1

 

UBS AG London Branch

5 Broadgate

London

EC2M 2QS

Allen & Overy LLP

52, avenue Hoche

75379 Paris Cedex 08

Tel

+33

(0)1 40 06 54 00

Fax

+33 (0)1 40 06 54 54

Our ref

0036335

-

0000808

29 October

2021

Dear Sir or Madam

 

UBS SEC registration as a non-resident security-based swap dealer

 

1.

 

BACKGROUND

1.1

 

We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United

States (

US

) Securities andExchange Commission (

SEC

) as a non-residentsecurity-based swap (

SBS

)

dealer (

SBSD

).

1.2

 

To register as an SBSD with the SEC, a non-resident SBSD

1

such as UBS AG must attach an opinion

of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, asa matter of law:

(a)

 

provide theSEC withprompt accessto therelevant booksand recordsas definedin paragraphs

3.3 to 3.5 (

Covered Books and Records

); and

(b)

 

submit to on-siteinspection and examinationof its CoveredBooks and Records bythe SEC

(

On-Site Inspection

).

1.3

 

UBS EuropeSE FRis a branchof UBSEurope SE incorporatedin Germany andauthorized toprovide

services in Germany and France (among other jurisdictions).

Weunderstand that French Branchof UBS EuropeSE (

UBS ESE FR

) and respectively“associated

persons”

2

employed by it are effecting SBS Transactions in the name and for the account of UBS AG

(

SBS Transactions

). TheseSBS Transactions,being enteredinto withUBS AG,are bookedwith UBS

AG, London Branch, and the underlying relevant clients are clientsof UBS AG, London Branch.

Accordingly,UBS ESEFR willmaintain certainCovered Booksand RecordsinUBS ESEFRon

behalf of UBS AG.

Given that UBSESE FR isacting in thename and forthe account ofUBS AG, UBSESE FR andUBS

AGhaveagreedthatinthecontextofUBSAG’sbusinessasanSBSD,theCoveredBooksand

Records in relationto the SBS Transactions willbe shared with UBSAG, London Branch,in London,

in particular for group-risk management purposes.

1.4

 

Youhave asked us to issue an opinion affirming thatunder applicable French law, UBS ESE FRcan

share withand makeavailable toUBS AG,London Branchthe CoveredBooks andRecords inrelation

totheSBSTransactions,suchthatthisinformationwillbeheldbyUBSAG,LondonBranch,in

London.

1

 

 

In the case of a corporation, an SBSD will be “non

-

resident” if it is incorporated

 

in or has its principal place of business in any place not in

the United States (see 17 Code of Federal Regulations (

CFR

) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG

fulfils this definition of a “non-resident” SBSD.

2

 

 

We do

not give any views regarding this assumption.

 

 

 

2

 

1.5

 

This opinion is structured as follows:

(a)

 

Section 2:Summary of opinion;

(b)

 

Section 3:Scope, assumptions and qualifications;

(c)

 

Section 4:Revisions to applicable law;

(d)

 

Section 5:Reliance and confidentiality;

(e)

 

Annex 1: Opinion; and

(f)

 

Annex 2: Assumptions.

2.

 

SUMMARY OF OPINION

2.1

 

Subjecttotheassumptions andqualifications below,itisouropinion thatUBS ESEFRcan, asa

matter of applicableFrench law, share with andmake available tothe London Branchof UBS AG,the

Covered Books and Records in relation to the SBS Transactions.

Data Protection

3

 

2.2

 

Disclosure of personaldata (particularly specialcategories of dataor criminal data)relating to UBS

ESE FR’scounterparties and staffare subject tocertain restrictions under theData Protection Laws,

particularly where it involves a cross-border transfer to a country or territory the EU has not found to

have an ‘adequate’ dataprotection regime (bearing inmind that theUK has now beenrecognised as

being an ‘adequate’territory for thetransfer of personaldata). In addition,there are certainlegal bases

for making disclosures, and derogations from the prohibitionon international transfers that would be

available to UBSESE FR, shouldUBS AG, LondonBranch require UBSESE FR todisclose Covered

BooksandRecordscontainingpersonaldatatoUBSAGLondonBranchforthepurposesofrisk

management.

2.3

 

Our viewis thatthe ‘legitimateinterests’ legalbasis forprocessing personaldata wouldprovide an

applicable groundunder theEU GDPR,to enablethe disclosureof CoveredBooks andRecords to

UBS AG London Branch for the purpose of risk management.

Secrecy Rules

2.4

 

Article L. 511-33

et seq

. of theFrench Monetary andFinancial Code (the

MFC

) govern thedisclosure

by acredit institution,

inter alia

, ofconfidential informationregarding anyexisting orformer customer

(the

Secrecy Rules

).

2.5

 

TheSecrecyRulesnotablyapplytobranchesofcreditinstitutionsoperatinginFranceundera

European passport, such as UBS ESE FR.

2.6

 

Information protected under the Secrecy Rules generally includes any information received bycredit

institutions in the course of their activities, provided that such information is sufficiently confidential

andspecific.ThescopeoftheSecrecyRulesisbroadandincludesanyinformationrelatedtoa

customer, including their name andany details regardingtheir assets, debts,transactions or operations

carried out on their account (even transactions contemplated but not executed).

2.7

 

French lawprovides fora fewexceptions tothe SecrecyRules, includingfor riskmanagement and

consolidated supervision purposesof institutions establishedin France, inthe event ofa written and

case-specific waiver from the customeror of a request from Frenchcriminal or regulatory authorities.

3

 

 

Please refer to section

of

for definitions of Data Protection Laws, EU GDPR,and the French Data Protection Act.

 

 

3

 

2.8

 

Failing anysuch exceptions,breaches oftheSecrecy Rulescould resultincriminal andregulatory

sanctions and trigger risks of civil litigation.

2.9

 

We consider that Secrecy Rules do not prevent UBS ESE FRfrom sharing with and making available

to theLondon branchof UBSAG, theCovered Booksand Recordsin relationto theSBS Transactions.

Blocking Statute

2.10

 

The FrenchStatute No.68-678 dated26 July1968, asamended, governsthe request,search foror

disclosure of information of aneconomic, commercial, industrial, financialor technical nature, with a

view toestablishing evidence inforeign judicialor administrative proceedingsor inrelation thereto

(the

Blocking Statute

).

2.11

 

Asitstitlesuggests,theBlockingStatuteappliesto“

documentsorinformationofaneconomic,

commercial,industrial,financialortechnicalnature

”thatarelocatedinFrance.Itprohibitsthe

request, investigationor communicationof suchdocuments orinformation inthe contextor witha

view to foreign administrative or judicial proceedings.

2.12

 

Breaches of the Blocking Statute may lead to criminal sanctions and triggerrisks of civil litigation.

2.13

 

Weconsider that the Blocking Statute doesnot prevent UBS ESE FR fromsharing with and making

available tothe Londonbranch of UBSAG, the CoveredBooks and Recordsin relationto theSBS

Transactions.

Privacy and Human Rights

2.14

 

Protectionforthegeneralfundamentalrightto“

respectforprivateandfamilylife,homeand

correspondence

” isenshrined inArticle 8of theEuropean Conventionon HumanRights (

ECHR

).

Thisright isdirectly applicableinFrance. However,itis tobe highlightedthat, inFrance, iflegal

persons have a rightto see theircorrespondence protected, only natural personscan rely on /benefit

from a right to privacy

 

4

.

2.15

 

Actions inrespect ofArticle 8of the ECHRrequire aseparate causeof action,such asan actionarising

from a wrongful act or other legal obligation, such as under the Data ProtectionLaws.

2.16

 

Article 8 ECHR is, as it were, thelegal foundation on which the GDPRhas been based. The GDPR is

detailing thefundamental rightlaid downin Article8 ofthe ECHR.Thus, Article8 ECHRand the

GDPR areintertwined with eachother.As long asthe provisionof informationby UBS ESEFR to

the London branchof UBS AGfalls entirely withinthe scope ofand is incompliance with the Data

Protection Laws, we consider thegeneral fundamental right set out inArticle 8 of theECHR will be

protected.

This summary opinion is not a substitute for the full expression of our viewsset out in Annex 1.

3.

 

SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1

 

This opinionrelates solelyto accessprovided toUBS AG,through itsLondon Branch,of Covered

Books and Records held on its behalf by UBS ESE FR in France.

3.2

 

This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of

the opinion.

4

Cour de Cassation (French Supreme Court), Civ 1ère, 17 March 2016

 

 

 

4

 

3.3

 

This opinion only covers the provision and sharing by UBS ESE FR to UBS AG, LondonBranch, of

the Covered Books and Records held in France by UBS ESE FR inrelation to the SBS Transactions.

Covered Books and Records include only those books and records which:

(a)

 

relate to theUS business

5

of the non-residentSBSD.

6

These are therecords that relateto an

SBS Transaction that is either:

(i)

 

entered into, or offered to be entered into, by or on behalf of thenon-resident SBSD,

with a“U.S. Person” asdefined in17 CFR§ 240.3a71-3(a)(4)

7

(

US Person

) (other

than an SBS conducted through a foreign branch of such US Person

8

); or

(ii)

 

arranged, negotiated, or executed bypersonnel of the non-resident SBSDlocated in a

branch in the United States (

US branch

) or office or by personnelof an agent of the

non-resident SBSD located in a US branch or office;

9

or

(b)

 

constitutefinancialrecordsnecessaryfortheSECtoassessthenon-residentSBSD’s

compliance with the SEC’s margin and capital requirements, if applicable.

10

 

3.4

 

FurthertoAssumption1,thisopinionislimitedtothosetypesofrecordsthatarerelevantto

prudentially regulated SBSDs,which excludes financialrecords as notedin paragraph 3.3(b)above.

For this opinion, the term “Covered Books and Records” extends to theserecord types alone.

3.5

 

This opinion covers data relatingto SBS Transactions concludedbetween UBS AG, London Branch

through UBS ESE FR employees qualifying as associated persons.These SBS Transactions will only

be concluded by authorisedUBS ESE FR personnel,with UBS ESEFR acting inthe name andfor the

accountofUBSAG,LondonBranch.TheCoveredBooksandRecordsinrelationtothoseSBS

Transactionswill be,asagreed betweenUBS ESEFRand UBSAG, LondonBranch, alsoheld in

London.

This opinion only covers SBS Transactions entered into by UBS AG where UBS ESE FRis acting in

thenameandfortheaccountofUBSAG.ThisopiniondoesnotcoverdatarelatingtoSBS

Transactions concluded between UBS ESE FRand its own counterparties(even though UBS ESE FR

may berelying onthe counting exemptionset out in17 CFR§ 240.3a71-3(d) forsuch transactions,

we are instructedthat this datais not relevantfor the purposesof 17 CFR§ 240.15Fb2-4(c) andso this

data is not within scope of this opinion).

3.6

 

The issuesaddressed inthis opinionapply equallyacross thedifferent documenttypes whichconstitute

the Covered Books andRecords based upon theinformation actually containedin each of the relevant

Covered Books and Records. We have not examined any such documents or records.

3.7

 

In giving this opinion, we have made the further assumptions set outin Annex 2.

3.8

 

No opinion is expressed on matters of fact.

5

 

 

As defined in 17 CFR §240.3a71

-

3(a)(8).

 

6

 

 

Cross

-

Border Application of Certain

[SBS] Requirements, 85 Fed.

 

Reg. 6270, 6296 (Feb. 4, 2020) (the

SEC Guidance

).

7

 

 

A “

U.S. person

” means any personthat is “

(i) a natural personresident in the U.S.; (ii)a partnership, corporation,trust, investment vehicle,

or other legal person organized,incorporated, or established under the laws of theUnited States or having its principal place ofbusiness

in the United States; (iii) an account (whetherdiscretionary or non-discretionary) of a U.S. person; or (iv) an estate ofa decedent who was

a resident of the United States at the time of death.

” 17 CFR § 240.3a71-3(a)(4).

8

 

 

A “

foreign branch

” means “

any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for

valid business reasons;and (iii) thebranch is engagedin the businessof banking andis subject tosubstantive banking regulationin the

jurisdiction where located.

” (17 CFR § 240.3a71-3(a)(2)). An “

SBS conducted through a foreign branch

” means an SBS that is “

arranged,

negotiated, and executed bya U.S. personthrough a foreignbranch of suchU.S. person if:(A) the foreignbranch is thecounterparty to

such security-based swap transaction; and (B) thesecurity-based swap transaction is arranged, negotiated, and executed onbehalf of the

foreign branch solely by persons located outside the United States.

” (17 CFR § 240.3a71-3(a)(3)(i)).

9

 

 

17 CFR

 

§

 

240.3a71

-

3(a)(8)(i)(B).

 

10

 

 

The requirementset outin thisparagraph

does notapply toUBS AGbecause itis notsubject tothe SEC’smargin andcapital

requirements as it is assumed that UBS AG has a prudentialregulator – please see Assumption

set out in

 

 

5

4.

 

REVISIONS TO APPLICABLE LAW

4.1

 

This opinion relates solely to French law andEuropean Union (

EU

) law that is directly applicable in

France(i.e.regulationspursuanttoArt.288(2)oftheTreatyontheFunctioningoftheEuropean

Union),ineachcase,inforceasatthedateofthisopinion.Wehavenoobligationtonotifyany

addressee of any change in any applicable law or its application after the date ofthis opinion.

5.

 

RELIANCE AND CONFIDENTIALITY

5.1

 

This opinion isgiven for thesole benefit ofthe addressee. Itmay not berelied upon byanyone else

without our prior written consent.

5.2

 

ThisopinionisnottobedisclosedtoanypersonoutsideofUBSAG’sgrouporused,circulated,

quoted or otherwise referred to for anyother purpose. However, we agree thata copy of this opinion

letter may be disclosed:

(a)

 

wheredisclosure isrequiredorrequestedbyanygovernmental, banking,taxationorother

regulatory authority or similar body having jurisdiction overUBS AG (including to the SEC

aspartofUBSAG’sSBSDregistrationapplication) orbytherulesofanyrelevantstock

exchange or pursuant to any applicable law or regulation; and

(b)

 

toUBSAG’saffiliates,andanyoftheirofficers,directors,employees,auditors,insurers,

reinsurers, insurance brokers and professional advisors (in their capacityas such).

5.3

 

Any such disclosuremust be madeon the basisthat it isfor information purposes only,no recipient

may relyon this advice,no client-lawyer relationship betweenus and therecipient arises following,

or as aresult of, anysuch disclosure. We assume noduty or liabilityto any recipient,and any recipient

under paragraph 5.2(b) above will be subject to the same restrictions on disclosureas set out above.

5.4

 

Weassume no obligationto adviseyou orany other personor tomake anyinvestigations as toany

legaldevelopmentsorfactualmattersarisingsubsequenttothedatehereofthatmightaffectthe

opinions expressed herein.

 

Yoursfaithfully,

 

 

Allen & Overy LLP

 

 

6

ANNEX 1

 

OPINION

1.

 

DATAPROTECTION

1.1

 

The GeneralData ProtectionRegulation 2016/679(

EU GDPR

),and theAct n°78-17of6 January

1978 on informationtechnology, data files andcivil libertiesas modified(

French DPA

) (together, the

Data ProtectionLaws

) willapply toUBS ESEFR’sdisclosure ofCovered Booksand Recordsto

UBS AGLondon Branchfor thepurpose ofrisk management,to theextent thatthese compriseor

contain personal data.Personal data isdata relating toan identified oridentifiable living individual,

and maytherefore extendto informationon UBSESE FR’s staffand USPerson counterpartiesof UBS

AG, London Branch with whom UBS ESE FR concludes SBS Transactions.

1.2

 

UndertheDataProtection Laws,specificadditional restrictionsapplyfordatarelatingtocriminal

convictions and offences.These laws alsoimpose heightened restrictionson the processingof ‘special

category data’– thisis datathat revealsracial orethnic background,political opinions,religious or

philosophicalbeliefs,ortradeunionmembership,geneticdata,biometricdatawhenusedforID

purposes, health information, data concerning sex lifeor sexual orientation. As special categorydata

arelesslikelytoberelevantinthecontextofUBSESEFR’sdisclosuresofCoveredBooksand

Records, the laws applicable to these data have not been consideredin detail in this opinion.

1.3

 

Key restrictionsin theData ProtectionLaws relatingto UBSESE FR’sability todisclose personal

data to UBS AG, London Branch are set out below.

Legal basis for the disclosure

1.4

 

UBS ESE FR requires a legal basisunder Article 6 of the EUGDPR to disclose personal data to UBS

AGLondonBranch

.Datacannotbedisclosed

,shouldsuchdisclosure

 

breacha

notherlegal

requirement under applicable French law (e.g. the Secrecy Rules – please see section 2). Whilst there

are a number of Article 6legal bases on which UBS ESE FRmay seek to rely,none on its own is so

comprehensive asto coverall actionsfalling withinthe scope ofrisk managementactivities.UBS ESE

FR will therefore need to consider the most appropriate legal basisto apply to any given situation.

1.5

 

The Article 6legal bases thatseem the mostrelevant and applicableto UBS ESEFR, together with

their respective limitations, are as follows:

(a)

 

Consent (Article 6(1)(a))

: In order for consentto be valid under theData Protection Laws, it

must satisfythe highstandard ofbeing afreely-given, specific,informed andunambiguous

indication ofwishes. Asa practicalmatter,in France, itwould bevery difficultto establish

that consentis freely givenwhere information relatesto UBS ESEFR staff,in an employment

context,duetotheinherentimbalanceofpowerbetweenanemployeranditsstaff(for

example, staffmay believe therecould be negativeconsequences should theyrefuse to give

consent). Further, consent will only bevalid if UBS ESE FR offers itsstaff a genuine choice

over how the data is used, and will onlycontinue to be an appropriate legal basis ifUBS ESE

FR also offers its staff the opportunity to withdraw consent at any time.

Consent might therefore not generally beconsidered as a valid legalbasis for disclosure and

UBS ESE FR should rely onan alternative basis for disclosure (e.g. the legitimate interests).

Please note that valid consent is assumed at Assumption 5.

(b)

 

Legitimate interests (Article6(1)(f))

: This isa more flexiblelegal basis forprocessing thatcan

apply to a multitude of business purposes,including with a view to ensuring compliancewith

regulatory obligations. To rely on the legitimate interests ground, UBS ESE FR must:

 

 

7

 

(i)

 

identify its,or athird party’s (e.g. UBSAG, LondonBranch’s) legitimateinterest (this

can include commercial interests, individual interests orbroader societal benefits) in

complying with UBS AG, London Branch’s disclosure request;

(ii)

 

show that thedisclosure of documents toUBS AG, LondonBranch is necessaryfor

achieving these interests; and

(iii)

 

balancetheseinterestsagainstthecompetinginterests,rightsandfreedomsofthe

individuals concerned, and satisfy itself that thoseinterests do not outweigh its own.

If individuals would notreasonably expect the disclosure, orif the disclosure would

causeunjustifiedharmtotheindividuals,theinterestsofthoseindividualswould

likely override the interests of UBS ESE FR or the third party.

AnindividualhastherighttoobjecttothedisclosureoftheirpersonaldatatoUBSAG,

London Branch under this basis for processing,and UBS ESE FR would needto demonstrate

‘compelling’legitimategroundstoprocessthedatathatoverridetherights,freedomsand

interests of that individual.

The balancing oflegitimate interests againstthe competing interests,rights and freedomsof

theindividualsconcerned shouldbemadeonacase-by-casebasisandshouldconsider all

available facts.In particular, Recital47 ofthe GDPRstates that,when balancingtheir interests

againstthoseoftheindividualsconcerned,controllersshouldtakeintoaccount“

the

reasonable expectationsof datasubjects basedon theirrelationship withthe controller

”. With

this in mind, UBS ESE FR may argue that its interests are not outweighedby those of the US

Person counterparties of UBS AG, London Branch with whom UBS ESE FR concludes SBS

Transactions or UBS ESE FR’s employees on the basis that:

(A)

 

USPersoncounterpartiesofUBSAG,LondonBranchwithwhomUBSESEFR

concludesSBSTransactionsareaware,duetostatementscontainedintheirclient

termsofbusinesswithUBSAG,andduetotheirunderstandingassophisticated

investors,thatclientmanagement(includingriskmanagement)willconductedby

UBSonagroup-widebasis,andsocertaininformationregardingtheirSBS

Transactions, includingin somecases their personaldata, maybe disclosed toUBS

AG, London Branch; and

(B)

 

theemployees whosepersonal datamaybe disclosedtoUBS AG,London Branch

understand their rolewill involve risk managementconducted by UBSAG, London

Branch and understandthat, asa result, certainof their personaldata maybe disclosed

to UBS AG, London Branch.

(c)

 

Disclosureisnecessaryforcompliance

 

withalegalobligationtowhichUBSESEFRis

subject (Article 6(1)(c))

: There must bea French nexus inorder for UBS ESEFR to beable

to rely on this legal basis. Article 6(3) requires that the legal obligation must be laid down by

French or EU law,although this doesnot have tobe an explicitstatutory obligation, as long

as the application ofthe law isforeseeable to UBS ESEFR as theperson subject toit.

11

We

have not identified a relevantFrench or EU law obligationand so we do not considerthat it is

possibleforUBSESEFRtorelyonthislegalbasisforthedisclosureofpersonaldata

contained in the Covered Books and Records from a French data protectionlaw perspective.

1.6

 

It is possible that information contained in Covered Books and Records provided by UBS ESE FR to

UBS AG, London Branch, including personaldata, might be disclosed tothe SEC in the course ofthe

conduct of supervisionof UBS AG,London Branch (in itscapacity as anSEC-registered SBSD) by

the SEC. In this context, it is also relevant that:

11

 

 

Recital 41

EU GDPR.

 

 

 

8

 

(a)

 

Consent (Article 6(1)(a))

: The considerations set out in paragraph 1.5(a) aboverelating to the

validity of consent apply in this context.

(b)

 

Legitimate interests (Article6(1)(f))

: In thiscontext, to relyon the legitimateinterests ground,

UBS ESEFR mustconduct thesame balancingof competingfactors asdescribed inparagraph

1.5(b) above. In this context, it is relevant that:

(A)

 

USPersoncounterpartiesofUBSAG,LondonBranchwithwhomUBSESEFR

concludesSBSTransactionsareaware,duetostatementscontainedintheirclient

termsofbusinesswithUBSAG,oftheUSnexuswhentheyengageinSBS

Transactions and, dueto their understandingas sophisticatedinvestors, thatregulatory

oversightwillbeexercisedbytheSEC,whichmayentailcertaininformation

regarding theirSBS Transactions,including insome casestheir personaldata, tobe

disclosed to the SEC by UBS AG London Branch; and

(B)

 

the employees whose personaldata may be disclosedto the SEC understandtheir role

will involve SEC oversight dueto their status as ‘associatedpersons’ for the purposes

of SBS Transactionsand understandthat, as aresult, certainof their personaldata may

bedisclosedtotheSEC.Morespecifically,eachassociatedpersonisrequiredto

complete an‘SBS associatedperson questionnaire’,which providesadvance notice

that theiractivities may involvethe disclosure oftheir personal datato theSEC and

potentially require them to undertake interviews with the SEC. Each employee thatis

an associated person isalso required to agreeor acknowledge their understandingthat

their data may be providedto the SEC in connectionwith the SEC’s oversight of SBS

Transactions.

It is also relevant to this balancing of interests that:

(1)

 

the SEC is expected to restrictits information requests for, and use of, any informationto

only the information thatit requires for thelegitimate and specificpurpose of fulfillingits

regulatorymandateandresponsibilities,withthetypeandamountofpersonaldata

requested being targetedbased on riskand related tospecific transactions, accountsand

employees;

12

and

(2)

 

information, data and documents received by the SEC are expected to be maintained in a

secure manner and only disclosed pursuant to strict US confidentialitylaws

13

.

(c)

 

Disclosureisnecessaryforcompliance

 

withalegalobligationtowhichUBSESEFRis

subject (Article 6(1)(c))

: For thesame reason asdescribed in paragraph1.5(c) above, wedo

not consider that it ispossible for UBS ESE FRto rely on this legal basisfor the disclosure of

personal data by UBS AG, London Branch to the SEC.

1.7

 

Based upon theabove, the legitimateinterests legal basisfor processing istherefore likely tobe the

most appropriate Article6 ground on whichUBS ESE FRcould rely in orderto disclose personaldata

included in Covered Books and Records.

1.8

 

It is considered very unlikely thatdata included in Covered Booksand Records provided to UBSAG,

LondonBranchwillincludespecialcategoriesofdata.Further,UBSESEFRmightnotholdall

informationdescribedin17C.F.R.§§.18a-5(b)(8)(i)(A)through(H)or240.18a-5(a)(10)(i)(A)

through (H), as thecase may be, for anassociated person who is nota US Person.

14

However, to the

12

 

 

Please refer to Assumption

in Annex 2, aswell as ArticleIV of theMemorandum of UnderstandingConcerning Consultation, Cooperation

and the Exchange of Information Related to the Supervision and Oversight of CertainCross-Border Over-the-Counter Derivatives Entities

In Connection with the Useof Substituted Compliance by SuchEntities entered into among the SEC,the FCA and the PRA (the

UK MoU

).

13

 

 

Please refer to Assumption

in Annex 2, as well as Article VII of the UKMoU.

14

 

 

As we understand is as defined in 17 C.F.R. §240.3a71

-

3(a)(4)(i)(A)

.

 

 

 

 

9

 

extent that thisdoes occur, andsuch information is heldby UBS ESE FRin addition toan Article 6

legal basis, UBS ESE FR will need toestablish an additional legal basis for processing under Article

9 of the EU GDPR and the French DPAif it discloses special categories of data to UBS AG, London

Branch. Other than valid consent

15

and public interest, the Article9 legal basis that may be applicable

to disclosure of Covered Booksand Records is processingis necessary for the establishment,exercise

ordefence oflegal claimsorwhenever courtsare actingin theirjudicial capacity(Article 9(2)(f)).

However,pleasenotethatthereisnoguidancefromtheFrenchdataprotectionauthority(the

“Commission Nationale del’Informatique et des Libertés”)

 

on the applicability ofthis particular legal

basis and that it is uncertain whether this legal basis can be extendedto this case.

1.9

 

Similarly, processing ofpersonal datarelating tocriminal convictionsand offencesis highlyrestricted,

and canonly bedisclosed whereis authorisedby arule ofEU law,by theFrench DPAor byother

French laws or rules that have theforce of law.In the absence of such rule ofEU law,by the French

DPAor by other French laws or rules – and we are aware of no such law or rule that would authorise

this disclosure to UBS AG, London Branch –UBS ESE FR could not disclose these personal data to

theUBSAG,LondonBranch.

 

Inpractice,thisrestrictiononUBSESEFRisdealtwithbythis

information being provided and/or transferred directly by the individual (here, staff of UBS ESE FR)

to the requesting party (here, UBS AG, London Branch).

 

 

Data protection principles

1.10

 

In addition to establishing a legal basis for the disclosure, UBS ESE FR would need to ensure that its

disclosures are compliant with the remainingrequirements under the Data ProtectionLaws, including

the data protection principles set out in Article 5 of the EU GDPR.For example, UBS ESE FR must:

(a)

 

be transparent with those whose personaldata is to be disclosed to UBSAG, London Branch,

who mustbe providedwith fairprocessing information(usually inthe formof aprivacy notice

or statement);

(b)

 

withrespecttothedataitself,ensurethatitonlyprovidespersonaldatathatisadequate,

relevant and limitedto what isnecessary in relationto the purposesof its regulatoryactivities;

(c)

 

be careful to avoid participatingin ‘data dumps’ and shouldconsider withholding documents,

anonymising personal data(or pseudonymisingdata where fullanonymisation is notpossible)

and redacting personal data from documents as appropriate;

(d)

 

ensure that the data is accurate and, where necessary, kept up to date;

(e)

 

keep the personal datain a form that enablesidentification of individuals forno longer than is

necessary for the purposes for which the personal data is processed;and

(f)

 

ensurethattheconfidentialityandintegrityofpersonaldataismaintained,andassuch,

implement appropriate security measures (e.g. encryption) to protectthe personal data.

1.11

 

UBS AG,London Branch isbound by therequirements ofthe EU GDPR(even thoughit is established

outside theEEA),

16

as wellas theGeneral DataProtection Regulation2016/679 asit formspart of

15

 

 

Article 9(2)(a) of the EU GDPR

.

 

16

 

 

Per Article 71 of the EU

-

UK Withdrawal Agreement

, the EU GDPR remains applicable in the UKfollowing the end on 31 December 2020

of the transition periodeffecting the UK’sexit from the EUin respect of theprocessing of personal data ofdata subjects outside theUK,

provided that the personal data: (a) were processed under EU law inthe UK before the end of the transition period;or (b) are processed in

the UKafter theend ofthe transition periodon thebasis ofthe EU-UKWithdrawal Agreement.In particular,EU GDPRapplies inthe

absence ofan adequacy decisionmade bythe European Commissionin respectof theUK. On28 June2021 theEuropean Commission

adopted adequacy decisions

for the UK, including CommissionImplementing Decision of 28.6.2021pursuant to Regulation (EU) 2016/679

oftheEuropeanParliamentandoftheCouncilontheadequateprotectionofpersonaldatabytheUnitedKingdom(the

European

Commission’s UK Adequacy Decision

), thereby enabling the free-flow of personal data from theEU to the UK.

However, for the first time, the adequacy decisions each include a so-called ‘sunset clause', which strictly limits their duration. This means

that the decisions will automaticallyexpire four years after theirentry into force. After thatperiod, the adequacy findings mightbe renewed,

but only if the UKcontinues to ensure anadequate level of dataprotection. During these fouryears, the European Commissionwill continue

 

 

10

 

“retained EU law” in the UK as defined in the UK’s European Union (Withdrawal)Act 2018 and the

UK’sData Protection Act2018. Accordingly,UBS AG, LondonBranch must takethese EU GDPR

principlesintoaccountwhenrequestingaccesstotheCoveredBooksandRecords(albeitthatthe

responsibility remains with UBS ESEFR to ensure thatits disclosures comply with allrequirements

under the Data Protection Laws and to implement its own compliancemeasures to that end).

International transfers

1.12

 

ThegeneralprincipleintheEUGDPRisthatUBSESEFRmaynottransferpersonaldatatoa

jurisdiction outside the EEA, unlessit can satisfy acondition for the transferas set out inChapter V

of the EU GDPR.

1.13

 

Article 45 of theEU GDPR allowsfor UBS ESEFR to transferpersonal data toa recipient outsidethe

EEAwherethetransferisbasedonanadequacydecisionoftheEuropeanCommission.Forthe

purposesofprovidingCoveredBooksandRecordstoUBSAGLondonBranch,theEuropean

Commission’sUKAdequacyDecisionallowstransfersofpersonaldatafromtheEEA,including

France, tothe UKto bemade freely.Any transferfrom UBSESE FRto UBSAG LondonBranch

would therefore bepermitted without limitation(provided that thedisclosure otherwisecomplied with

the EU GDPR).

1.14

 

As noted above, itis possible that UBSAG, London Branchmight share informationprovided to it by

UBS ESE FR withthe SEC. Thismight involve aninternational transfer ofthis personal data fromthe

UK tothe US.Where thisoccurs, suchpersonal datawould remainsubject tothe DataProtection Laws

when held byUBS AG, LondonBranch and soan international transfer madeby UBS AG,London

Branch must comply with the Data Protection Laws.

17

1.15

 

In this regard it is helpful that the EuropeanCommission’s UK Adequacy Decision addresses onward

transfers from the UK and notes that the regime on international transfers under theUK GDPR

18

and

UKDataProtectionAct2018is“

insubstanceidentical

”tothetransferregimeundertheEU

GDPR.

19

The primaryoptions available toUBS AG LondonBranch under theData Protection Laws

when making such a transfer are set out below.

1.16

 

Derogations(Article49)

20

:WhereatransfermechanismadoptedbytheEuropeanCommissionin

respect of a transfer of personal data to theUS is not available (as is currently the case),a transfer or

a setof transfers tothe SEC ofpersonal data containedin Covered Booksand Records providedby

UBS ESE FR to UBS AG London Branch may take place pursuant to a derogation under EUGDPR,

providedthattheconditionsofsuchaderogationaremet.Thesederogationsincludeconsentand

legitimate interests,which arethe derogationsmost likelyapplicable inthis situation,together with

their respective conditions.

 

 

(a)

 

Consent

:thedatasubjectwouldhavetoexplicitlyconsenttotheproposedtransfer,after

having beeninformed ofthe possiblerisks ofsuch transfersfor thedata subjectdue tothe

absenceofanadequacydecisionandappropriatesafeguards.Inpractice,itwouldbevery

difficult toestablish thatconsent isfreely givenwhere informationrelates toUBS ESEFR

staff in an employment context, dueto the inherent imbalance of powerbetween an employer

and its staff (forexample, staff may believethere could be negativeconsequences should they

refuse togive consent). Further,consent will onlybe valid ifUBS ESEFR offersits staffa

genuine choice over how the datais used as part of thetransfer, and willonly continue to be

to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place.

Should the Commission decide to renew the adequacy finding,the adoption process would start again.

17

 

 

Article 44 sent. 1, Recital 101 of the EU GDPR

.

 

18

 

 

The

General Data Protection Regulation2016/679 as it forms partof “retained EU law” asdefined in the European Union(Withdrawa

l) Act

2018 in the UK (

UK GDPR

).

19

 

 

Paragraph 2.5.7, recitals (74) and (75) of the

European Commission’s UK Adequacy Decision

.

 

20

 

 

The EuropeanData ProtectionBoard hasissued guidelinesto provideguidance asto theapplication ofArticle 49of theEU GD

PR on

derogations in the context of transfers of personal data tothird countries.

 

 

11

 

a valid derogation if UBS ESE FR also offers its staff the opportunity to withdraw consent at

any time. Consentshould therefore notbe considered asa valid derogationfor disclosure of

personal data relatingto such staff andUBS AG, LondonBranch should relyon an alternative

basis for transfers of personal data (e.g. the legitimate interests).

(b)

 

Legitimate interests

: In case consentand none of theother derogations are applicable, andif

the transfer(i) is notrepetitive, (ii) concernsonly alimited numberof datasubjects, (iii) is

necessary forthe purposesof compellinglegitimate interestspursued byUBS AG,London

Branch, (iv) UBSAG, LondonBranch’s legitimate interestsare notoverridden bythe interests

or rights and freedoms of the data subjects, (v) UBS AG, London Branch has assessed all the

circumstances surroundingthe datatransfer,and (vi) UBSAG, LondonBranch has,on the

basis ofthat assessment,provided suitablesafeguards withregard tothe protectionof personal

data, thelegitimate interestsderogation maybe reliedupon. Insuch acase, thecontroller shall,

in additionto providingthe informationreferred toin Articles13 and14 ofthe EUGDPR,

inform the data subject of the transfer and of the compellinglegitimate interests pursued.

Each of the consent and legitimate interest derogations need to be appliedon a case-by-case basis.

21

 

1.17

 

Access to CoveredBooks andRecords grantedto the SECin the courseof On-SiteInspections ofUBS

AG, London Branchwould not entailUBS AG, LondonBranch effecting an internationaltransfer and

so restrictions in Chapter V of the EU GDPR would not applyto that situation.

2.

 

SECRECY RULES

2.1

 

ArticleL.511-33

etseq

.oftheMFCgovernthedisclosurebyacreditinstitution,

interalia

,of

confidential information regarding any existing or former customer (the

Secrecy Rules

).

2.2

 

Articles L.511-33I andL. 511-34 ofthe MFCapply tobranches ofcredit institutionsoperating in

France under a European passport, pursuant to Article L. 511-24 5° of the MFC.

Scope of protection

2.3

 

Information protected under the Secrecy Rules generally includes any information received bycredit

institutions in the course of their activities, provided that such information is sufficiently confidential

andspecific.ThescopeoftheSecrecyRulesisbroadandincludesanyinformationrelatedtoa

customer, including their name andany details regardingtheir assets, debts,transactions or operations

carried out on their account (even transactions contemplated but not executed).

2.4

 

TheSecrecyRulesapplyequallytoindividualandcorporatecustomers,includingmanagers,

employeesandcounterparts ofcorporatecustomers. Anonymizedtransactiondata,which doesnot

enable the direct or indirect identification of a customer, is not protected by the Secrecy Rules.

2.5

 

The viewof mostscholars andpractitioners isthat pursuantto theFrench principleof territoriality,

the Secrecy Rules apply to information collected byinstitutions established in France in the course of

their businessrelationships witha customeror potentialcustomer, regardless oftheir citizenship.Thus,

information collectedby aFrench branchof aforeign creditinstitution operatingunder aEuropean

passport in Franceand transmittedto its foreignhead office oranother foreignbranch remains covered

by the Secrecy Rules.

Application and relevant exceptions

2.6

 

We understand that UBS ESE FR will be acting in the name and for the account of UBS AG,London

Branch in relation to the SBSTransactions. In principle, information relating to theSBS Transactions

21

 

 

Article 49(1) EU GDPR at sentence 1 paragr

aph (a) and sentence 2, respectively.

 

 

 

 

 

12

 

carried out in the name and forthe account of UBS AG, London Branch, by UBS ESEFR should be

disclosed by UBS ESE FR to UBS AG, London Branch.

2.7

 

The information held by UBS ESE FR in relation to the SBS Transactions may contain details which

do not need to be disclosed to UBSAG, London Branch or belong to UBSAG, London Branch (such

as information pertainingto the USPerson counterpartyof UBS AG,London Branch); whichmay fall

within the ambit of the Secrecy Rules applicable to UBS ESE FR.

Risk management and consolidated supervision

2.8

 

Pursuant to Article L.511-34 of theMFC, institutions established inFrance belonging to afinancial

groupareallowedtosharecertaininformationwithforeignentitiesbelongingtothesamegroup,

provided that the headquarters of theseforeign entities are located in anEU or EEA Member State, or

inaStatewhoseauthoritieshaveenteredintoacooperationagreementwiththeFrenchFinancial

Markets Authority (the

AMF

) or the French Banking Regulator (the

ACPR

).

2.9

 

ThisexceptiontotheSecrecyRulesislimitedtoinformationwhichisdeemednecessaryforthe

purposes of:

●

 

Supervising the group entities on a consolidated basis;

●

 

Assisting the fight against money laundering and terrorism financing;

●

 

Detecting and preventing market abuse; or,

●

 

Managing conflicts of interest.

2.10

 

To that extent, we note that:

●

 

UBS AG,London Branch and UBS ESE FR belong to the same group;

●

 

In relationto theSBS Transactions,UBS AGis subjectto regulatorysupervision bySwiss

supervisoryauthorities(e.g. theFinancialMarketSupervisoryAuthority(

FINMA

));for

activities carriedout inthe LondonBranch ofUBS AG,also bythe UKsupervisory authorities

(thePrudential RegulationAuthority(

PRA

)andtheFinancialConductAuthority (

FCA

));

and, pursuant to UBSAG’s statusas an SEC-registered SBSD (which includesthe activities

of UBS AG, London Branch),the SEC;

●

 

UBS AG,London Branch, is located inthe United Kingdom, whose authorities, forinstance

the PRA andthe FCA, executeda MoU withthe ACPR“

to formalise supervisorycooperation

and informationsharing arrangements

[…]

inordertopromotethe integrity,stability and

efficiency of the supervised entities and financial system

” on 10 April 2019

22

.

●

 

The headquarters ofUBS AG arelocated in Switzerland,whose authorities, for instancethe

Commissionfédéraledesbanques

(thepredecessortoFINMA)executedaMoUwiththe

Commission bancaire

(the predecessor tothe ACPR) witha view “

to cooperate andexchange

all relevantinformation for theeffective supervision of supervisionof financial marketsand

banking and financial institutions

”, on 2 December 2002

23

;

●

 

UBS ESE FR willbe effecting SBS Transactionsin the name andfor the accountof UBS AG,

LondonBranch,whichmaygiverisetoavarietyofrisks,includingpotentialmoney

laundering, market abuse or conflict of interest risks.

22

 

 

Available of the FCA website:

https://www.fca.org.uk/publication/mou/mou-acpr-boe-fca.pdf

.

23

 

 

A

vailable on the

ACPR

’s website

 

in French onl

y

:

https://acpr.banque-france.fr/sites/default/files/20021206-accord-entre-cb-cfb-suisse.pdf

.

 

 

13

 

2.11

 

Whilst the very purposeof this exception isto enable intra-group exchangeof information for internal

risk managementpurposes, ourview isthat UBSESE FRwould beable toshare informationwith

UBS AGLondon Branchon thebasis ofsuch exception,subject tosuch informationbeing strictly

limited toinformation obtainedor collectedby UBSESE FRwhen actingin thename andfor the

account of UBS AG,in the context of the SBS Transactions.

Waiver

2.12

 

Should it obtain a written waiver from the relevant customer,UBS ESE FR would be in a position to

disclose protectedinformation

24

revolving aroundthat customerto UBS AGLondon Branch.Pursuant

to ArticleL. 511-33of theMFC, suchwaiver mustbe grantedon acase-by-case basis(i.e. general

consent allowing the transfer of information in any circumstancemay not be sufficient).

Request from French criminal or regulatory authorities

2.13

 

A branch of a credit institution operating undera European passport in France cannot use the Secrecy

Rules to oppose disclosure to the French criminal and regulatory authorities.

25

 

Potential sanctions

2.14

 

Breaches of theSecrecy Rules couldresult in criminaland regulatory sanctions,and trigger risksof

civil litigation.

Criminal sanctions

2.15

 

In the event of a breachof the Secrecy Rules, the entity’sdirectors and employees may incur up to 1

year’s imprisonmentand/or afine ofup toEUR 15 000.The entityitself mayincur afine ofup to

EUR75 000aswellasadditionalpenalties,suchasthetemporaryordefinitiveclosureofthe

establishment that was used to commit the breach.

26

 

Regulatory sanctions

2.16

 

The ACPRis incharge ofmonitoring complianceby creditinstitutions operating inFrance undera

EuropeanpassportwiththeprovisionsthatareapplicabletothemunderFrenchlaw,takinginto

account the supervision performedby the relevant authoritiesof the Member Statein which they have

theirheadoffice(whicharesolelyresponsible,inparticular,fortheassessmentoftheirfinancial

situation, theiroperating conditions,solvability,liquidity andtheir abilityto fulfilat alltimes their

commitmentswithrespecttotheirpolicyholders,

subscribers

,

beneficiaries

 

andreinsured

companies).

27

 

2.17

 

In thiscontext, theACPR hasinspection and sanctionpowers, includingthe powerto prohibitsuch

credit institutionsfrom continuing to provide banking services on French territory.

28

2.18

 

If the ACPR noticesthat a credit institutionoperating in France under aEuropean passport breaches

ormaybreachtheprovisions ofChapter1ofTitle1 ofBook5oftheMFC–whichincludesthe

Secrecy Rules –, it shouldinform the relevant authoritiesof the Member Stateof the country in which

the credit institution hasits registered office, sothat the latter canimmediately take any measuresto

ensure compliance with these provisions.Should it consider thatthe latter have not fulfilledor are not

going fulfil their obligations, it can make a requestfor assistance to the European Banking Authority

in accordance withArticle 19 ofRegulation (EU) no.1093/2010 of theEuropean Parliament andof

24

 

 

See Article L. 511

-

33

 

I

 

of the MFC.

 

25

 

 

See

Article L. 511

-

33

I

of the MFC.

 

26

 

 

See Articles L. 571

-

1 and 571

-

4 of the MFC and Articles 226

-

13, 131

-

38 and 131

-

39 of the French Criminal Code.

 

27

 

 

See

Article L. 612

-

2 III of the MFC.

 

28

 

 

See Article L. 613

-

33 of the MFC.

 

 

 

 

 

 

 

14

 

the Council of 24November 2010 establishinga European SupervisoryAuthority (European Banking

Authority).

29

Risk of litigation

2.19

 

Customersandthirdpartieswhoseprotecteddatawouldbeillicitlytransferredcouldseek

compensatory damages under French law. Punitive damages are not available.

2.20

 

Toseek compensation before theFrench courts, the allegedvictims would need todemonstrate (i) a

failure by UBS ESE FR (i.e. a breach of the Secrecy Rules), (ii) the damages they havesuffered, and

(iii) a direct link of causation between such failure and damages.

3.

 

BLOCKING STATUTE

3.1

 

TheBlockingStatutegoverns therequest,searchfor ordisclosure ofinformation ofaneconomic,

commercial, industrial, financialor technical nature,with a viewto establishing evidencein foreign

judicial or administrative proceedings or in relation thereto.

Scope of protection

3.2

 

The BlockingStatute applies to“

documents or informationof aneconomic, commercial,industrial,

financialor technicalnature

”that arelocatedinFrance andprohibits therequest, investigationor

communication of documentsor information in thecontext or with aview to foreign administrativeor

judicial proceedings.

Application and relevant exceptions

3.3

 

The prohibitions imposed by the Blocking Statute do not apply to transfersof documents,which:

●

 

are not madein the contextor with aview to foreign administrativeor judicial proceedings;

or,

●

 

aremadeincompliancewithapplicableFrenchlaw,anapplicableinternationaltreatyor

agreement (e.g. theHague Convention,a Memorandum ofUnderstanding (

MoU

) entered into

by the ACPR or the AMF,

30

or a mutual legal assistance treaty)

31

.

3.4

 

In the caseat hand,we understandthat the provisionand sharingby UBSESE FRto UBSAG, London

Branch, ofthe CoveredBooks andRecords heldin Franceby UBSESE FRin relationto theSBS

Transactions:

●

 

wouldbemade

 

forriskmanagementpurposes,giventheroleofUBSESEFR,and

respectively associated persons employed by UBS ESEFR, to effect SBS Transactions in the

name and for the account of UBS AG,

and therefore,

●

 

wouldnotbemadeinthecontextorwithaviewtoforeignadministrativeorjudicial

proceedings.

3.5

 

In this context, webelieve that the BlockingStatute should not prevent theprovision and sharing by

UBS ESE FR toUBS AG, LondonBranch, of theCovered Books andRecords held inFrance by UBS

ESE FR in relation to the SBS Transactions.

29

 

 

See Article R. 613

-

34 of

the MFC.

 

 

 

 

 

15

 

Potential sanctions

3.6

 

Breaches tothe BlockingStatute maylead tocriminal sanctions,of upto6 months’imprisonment

and/or a fine of up to EUR 18 000 for individuals or a fine of up to EUR 90000 for entities.

3.7

 

A risk of civillitigation may alsoarise where partiescould evidence adirect link ofcausation between

the violation of the Blocking Statute and the damages they have suffered.

4.

 

PRIVACYAND HUMAN RIGHTS

4.1

 

Article 8 of theEuropean Convention on HumanRights (

ECHR

) confers ageneral right to “

respect

for his private andfamily life, his homeand his correspondence

”. This right isdirectly applicable in

theFrance

.

32

 

Therighttoprivacyclearlyappliestonaturalpersons.However,inFrance,iflegal

persons have a rightto see theircorrespondence protected, only natural personscan rely on /benefit

from a right to privacy

33

.

4.2

 

Article 8 ECHRdoes not initself give riseto a free-standingcause of action– instead anaction arising

from a wrongful act,a breach of agreementor other legal obligation,such as under theGDPR, must

be brought, and the court will then be obliged to consider the applicationof Article 8 ECHR.

4.3

 

Article 8 ECHR is, as it were, the fundamental legal foundation onwhich the GDPR has been based.

The GDPR elaborateson the applicableprinciples of andthe rules on theprotection of naturalpersons

when itcomes toprocessing ofpersonal data.

34

The ECHRcan furtherbe reliedupon wheninterpreting

theseGDPRprinciplesandrulesifnecessary.TheGDPRcanthereforebeseenastheregulation

detailing the right laid down in Article 8 ECHR, when it comes to the processingof personal data.

Application and exceptions

4.4

 

There shall be no interferenceby a public authority withthe exercise of the rightto respect for private

and family life,his home andhis correspondence, exceptin situationswhere the specificconditions

set out under Article 8(2) ofthe ECHR are met. Article8 is therefore a qualified right,meaning that it

can be breached in accordance with Article 8(2) – that is, where doingso is:

(a)

 

in accordance with the law;

Thiscriterionhastwoaspects:themeasurecomplainedaboutmusthavesomebasisin

domestic law,and secondly,that thedomestic lawhas tobe sufficientlyprecise sothat an

individual can foresee with a reasonable degree of certainty theconsequences of their actions

or the circumstances in which the authority may take a particular courseof action.

35

 

(b)

 

is necessary in a democratic society;

This criterionis intendedto ensurethe proportionalityof anintrusion intoprivate life.To meet

this criterion, there must be a “

pressing social need

” for the interference, and the interference

must be proportionate to that need.

36

and

(c)

 

in the interestsof national security,public safety or theeconomic well-being of thecountry,

forthepreventionofdisorderorcrime,fortheprotectionofhealthormorals,orforthe

protection of the rights and freedoms of others (i.e. a legitimate aim).

32

 

 

Article 9 of the French Civil Code and Article 226

-

15 of the French Criminal Code

 

33

Cour de Cassation (French Supreme Court), Civ 1ère, 17 March 2016

 

34

 

 

See also Whereas (1) and (2) GDPR.

 

35

 

 

Malone v UK [1984] ECHR 10 at 68.

 

36

Dudgeon v UK

(1982) 4 E.H.R.R. 149 at 164.

 

16

Thiscriterionisintendedtoensurethatthepurposeofanintrusionintoprivatelifeis

adequately serious so as to justify the intrusion.

 

 

 

 

 

17

 

ANNEX 2

 

ASSUMPTIONS

This opinion relies on the following assumptions:

1.

 

In the context of the SBS Transactions, UBS ESE FR will provide investment services in accordance

with all applicable French laws and regulations.

2.

 

UBS AG hasa “prudential regulator”as defined bySection 3 ofthe US SecuritiesExchange Act of

1934(the

Securities ExchangeAct

).Assuch,theCovered BooksandRecords consideredinthis

opinion are limited to what a prudentially regulated SBSD must be able toshare with the SEC.

3.

 

Additionally, in accordance with SEC Guidance at85 FR 6297, books and records pertaining to SBS

Transactions entered into prior tothe date that UBSAG submits an applicationfor registration are not

Covered Books and Records.

4.

 

Where transfersof personaldata aremade byUBS ESEFR toUBS AG,London Branch,in theabsence

of an adequacy determination, such disclosure will be made in compliance with Articles 44

et seq

. of

the EUGDPR and limitedto whatis necessary forthe purposeof thetransfer (i.e. compliancewith

theprincipleofdataminimisation,e.g.byapplyinglessintrusiveprocessingactivitiessuchas

redaction).

5.

 

UBS AG or, asthe case maybe, UBS ESEFR has obtained anynecessary prior consentof the persons

(e.g

.

,counterparties,employees)whoseinformationisorwillbeincludedinCoveredBooksand

Records, to the extent, as considered in this opinion, such consent would constitute valid consent and

such consent has notbeen withdrawn. Insofar as Covered Booksand Records relate to employeesof

UBSESEFR,suchemployeesare“associatedpersons”

37

ofUBSAGforpurposesof17CFR§

240.18a-5(b)(8).

6.

 

Similarly,UBSESEFRwillensurethatitsdisclosuresarecompliantwiththedataprotection

principles set out in Article 5 of the EU GDPR and the French DPA

38

.

7.

 

All termsof businessentered intoby UBSAG, LondonBranch withits clientsthat areUS Person

counterpartiesconductingSBSTransactionscontainclearstatementssuchthatcounterpartiesare

awarethatthattheirdatamaybesharedwithUBSgroupaffiliatesforthepurposesofclient

managementandthatregulatoryoversightwillbeexercisedbyregulatoryauthoritiesandthat

information regarding their transactions, including their personal data, canbe disclosed to regulatory

authorities(forexample,clause10ofthetermsofbusinessforprofessionalclientsandeligible

counterparties (March 2019)

39

).

8.

 

UBS AGand UBSESE FR donot includethe informationdescribed in 17C.F.R. §§.18a-5(b)(8)(i)(A)

through(H)or240.18a-5(a)(10)(i)(A)through(H),asthecasemaybe,inquestionnairesor

applications for employment executed by an associated person who is not a US Person (as defined in

17C.F.R.§240.3a71-3(a)(4)(i)(A)),unlessUBSAGorUBSESEFRarerequiredtoobtainsuch

information underapplicable lawinthe jurisdictionin whichthe associatedperson isemployed or

located or obtains such information in conducting a background check that is customaryfor UBS AG

orUBSESEFRinthatjurisdictionandthecreationormaintenanceofrecordsreflectingthat

information would notresult in aviolation of applicablelaw in thejurisdiction in whichthe associated

person is employed or located.

37

 

 

We do not give any views regarding this assumption.

 

 

38

 

 

These principles are set out in

at section 1.

39

 

 

Available at:

 

https://www.ubs.com/global/en/investment-

bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZ

W50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZ%20GY=/terms-of-business.pdf

.

 

 

18

 

9.

 

The SEC will,as a matterof practice, restrictits information requeststo UBS AG,London Branch for,

and use of, any information pursuant to its access toUBS AG, London Branch’s Covered Books and

Records andOn-Site Inspections ofUBS AG, LondonBranch toonly theinformation that theSEC

requires for thelegitimate and specificpurpose of fulfillingits regulatory mandateand responsibilities

by evaluating compliance with legal obligations designed to ensure the properlegal administration of

SEC-regulated firms(which includesregulating, administering, supervising,enforcing andsecuring

compliance with the securities or derivatives laws in its jurisdiction).

10.

 

Information, dataand documentsreceived bythe SECare,as amatter ofpractice, maintainedina

secure mannerand, understrict USlaws ofconfidentiality,information about individualscannot be

onwardsharedsaveforcertainusespubliclydisclosedbytheSEC,includinginanenforcement

proceeding, pursuantto avalid andnon-exempt USFreedom ofInformation Act(

FOIA

) request,

40

 

pursuant to a lawful request of the US Congress or aproperly issued subpoena, or to other regulators

who have demonstrated a need for the information and provide assurancesof confidentiality.

40

 

 

Wedo notgive anyviews inthe opinionto mattersof USlaw,though weunderstand thatinformation canbe

made publicpursuant to

requests underthe USFOIA,and thatcertain informationis exemptfrom suchrequests, including(among others):(1) atrade secretor

privileged or confidential commercial or financial informationobtained from a person; (2) apersonnel, medical, or similar file therelease

of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the

release of which (a) could reasonably be expected to interfere with law enforcement proceedings;(b) would deprive a person of a right to a

fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarrantedinvasion of personal privacy; (d) could

reasonablybeexpectedtodisclosetheidentityofaconfidentialsource;(e)woulddisclosetechniques,procedures,orguidelinesfor

investigations or prosecutions;or (f) couldreasonably be expectedto endanger anindividual's life orphysical safety; (4)contained in or

related to examination, operating, or condition reports about financialinstitutions that the SEC regulates or supervises.