, EFS Elecktronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.

[70] Malone v UK [1984] ECHR 10 at 68.

[71] These are rules published by the FCA in the exercise of its power under section 137A of FSMA and enforceable by the FCA pursuant to Part XIV of FSMA.

[72] Principles for Business section of the FCA Handbook at 1.1.6G.

[73] The PRA Rulebook is established in the exercise of its power under section 137G of FSMA and enforceable by the PRA pursuant to Part XIV of FSMA.

[74] Unlike the application of these regulatory requirements to confidential information (per paragraph ), there are no specific powers available to the FCA and PRA to oblige UBSLB to provide them with private (as opposed to confidential) information in furtherance of investigations conducted by the FCA and/or PRA (including investigations conducted in support of a foreign regulator, such as the SEC) and so no similar limit is implied into the scope of the requirements under Principle 11 and Fundamental Rule 7.

[75] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.

[76] It could also arguably be for the purpose of the economic well-being of the UK, insofar as enabling trading activity in SBSs in US markets has such a benefit, though this is likely too limited a benefit to be sufficient to meet this criterion.
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1.
 
UBS AG, including UBSLB,
 
has a “prudential regulator”
 
as defined by Section
 
3 of the US
 
Securities
Exchange Act
 
of
 
1934 (the
Securities
 
Exchange Act
).
 
As
 
such,
 
the
 
Covered Books
 
and
 
Records
considered in
 
this opinion
 
are limited
 
to what
 
a prudentially
 
regulated SBSD
 
must be
 
able to
 
share
with the SEC.
 
2.
 
Additionally, in accordance with SEC Guidance at
 
85 FR 6297, books and records pertaining to SBS
transactions entered into prior to
 
the date that UBSLB
 
submits an application for registration
 
are not
Covered Books and Records.
 
3.
 
Where transfers of
 
personal data are
 
made to the
 
SEC in the
 
absence of an
 
adequacy determination,
and
 
in
 
alignment with
 
the
 
view
 
expressed in
 
the
 
ICO Letter,
 
such
 
disclosure will
 
be
 
necessary for
important
 
reasons of public
 
interest. Such disclosure
 
will be made
 
in compliance with
 
Articles 44
et
seq
 
of the UK GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance
with the
 
principle of
 
data minimisation,
 
e.g. by
 
applying less
 
intrusive processing
 
activities such
 
as
redaction).
4. UBSLB has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBSLB, such employees are “associated persons” of UBS for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
 
5. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
6. Similarly, UBSLB will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR and the UK GDPR.[77] We understand that UBSLB’s general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBSLB can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the ICO) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[78]
 
7. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the GDPR (as described in paragraph of to this opinion). We understand that this aligns with UBSLB’s general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the ICO).[79]

[77] These principles are set out in at paragraph

[78] See the SEC Guidance at 85 FR 6298.
 
8. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[80] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.

9. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.

[79] See the SEC Guidance at 85 FR 6298. This assumption also aligns with the information that we understand was provided by the SEC to the ICO per page 2 of the ICO Letter.

[80] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
 

 

 

 

Summary of Changes

 

-Sabine Keller Busse stepped down from her role as Chief Operating Officer and is no longer a principal.

-A supplemental response to Item 13A was added to describe our relationship to our outside auditor, Ernst & Young.

-Form 7R was filed with all amendments.




 

 

 

Supplemental Response to Question 13A

 

Ernst & Young acts as our outside auditor and has access to UBS books and records in that capacity.




Attachment: form7rfinal.pdf