UBS AG London Branch
5 Broadgate
London
EC2M 2QS

Allen & Overy - Studio Legale Associato
Via Ansperto 5, 20123 Milan, Italy
Tel +39 02 2904 91
Fax +39 02 2904 9333
Corso Vittorio Emanuele II 284, 00186 Rome, Italy
Tel +39 06 6842 71
Fax +39 06 6842 7333
Our ref 0010023-0022577 EUO2: 2001685421.2
22 October 2021
Dear Madam/Sir
 
UBS AG SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD [1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 to 3.5 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).
 
 
[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
 
STUDIO LEGALE ASSOCIATO
Partner: Craig Byrne (1,2); Avv. Livio Bossotto; Avv. Giovanni Gazzaniga; Avv. Paolo Ghiglione; Avv. Massimo Greco; Avv. Dott. Comm. Francesco Guelfi; Avv. Paolo Nastasi; Avv. Pietro Scarfone (1); Avv. Stefano Sennhauser; Avv. Cristiano Tommasi
Counsel: Avv. Luca Amicarelli; Avv. Pietro Bellone; Avv. Juri Bettinelli; Avv. Nunzio Bicchieri; Lisa Curran (1,3); Avv. Emilio De Giorgi; Frederic Demeulenaere (1); Avv. Emiliano La Sala; Avv. Alessandra Pala; Avv. Amilcare Sada
1 Solicitor, England and Wales
2 Barrister and Solicitor, British Columbia
3 Barrister and Solicitor, Ontario
Milan Office: Via Ansperto 5; 20123 Milan (tel +39 02 2904 91; fax +39 02 2904 9333)
Rome Office: Corso Vittorio Emanuele II, 284; 00186 Rome (tel +39 06 6842 71; fax +39 06 6842 7333)
Studio Legale Associato is affiliated with Allen & Overy LLP, a limited liability partnership in England and Wales.
Allen & Overy or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Dusseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, Sao Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
 
 
1.3 UBS Europe SE is a credit institution incorporated in Germany and subject to prudential supervision by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin). UBS Europe SE is authorised to provide services in Italy (among other jurisdictions). Associated persons of UBS AG located in Italy who effect SBS transactions on behalf of UBS AG will be employed by the Italian branch of UBS Europe SE (UBS ESE IT) [2]. Accordingly, UBS ESE IT will maintain certain Covered Books and Records in Italy on behalf of UBS AG. You have asked us to issue an opinion affirming that (a) UBS AG London Branch will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE IT in Italy on its behalf and (b) UBS ESE IT can submit to On-Site Inspection by the SEC of UBS AG’s Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph 1.2 above. [3]
 
1.4 This opinion is structured as follows:
(a) Section 2: Summary of opinion;
(b) Section 3: Scope, assumptions and qualifications;
(c) Section 4: Revisions to applicable law;
(d) Section 5: Reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.

1.5 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBS ESE IT, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that, subject to all the conditions set out in this opinion, as a matter of applicable Italian law:

2.1 UBS ESE IT can submit to On-Site Inspection by the SEC. There is no restriction on UBS ESE IT submitting to On-Site Inspection by the SEC [4]. The remainder of this opinion focuses on UBS ESE IT’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Italy and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.

2.2 UBS ESE IT can provide the SEC with prompt access to Covered Books and Records held by UBS ESE IT in Italy either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Italy. [5]
 
 
 
[2] Please see Assumption 13 set out in Annex 2.

[3] In accordance with Assumption 9 in Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE IT to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London branch to the SEC.

[4] Please see Footnote 48 below.

[5] Where a restriction on the ability to transfer personal data or to disclose confidential information applies as a matter of Italian rules on data protection, confidentiality obligations and bank secrecy, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption 6.
 
 
0036335-0000808 UKO1: 2005583510.12
 
 
 
Data Protection [6]

2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE IT’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the EU has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, which would be available to UBS ESE IT were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Italy.

2.4 We anticipate that the legitimate interest and consent legal bases for processing are likely to be the most likely applicable grounds under the GDPR to enable disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to permit On-Site Inspection.
 
Duties of confidentiality under Italian civil law applicable to contracts
2.5 By way of general principle, Italian civil law does not expressly provide for specific confidentiality requirements applicable to the parties of a contract governed by Italian law or for a standard model of confidentiality agreements. In particular, and in contrast to requirements applying to other types of contracts (e.g., purchase or service agreements), neither the Italian Civil Code nor other related civil laws provide for pre-determined effects and consequences arising from the execution of a confidentiality agreement or specify the scope of the obligations arising therefrom.

2.6 In the absence of a specific legal framework or restrictions imposed by Courts’ precedents, parties to a non-disclosure or a confidentiality agreement are generally free, in principle, to agree the scope and terms and conditions of any obligation in that respect.

2.7 Given the above, from the sole perspective of confidentiality duties applicable to the parties under Italian contract law, the transfer of data from UBS ESE IT to the SEC would be possible provided that contractual arrangements in place with clients either allow such dissemination of information, or the transfer is consented to, from time to time, by clients themselves, so that UBS ESE IT is not in breach of any contractual arrangement arising from a non-confidentiality/non-disclosure clause, absent possible exemptions. This is without prejudice to the remarks set forth under Section 2.8 below as regards the Italian bank secrecy rules.
Bank secrecy
2.8 Despite the absence of a specific bank secrecy regime in Italy, the duty to keep customers’ data confidential within the provision of financial services stems from statutory obligations on “professionals” (including bankers) and civil law which provides that market practices such as the duty of confidence, which is widely accepted and complied with by Italian financial institutions, including Italian branches of foreign institutions operating in Italy, form legally binding obligations. The breach of confidentiality obligations may entail a liability for the bank towards its customers unless the customer has given consent to the disclosure or an exemption applies (e.g. a “just cause” for disclosing the information). There is no definition of “just cause” under Italian law; however, in general terms, this could be considered as a set of circumstances that legitimate the disclosure of confidential information, such as the existence of a legislative provision or an order from an authority imposing the disclosure.
2.9 The duty of confidentiality would likely apply to UBS ESE IT in respect of the information contained in the Covered Books and Records described at paragraph 3.3(a) below, insofar as that information relates to UBS ESE IT’s clients and is not information owned by or relating to UBS ESE IT itself. As such, in principle UBS ESE IT may not provide such information to third parties unless it gets the Rights Holder’s consent or is able to rely on a just cause.

[6] Please refer to section 1 of Annex 1 for definitions of Data Protection Laws and the GDPR.
 
2.10 As regards the ability of UBS ESE IT to rely on just cause to disclose information to the SEC, under the Memorandum of Understanding entered into between the CONSOB [7] and the SEC on 22 December 2020 (the CONSOB MoU) [8], it is expressly envisaged that the SEC may conduct On-Site Inspection at UBS ESE IT according to the provisions of the CONSOB MoU. Moreover, despite the lack of specific / express provisions in this respect, we consider that a direct request of information from the SEC to UBS ESE IT or UBS AG should be consistent with the terms of the CONSOB MoU. As such, in principle a request of information from the SEC (whether directly or through On-Site Inspection as per the terms of the CONSOB MoU) should constitute a just cause for disclosure. The Memorandum of Understanding entered into by the SEC and the European Central Bank (ECB) [9] (the ECB MoU) [10] contemplates similar provisions to the CONSOB MoU.

2.11 In the absence of a specific exemption, UBS ESE IT may rely on consent from Rights Holders.
Privacy and Human Rights
2.12 Protection for the general fundamental right to “respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in Italy. Actions in respect of Article 8 of the ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the Data Protection Laws.
 
2.13 Article 8 ECHR is, as it were, the legal foundation on which the GDPR has been based. The GDPR is detailing the fundamental right laid down in Article 8 of the ECHR. Thus, Article 8 ECHR and the GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE IT falls entirely within the scope of and is in compliance with the Data Protection Laws, we consider the general fundamental right set out in Article 8 of the ECHR will be protected.

2.14 This summary opinion is not a substitute for the full expression of our views set out in Annex 1.

3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE IT in Italy and On-Site Inspection of UBS ESE IT by the SEC in Italy. The restrictions noted under this opinion apply equally to remote access from the US to Covered Books and Records held in Italy. This opinion excludes books and records held in the US.
 
 
 
[7] Commissione Nazionale per le Società e la Borsa (i.e. the Italian securities and exchange regulator). The CONSOB is competent for supervising firms operating in Italy in relation to the performance of investment services and dealing in financial instruments.

[8] Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to market oversight and the supervision of covered firms. Available here in English: https://www.consob.it/documents/46180/46181/MOU_Consob_Sec_20201222.pdf/bae3b1d6-3ef6-438b-bba0-0b7943cce7a8.

[9] As UBS Europe SE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.

[10] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf). We consider that it is not completely clear whether the ECB MoU would be applicable in this scenario, as we assume that the receiving entity of the SEC request (UBS AG London branch, which is also the entity seeking to register as SBSD) is not subject to the supervision of the ECB. However, the existence of the ECB MoU might be considered as an element that could confirm that the EU accepts that the SEC has a duty to regulate SBS markets and may need to access information, including personal data, maintained by financial institutions located in the EU for this purpose.
 
 
3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion covers data relating to:
(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE IT) and US Person counterparties [11], insofar as this data is held on behalf of UBS AG by UBS ESE IT (e.g. voice recordings and client communications [12]) (these transactions will be concluded by staff of UBS ESE IT acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and
(b) the activities of the staff of UBS ESE IT pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).

This opinion only covers transactions entered into by UBS AG where UBS ESE IT is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE IT and its own counterparties (even though UBS ESE IT may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).
3.4 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business [13] of the non-resident SBSD. [14] These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4) [15] (US Person) (other than an SBS conducted through a foreign branch of such US Person [16]); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the US (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office; [17] or
 
 
[11] Please see Assumption 13 set out in Annex 2.

[12] Legal analysis from local data protection and/or employment law perspective on possibility to record voice calls and/or monitor communications with a client is excluded from the scope of this opinion – please see the Assumption 12 set out in Annex 2.

[13] As defined in 17 CFR § 240.3a71-3(a)(8).

[14] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).

[15] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

[16] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).

[17] 17 CFR § 240.3a71-3(a)(8)(i)(B).
 
 
 
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable. [18]

3.5 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.4(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.8 No opinion is expressed on matters of fact. The advice provided in this opinion is limited to the matters expressly dealt with herein and does not cover other matters.
4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules [19] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of Italy and European Union (EU) law that is directly applicable in Italy (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
 
 
 
[18] The requirement set out in this paragraph 3.3(b) does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see the Assumption 1 set out in Annex 2.

[19] 17 CFR § 240.15Fb2-4(c)(2).
 
 
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
Yours faithfully,

Allen & Overy - Studio Legale Associato

 
ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (GDPR), the General Data Protection Regulation 2016/679 and its local implementation, the Legislative Decree no. 196/2003, as amended in 2018 (the Privacy Code) and guidelines and decisions issued by the Italian Data Protection Authority (the Garante per la Protezione dei dati personali, the Garante) (together, the Data Protection Laws) will apply to UBS ESE IT’s disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE IT staff as well as clients.

1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE IT’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the Data Protection Laws relating to UBS ESE IT’s ability to disclose personal data to the SEC are set out below.
Legal basis for the disclosure
1.4 UBS ESE IT requires a legal basis under Article 6 of the GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please see section 2 below). Whilst there are a number of Article 6 legal bases on which UBS ESE IT may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE IT will need to consider the most appropriate legal basis to apply to any given situation.

1.5 The Article 6 legal bases most applicable to UBS ESE IT, together with their respective limitations, are as follows:
(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes. [20]
(b) Processing is necessary for the performance of a contract to which the data subject is party (Article 6(1)(b)): this legal basis could be used by UBS ESE IT to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC depending on type of agreements in place between UBS AG London Branch and UBS ESE IT about execution by personnel of the latter of SBS transaction on behalf of UBS AG London Branch. In any event, however, reliance on this basis would not exempt UBS ESE IT from assessing any onward transfer of data to the SEC [21].

[20] As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE IT staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE IT offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE IT also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE IT may be able to rely on an alternative basis for disclosure (e.g. the legitimate interest). In this respect, it could be worth mentioning EDPB’s guidelines on consent under regulation 2016/679, adopted on 4 May 2020, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Please note that valid consent is assumed at Assumption 4 of Annex 2.
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE IT is subject (Article 6(1)(c)): In order to take advantage of this legal basis, the legal obligation with which UBS ESE IT would be required to comply should be the result of a local or EU law or regulation, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE IT as the person subject to it. [22]
In the context of this legal basis for processing, an SEC request in the absence of an Italian or EU legal requirement (e.g. a lawful request from the Bank of Italy or the CONSOB in the exercise of its powers as provided by mandatory laws and regulations) would not justify the disclosure as being necessary for compliance with such an obligation.
We further note that neither the CONSOB MoU nor the ECB MoU create any legally binding obligations. [23]
 
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): as per the previous legal basis, the task carried out in the public interest should be linked to the Italian or EU law in order for UBS ESE IT to be able to rely on it. Indeed, as mentioned by consideration no. 45 to GDPR, “it should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association”. In this respect, however, Italian scholars consider that this legal basis is mainly aimed at justifying data processing only and exclusively by Italian or EU public authorities, in accordance with provisions of the Data Protection Code.
(e) Legitimate interests (Article 6(1)(f))[24]: This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE IT, as data controller, must:

(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;

(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and

(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own.

If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE IT or the third party.
[21] Please see paragraph 1.13 and subs below in this respect.

[22] Recital 41 GDPR.

[23] Article II, par. 13 of the CONSOB MoU and Article II paragraph 27 of the ECB MoU.

[24] With respect to the existence of a legitimate interest as a legal basis for processing of data, please consider conditions set out by the Garante on 22 February 2018 (available here https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/8080493, in Italian only) according to which any data controller, before deciding to rely on such legal basis, should, inter alia, and on top of the measures indicated in points (i) to (iii) of this paragraph, perform in advance a data protection impact assessment pursuant to article 35 GDPR, considering specific factors and circumstances.
 
 
 
An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBS ESE IT would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.
The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE IT may argue that its interests are not outweighed by those of its clients or its employees on the basis that:
(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, being disclosed to the SEC; and
(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.
In addition, while focused on the relationship between the SEC and the CONSOB, the existence of the CONSOB MoU arguably reflects an acceptance in Italy that the SEC has a duty to regulate SBS markets and may need to access information maintained by financial institutions located in Italy for this purpose. This argument is further supported by the ECB MoU, which similarly reflects an understanding of the SEC’s duties and an acceptance regarding the need for information, including personal data, to be provided to the SEC.
Also relevant to this balancing of interests is that:

(1) the SEC will restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[25] and

(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[26]
 
 
 
[25] Please refer to Assumptions 5 and 7 in Annex 2, as well as Article II and paragraph 49 of the ECB MoU.

[26] Please refer to Assumption 8 in Annex 2, as well as Article VI of the CONSOB MoU and paragraph 56 of the ECB MoU.
 
 
 
As with the public interest basis, individuals have the right to object to processing under this legitimate interest basis.[27]

Based upon the above, the legitimate interests and consent bases for processing (provided that all requirements for each of such two legal bases are met) are likely to be the most appropriate Article 6 grounds on which UBS ESE IT could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
1.6 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE IT might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US person.[28] However, to the extent that this does occur, in addition to an Article 6 legal basis, UBS ESE IT will need to establish an additional legal basis for processing under Article 9 of the GDPR if it discloses special categories of data to the SEC. In this respect, other than a valid consent[29], the Article 9 legal basis that is most likely to apply to disclosure of Covered Books and Records is found in Article 9(2)(f): processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
1.7 Similarly, as set out for special categories of personal data, UBS ESE IT’s processing of personal data relating to criminal convictions and offences of its employees is highly restricted and can only be disclosed subject to specific conditions being met. In this respect, it needs to be flagged that article 8-octies of the Privacy Code, as amended by Legislative Decree no. 101/2018 following the entry into force of GDPR and implementing Article 10 of the GDPR provides that processing of criminal data by controllers that are not a “public authority”[30], must be made in line with provisions of applicable law, or specific regulation, to be made considering certain criteria set out by the same article 8-octies. In its opinion issued on 24 June 2021[31], the Garante gave its approval to a scheme of regulation drafted by the Italian Ministry of Justice, to set out terms and conditions for processing criminal data by non-public authorities. Further to such opinion, no regulation has been approved as yet.

However, paragraph 3 of the abovementioned article 8-octies seems to allow processing of criminal data in some specific circumstances. In our opinion, the exemptions most likely to apply to disclosure of Covered Books and Records are those under points: (c) verifying or ascertaining the integrity requirements, subjective requirements and disqualification conditions in the cases provided for by laws or regulations; (e) the ascertainment, exercise or defence of a right in court; or (m) the fulfilment of the obligations established by the regulations in force concerning the prevention of the use of the financial system for the purpose of money laundering and terrorist financing.

In this respect, however, and also considering the very unclear wording of such article 8-octies, par. 3 of the Privacy Code, the scope and validity of the abovementioned provision is debated by Italian scholars in light of the lack of a regulation made by the Ministry of Justice, as said, not yet approved, and which is supposed to set out, inter alia, guarantees to rights and freedom of data subjects.
[27] Article 2(1), GDPR.
 
 
[28] As we understand, is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).

[29] Article 9(2)(a) GDPR; please also refer to the discussion of consent at footnote no 12 above.

[30] By “public authority”, it is intended any Italian public authority. Data processing by public authorities is subject to a different set of rules (namely, EU regulation 2016/680, implemented in Italy by the Legislative Decree 51/2018).

[31] Opinion available here at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9682603, in Italian only.
 
 
 
Data protection principles

1.8 In addition to establishing a legal basis for the disclosure, UBS ESE IT would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the GDPR. For example, UBS ESE IT must:

(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided in advance with fair processing information (usually in the form of a privacy notice or statement);

(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;

(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;

(d) ensure that the data is accurate and, where necessary, kept up to date;

(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and

(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
1.9 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE IT to verify this and implement its own compliance measures.
International transfers

1.10 The general principle in the GDPR is that UBS ESE IT may not transfer personal data to a jurisdiction outside the European Economic Area, unless it can satisfy a condition for the transfer as set out in its Chapter V.

1.11 Article 45 of GDPR allows for UBS ESE IT to transfer personal data to a recipient outside the EEA where the transfer is based on adequacy decisions issued by the EU Commission. In this respect, on 16 July 2020 the Court of Justice of the European Union invalidated the Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement. The judgment upheld the validity of standard contractual clauses to allow data transfers under the GDPR, but requires data controllers to assess the level of data protection in the recipient’s country and to adopt “supplementary measures” if needed.
1.12 For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[32] allows transfers of personal data from the EEA, including Italy, to the UK to be made freely. Any transfer from UBS ESE IT to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the GDPR).
[32] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.

1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the GDPR any onward transfer of UBS ESE IT’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the UK addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR[33] and UK Data Protection Act 2018 is “in substance identical” to the transfer regime under the GDPR.[34] The primary options available under GDPR to UBS AG London Branch pursuant to this GDPR restriction applicable to UBS ESE IT when disclosing personal data contained in UBS ESE IT’s Covered Books and Records to the SEC in the US are as follows:
(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE IT’s Covered Books and Records to the SEC. These derogations include:[35]

(A) Consent: according to the FAQs published by the EDPB following the abovementioned decision of the Court of Justice of the European Union on 16 July 2020[36], consent should be (i) explicit, (ii) specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place even if this occurs after the collection of the data has been made), and (iii) informed, particularly as to the possible risks of the transfer (meaning the data subject should also be informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented).[37]
 
(B) Legitimate interests: Article 49, par. 1 of the GDPR makes clear that a data transfer on the basis of legitimate interests may only take place if (i) the transfer is not repetitive, (ii) the transfer concerns only a limited number of data subjects, (iii) the transfer is necessary for the purposes of compelling legitimate interests pursued by UBS ESE IT, (iv) UBS ESE IT’s legitimate interests are not overridden by the interests or rights and freedoms of the Rights Holder, (v) UBS ESE IT has assessed all the circumstances surrounding the transfer, and (vi) UBS ESE IT has, on the basis of that assessment, provided suitable safeguards with regard to the protection of data.

UBS ESE IT must also ensure it applies the ‘necessary’ test to ensure that only the personal data necessary for the SEC’s purposes is transferred[38].

UBS ESE IT should not rely on any of the derogations for making transfers on a large scale and/or in a systematic manner, and their use must be considered on a case-by-case basis for separate requests of the SEC, with UBS ESE IT keeping records of the transfers that evidence the careful analysis that led them to rely on that derogation.
(b) Public local authorities route: In certain situations, for example where UBS ESE IT considers the transfer of data to UBS AG London Branch for the purpose of providing information to the SEC to be high risk, it may be possible to arrange for the disclosure to be made to local authorities, which could then transfer the data to the SEC in the US.
 
 
 
[33] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.

[34] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
 
[35] These derogations should not be considered a blanket approval for UBS ESE IT to transfer data to the SEC under this basis.

[36] Also adopted by the Italian DPA and available in Italian on its website at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9443857

[37] Please note that valid consent is assumed in Assumption 4 of Annex 2.

[38] Please also refer to par. 1.5(d) and footnote no. 14.
 
 
 
In this respect, please refer to our paragraph 3.14 below regarding the MoU in place between the SEC and CONSOB as well as the “Administrative arrangement for the transfer of personal data” between each of the EEA Authorities and the SEC (among other non-EEA authorities)[39], setting out safeguards and restrictions applicable to transfer of data between authorities, as well as the opinion issued by the European Data Protection Board (EDPB) on 12 February 2019, no. 4.[40]
 
1.14 Mere access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE IT effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
2. DUTIES OF CONFIDENTIALITY UNDER ITALIAN CIVIL LAW

Italian civil law applicable to contracts

2.1 By way of general principle, Italian civil law does not expressly provide for specific confidentiality requirements applicable to the parties to a contract governed by Italian law or for a standard model of confidentiality agreements. In particular, in contrast to requirements that are applicable to other types of contracts (e.g., purchase or service agreements), neither the Italian Civil Code nor other civil laws provide for pre-determined effects and consequences arising from the execution of a confidentiality agreement or specify the scope of the obligations arising therefrom.
2.2 There are very limited Courts’ precedents in this context, since this is a matter which Courts have rarely debated. In any event, pursuant to article 1322 of the Italian Civil Code, parties to an agreement are free to determine the content of an obligation within the limits imposed by applicable law and to the extent that such obligation is aimed at achieving an interest deserving protection by the legal system.
2.3 There are, however, some cases in which Italian law provides for some general confidentiality obligations, by listing duties of confidentiality of employees in favour of their employers (in article 2105 of the Italian Civil Code), or by describing the scope of the breach of a company’s secrets in the context of unfair competition (article 98 of legislative decree no. 30/2005, so-called Code of the Industrial Property).
2.4 In the vast majority of cases, however, the obligation not to disclose some information and/or not to use or to limit the use of certain information, is agreed among parties by setting out specific covenants or clauses, which can be independent from other agreements or connected to and dependent on other arrangements.
2.5 In absence of a specific legal framework or restrictions imposed by Courts’ precedents, in principle parties to a non-disclosure or a confidentiality agreement, are generally free[41] to agree, among other matters, (i) what information is and is not covered by the covenant; (ii) if there are some exceptions to the confidentiality obligations (e.g., whether some information can be disclosed to certain third parties); (iii) whether this is fixed-term or open-ended; (iv) if information covered by the contractual restrictions can be used by the bound party (e.g. in the context of a due diligence process) or not, and to what extent.
2.6 In order for a non-disclosure agreement to be valid under Italian law, the reason why two or more parties are executing the agreement does not generally matter.
 
 
 
[39] To which SEC is signatory as from 10 May 2019 and CONSOB from 7 June 2019. Text available at the following link https://www.iosco.org/about/?subsection=administrative_arrangement.

[40] Available at the following link https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-42019-draft-aa-between-eea-and-non-eea_en.

[41] Parties are bound by the limits envisaged by Article 1322 of the Italian Civil Code (please see Section 2.2 above).
 
 
Penalty clause

2.7 Parties are generally free to include in confidentiality/non-disclosure agreements some penalty clauses, in order to further secure the obligation.

2.8 In this respect, however, it is relevant that, pursuant to article 1384 of the Italian Civil Code, Courts have the power to reduce to an equitable sum the amount to be paid by way of penalty by a party in breach of its confidentiality obligations, in the event that such amount is deemed openly exaggerated in relation to the overall value of the obligation and the interests at stake.
Consent

2.9 Disclosure of confidential information is permissible where the disclosing party has given their consent to the disclosure of their confidential information to certain or, in general pre-determined, third parties. Please note that we have assumed at Assumption 4 of Annex 2 that UBS ESE IT has validly obtained, or will validly obtain, such consent as is necessary for such disclosure of confidential information.

2.10 Lists of third parties to whom information can be disclosed can be also set out in advance in the agreement or agreed from time to time.
Compulsion of law

2.11 Information that would otherwise be confidential may be disclosed when required by a statutory provision or court order. Indeed, as mentioned, parties are free to determine content of an obligation, to the extent that it is in compliance with the legal framework.

2.12 By way of example, with decision dated 14 March 2018, the Civil Court of Milan stated that a shareholder of a company who, at the same time, is not its director has the power granted by article 2476 of the Italian Civil Code to inspect and have access to corporate documents, notwithstanding the existence of a non-disclosure agreement among the other shareholders.

2.13 Similarly, with a recent decision on 2 August 2021, the Administrative Court of Rome stated that access right to documentation of public interest granted by Italian laws to citizens under specific circumstances prevails over the existence of a confidentiality agreement among the private parties that drafted such documentation.
2.14 To satisfy this compulsion of law exception it is likely that UBS ESE IT would have to rely on an Italian (or an EU) statute – a provision of US law, such as an SEC Rule, is unlikely to be sufficient for this purpose.

2.15 Equally, a US court order is also unlikely to be sufficient for this purpose, unless this order is properly recognised by the Italian legal system according to ordinary civil or criminal procedure rules in place from time to time.

2.16 Please note that the remarks set forth above are without prejudice to the principles and requirements applicable under the Italian banks secrecy rules (please see Section 3 below and in particular paragraph 3.5 and ff. below).
3. BANK SECRECY

Bank secrecy under Italian Law

3.1 There is no specific bank secrecy regime under Italian law, meaning that under the Italian banking and financial laws there is not a separate set of statutory provisions which specifically set forth strict bank secrecy requirements applicable to financial institutions (such as banks) operating in Italy. In particular, under Italian banking and financial laws there are no statutory provisions setting forth (i) an express or strict obligation for banks to keep the information acquired within the performance of banking or financial services confidential, (ii) the conditions under which the disclosure of customers’ information may be allowed, and (iii) the exemptions from the conditions under (ii) above.
3.2 Nonetheless, a duty of confidentiality is considered by the Italian Courts and legal theory as an implied term of the contract between banks (or other financial institutions) and their customers. In particular, such duty of confidentiality is based on certain general rules of Italian law including:

(a) Article 622 of the Italian Criminal Code which imposes a general secrecy obligation on professionals (segreto professionale i.e. “professional secrecy”) by providing criminal sanctions for those professionals who, being aware of certain confidential information due to the performance of their office, disclose such secrets to third parties, save where they act pursuant to a “just cause” (giusta causa). In this context, banks are considered to be “professionals”;

(b) Articles 1(4) and 8 of the introductory provisions to the Italian Civil Code (“Preleggi”) provide that “usages” (usi, i.e. customary market practices) are considered as a legal source of rights and obligations in matters which are not governed by specific laws or regulations. The existence of a duty to keep customers’ data confidential within the provision of financial services is widely accepted and complied with by Italian financial institutions, including Italian branches of foreign institutions operating in Italy[42], and the general market practice is to acquire the customer’s prior written consent before disclosing its information to third parties. In our view this practice forms a “usage” that is binding upon the parties to a contract pursuant to Article 1374 of the Italian Civil Code; and

(c) Articles 1175 and 1375 of the Italian Civil Code which set forth the principles of fairness and good faith in the execution of a contract.
3.3 In addition, we consider that the general duty of confidentiality for banks may be grounded on the rule which imposes on banks an obligation to act according to the principle of fairness when providing banking or financial services to clients, as envisaged under the Italian banking transparency regulation[43].
3.4 Given the absence of statutory provisions setting forth a specific bank secrecy regime in Italy, the scope of the bank secrecy obligations currently remains within a grey-area under Italian law. In principle the duty of confidentiality should apply to any client’s information which is not already public. As the information contained in the Covered Books and Records is not publicly available, it will likely be qualified as confidential information insofar as that information relates to UBS ESE IT’s clients and is not information owned by or relating to UBS ESE IT itself. In any case, the restrictions under the Italian bank secrecy regime mentioned herein should not apply if the Covered Books and Records and relevant information do not relate to Italian counterparties.
Consent requirement
3.5 Based on the principles mentioned above, even in the absence of a specific bank secrecy regime in Italy, the breach of the duty of confidentiality may entail a liability for the bank towards its customers unless the customer has given consent to the disclosure or an exemption applies.
 
[42] Despite the absence of specific guidance on the issue, we believe that the bank secrecy principles as set forth in this Section should reasonably apply also to Italian branches of foreign banks, as is the case also for other regulatory conduct-related requirements.
[43] Bank of Italy Regulation of 29 July 2009 as amended from time to time.
 
 
0036335-0000808 UKO1: 2005583510.12
 
 
 
3.6 This entails in practice that by way of general principle, the Rights Holder’s written consent may be required in order for UBS ESE IT to be able to disclose confidential information to third parties (please see below)[44].
 
3.7 Please note that the duty of confidentiality and the related consent requirement do not depend on whether the Rights Holder is a professional or institutional client or a retail client as they should apply to any customer of the bank.
Exemptions from the consent requirement – Just cause
3.8 Based on the general rules mentioned above under paragraph 3.2 of this Annex 1, as a matter of Italian law it should be possible to exclude the need for an express consent from the Rights Holder when the disclosure is justified by a “just cause”.
 
3.9 The principle of “just cause” (as outlined in Article 622 of the Italian Criminal Code mentioned above) would exempt professionals (including banks) that disclose confidential information to third parties from being alleged to have breached the confidentiality obligation. There is no definition of “just cause” under Article 622 of the Italian Criminal Code nor have the Italian courts clarified the scope/meaning of this concept. However, in general terms (i.e. with no specific reference to bank secrecy), this could be considered as a set of circumstances that legitimate the disclosure of confidential information, such as the existence of a legislative provision imposing the disclosure or the order of an authority (e.g. a court order).
3.10 In this respect, we note that under Italian law, banks operating in Italy may be subject to mandatory requests to provide information to supervisory authorities under certain circumstances. In particular, the mandatory nature of such requests may be inferred from certain provisions which envisage the application of sanctions in case of non-compliance with the request of information[45]. We consider that in principle responding to a request of disclosure from an Italian regulator may theoretically be considered as a “just cause” for the disclosure of confidential information.
3.11 However, we cannot exclude that the just cause as per Paragraph 3.10 and 3.11 above could be limited to mandatory requests for information coming from Italian authorities. Indeed, whilst under the Italian banking and financial regulations there are no specific prohibitions or restrictions to the effect that the Italian branch of an EEA bank may not submit to inspections by, or provide documents to, a foreign (e.g. third country) authority, by way of general principle we cannot exclude that under certain circumstances a request for information coming from a foreign authority may be considered as non-binding as a matter of Italian law and thus may not exempt a firm from the confidentiality duties imposed on it under the bank secrecy rules[46]. As such, lacking a specific provision in the context of a bank secrecy regime, it is not clear under Italian law whether a request of information coming from the SEC may be considered as “binding” upon UBS ESE IT and thus as a just cause for the purposes of exempting UBS ESE IT from the requirement to obtain prior consent from the Rights Holder[47].

[44] As mentioned above, based on Assumption 4 we assume that if a consent for the disclosure is required, this will be validly provided by the Rights Holder.
[45] We consider that the “legitimate” nature of the request should be presumed to the extent the request comes from a public authority who has effective supervisory powers on the banks as envisaged under the law.
[46] We note that under the Italian banking and financial regulation, certain provisions envisage the carrying out of on-site inspections by foreign regulators. In particular, pursuant to Article 54 of Legislative Decree No. 385 of 1st September 1993 (the Italian Banking Act) the Bank of Italy may agree with the supervisory authority of a third country the modalities for carrying out inspections at the branches of banks based in the respective countries, on a reciprocity basis. In addition, pursuant to Article 6-ter(8) of Legislative Decree No. 58 of 24 February 1998 (the Italian Financial Act) the Bank of Italy and CONSOB (within the respective areas of supervision) may agree with the supervisory authorities of third countries the modalities for inspections of branches of investment firms or banks located within the respective territories. We consider that these provisions relate to bilateral relationships between the Bank of Italy and CONSOB (on one side) and a third country regulator (on the other side) having as object local inspections within the respective territories but limited to branches of firms based in such territories, in principle including e.g. inspections by the SEC at Italian branches of US banks (or vice versa). Therefore, we consider that these provisions should not be relevant here as the target firm (UBS ESE IT) is not the Italian branch of a US bank. In any case, whilst these provisions empower the Bank of Italy and CONSOB to agree on the modalities for inspections of local branches through an arrangement with the third country regulator (e.g. through a cooperation agreement or memorandum of understanding), such arrangement (or the lack thereof) should not of itself be conclusive to determine the legal basis for the powers of a foreign regulator to be able to carry out said inspections at (or to obtain documents / information from) branches located in Italy. Indeed we assume that we are not required to provide advice on the general ability of the SEC as a prudential regulator to exercise supervisory functions including through local access or inspections (including the carrying out of On-Site Inspection) and to obtain documents and information from firms/branches located in Italy which are under the jurisdiction of the SEC in respect of the provision of services in the US and we assume this matter is out of scope of this opinion. In particular, our analysis as set forth herein focuses on the restrictions applicable to UBS ESE IT for submitting to inspections and providing access to Covered Books and Records and particularly on the issue of whether a request from the SEC to UBS ESE IT may constitute the legal ground in order for UBS ESE IT to be exempted from the duty of confidentiality under the Italian bank secrecy regime.
 
3.12 Moreover, we note that, although not expressly set forth under Article 622 of the Italian Criminal Code, it seems that a pre-condition for a disclosure of information to be in breach of professional secrecy is that said disclosure is made to “third parties”. In this scenario, the Covered Books and Records would be provided by UBS ESE IT to UBS AG London branch (and then sent by UBS AG London branch to the SEC) and, therefore, to another entity of the same group. Based on general principle of Italian financial regulation, entities within the same corporate group are generally not considered as “third parties”. Therefore we consider that, in principle, it might be argued that the duty of confidentiality might not be applicable in this scenario as the disclosure of information would occur at an intra-group level and not towards “third parties”. However, given the absence of a specific exemption for intra-group transfers, we are unable to provide a definitive confirmation that intra-group disclosure of information would be considered as a just cause or an exemption from the requirement to obtain prior consent from the Rights Holder.
3.13 Given the above, consent would therefore provide a more reliable basis on which to provide the SEC access to Covered Books and Records and to submit to On-Site Inspection.
Cooperation agreements entered into by the SEC
3.14 On 22 December 2020, CONSOB and the SEC entered into the CONSOB MoU. The CONSOB MoU is a Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to market oversight and the supervision of covered firms[48].
3.15 Generally speaking, the CONSOB MoU is a “statement of intent to consult, cooperate, and exchange information in connection with the supervision and oversight of Covered Firms that conduct financial services business in either, or both, the United States and Italy”[49].
 
3.16 The CONSOB MoU defines:
(a) Covered Firm as a Person authorized, designated, qualified, registered, or otherwise regulated by, supervised by or subject to the oversight of, one or both of the Authorities [i.e. CONSOB and the SEC], who conducts investment, securities, derivatives, asset management, securities processing, or banking business or participates in securities or derivatives markets (collectively “financial services business”) in either, or both, the United States and Italy[50];
(b) “Covered Firms” as inter alia security-based swap dealers[51];
(c) “Books and Records” as documents, electronic media, and books and records within the possession, custody, or control of, and other information about, a Covered Firm, and which may include personal data[52];
(d) On-Site Visit as any regulatory visit to the premises of a Covered Firm […] for the purposes of ongoing supervision and oversight, including the inspection of Books and Records[53].

[47] In particular, we have not been able to find a specific case law which would clarify whether banks may rely on this “just cause” in order to disclose information to third parties.
[48] Pursuant to Article 4(3) of the Italian Financial Act, the Bank of Italy and CONSOB may cooperate with the authorities of third countries including through the exchange of information (as noted under Footnote 48 above, the Bank of Italy and CONSOB may agree with third country authorities the modalities for local inspections). Please note that according to Article 7(7) of the Italian Banking Act the Bank of Italy may exchange information with the authorities of third countries pursuant to the terms of cooperation agreements concluded with such authorities. We were not able to find a memorandum of understanding entered into by the SEC with the Bank of Italy which is the Italian prudential regulator for credit institutions, with limited supervisory powers on Italian branches of EEA banks. Please see Footnote 48 above.
[49] Paragraph 12 of the CONSOB MoU.
[50] Paragraph 3(a) of the CONSOB MoU.
[51] Paragraph 3(b) of the CONSOB MoU.
3.17 The CONSOB MoU provides for the possibility for the SEC to conduct On-Site Visits of Covered Firms located in Italy, including to inspect, examine, and obtain Books and Records of a Covered Firm directly through such On-Site Visits[54]. An On-Site Visit should be carried out in accordance with Paragraph 28 of the CONSOB MoU, which requires the SEC, inter alia, to notify CONSOB of its intent to conduct the inspection.
3.18 In addition, the CONSOB MoU prescribes that the SEC can submit a “request for assistance” to CONSOB in order to, inter alia, “obtain information not reasonably otherwise available to the Requesting Authority”, which could include also “Information responsive to requests from an Authority, or an entity to which an Authority has delegated registration functions, related to the fitness of an applicant for authorization, registration, or exemption therefrom”. The request for assistance shall be submitted pursuant to Paragraph 22 of the CONSOB MoU.
3.19 The CONSOB MoU does not contain a specific provision setting out the possibility for the SEC to directly request Covered Books and Records when necessary to fulfil its regulatory mandate. However, Paragraph 32 of the CONSOB MoU, in dealing with the permissible use of the information acquired, provides that “The restrictions in this MOU do not apply to an Authority’s use of information that an Authority obtains directly from a Covered Firm, whether during an On-Site Visit or otherwise”.
3.20 In light of the above, despite the absence of a specific provision in the CONSOB MoU granting the SEC the power of directly requesting access to the Books and Records, such possibility does not seem to be restricted by the CONSOB MoU, which sets out remedies (such as the possibility to submit a request for assistance to CONSOB or to carry out an On-Site Visit) in order for the SEC to obtain information not otherwise available to it, including information obtained directly from a Covered Firm. In particular, the CONSOB MoU and the ECB MoU seem to anticipate that the SEC could obtain relevant information from Covered Firms in ways other than through the carrying out of an On-Site Visit pursuant to the terms of the CONSOB MoU and thus do not restrict the ability of the SEC to obtain information in such other ways.
3.21 We consider that this interpretation is consistent with the intent and purpose of the CONSOB MoU which is to facilitate cooperation and exchange of information with the SEC[55]. In addition, we consider that this interpretation is in line with the scope of the CONSOB MoU which should not of itself restrict the general ability of the SEC to carry out On-Site Visits or request information from firms which are under its jurisdiction, in the context of fulfilling its supervisory duties in accordance with US laws[56].
[52] Paragraph 2 of the CONSOB MoU.
[53] Paragraph 7 of the CONSOB MoU.
[54] Paragraph 27 of the CONSOB MoU.
[55] Pursuant to Article II, Section 12 of the CONSOB MoU “This MOU is a statement of intent to consult, cooperate, and exchange information in connection with the supervision and oversight of Covered Firms that conduct financial services business in either, or both, the United States and Italy”.
[56] As mentioned under Footnote 48 above, we consider that the general ability / permission of a foreign regulator to carry out inspections at, or request information from, firms based in Italy should be governed by general international law rules. As such we assume that the SEC is generally able to perform those actions in Italy under applicable international law rules and the CONSOB MoU and ECB MoU (and relevant rights of the SEC thereunder) are consistent with such rules. This statement seems to be confirmed by the provisions of the CONSOB MoU and the ECB MoU. In particular, pursuant to Article II, Section 12 of the CONSOB MoU “The cooperation and information sharing arrangements under this MOU should be interpreted and implemented in a manner that is permitted by, and consistent with, the legal requirements applicable to each Authority”. Pursuant to Article II, Section 13 of the CONSOB MoU “This MOU does not create any legally binding obligations, confer any rights or supersede applicable laws”. In addition, pursuant to Article II, Section 14 of the CONSOB MoU “This MOU is not intended to limit or condition the discretion of an Authority in any way in the discharge of its regulatory responsibilities or to prejudice the individual responsibilities or autonomy of any Authority. This MOU does not limit the ability of an Authority to take measures not described in this MOU in fulfilment of its supervisory and oversight functions or preclude Authorities from sharing information or documents with respect to Persons that are not Covered Firms but may be subject to regulatory requirements in the United States and in Italy. In particular, this MOU does not limit any right of any Authority to communicate with, conduct an On-Site Visit of (subject to the procedures described in Article IV), or obtain information or documents from, any Person subject to its jurisdiction that may be physically located in the jurisdiction of another Authority in accordance with applicable laws”.
 
 
 
3.22 Based on the above remarks, we consider that in principle a direct request of information from the SEC to UBS ESE IT or UBS AG, and the subsequent disclosure of Covered Books and Records by UBS ESE IT to UBS AG London Branch for the purpose of providing information to the SEC, should be consistent with the terms of the CONSOB MoU and implicitly allowed by the CONSOB MoU[57].
3.23 In any case, we note that the CONSOB MoU regulates the relationship between the SEC and CONSOB. As such, in (implicitly) allowing that the SEC may request information directly from Covered Firms such as UBS ESE IT, the CONSOB MoU does not stipulate or imply that UBS ESE IT would be able to provide information to the SEC without obtaining a consent from the Rights Holder[58].
 
3.24 In this respect, as mentioned above, considering the lack of a specific bank secrecy regime under Italian law, it is not completely clear whether under Italian law a request of information from the SEC may represent a “just cause” under the Italian bank secrecy rules in order for UBS ESE IT to be exempted from obtaining the Rights Holder’s consent. Based on the Assumptions[59], we consider that in principle a request of information coming from the SEC should be deemed as mandatory for UBS AG (or UBS ESE IT, as applicable) to the extent that a sanction could be applied to UBS AG (or UBS ESE IT, as applicable) in case of non-compliance with such request[60]. In this context, a sanction might include restrictions on UBS AG’s ability to rely on or maintain its registration with the SEC as a non-resident SBSD although in the absence of a specific exemption this position is not free from all doubt.
Based on the remarks above, a request for information from the SEC may be considered as a “just cause” for UBS ESE IT i.e. as an exemption from the general requirement to obtain consent from the Rights Holders provided that UBS ESE IT (or UBS AG) would be subject to sanctions in case of non-compliance with such request, although as noted above in the absence of an express guidance on this specific issue under the Italian bank secrecy rules, this position is not free from all doubt[61].
4. PRIVACY AND HUMAN RIGHTS
4.1 Article 8 of the European Convention on Human Rights (ECHR) confers a general right to “respect for his private and family life, his home and his correspondence”. This right is directly applicable in Italy.[62] The right to privacy clearly applies to natural persons. In certain situations legal persons, such as companies, have been held to benefit from a right to privacy. The European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8 ECHR.[63]
 
4.2 Article 8 ECHR does not in itself give rise to a free-standing cause of action – instead an action arising from a wrongful act, a breach of agreement or other legal obligation, such as under the GDPR, must be brought, and the court will then be obliged to consider the application of Article 8 ECHR.
 
 
 
[57] Please note that this conclusion is grounded on a consequential interpretation of the provisions of the CONSOB MoU, whilst as said there is not an express provision to the effect that the SEC may directly request information from Covered Firms (such as UBS ESE IT) without activating the procedures envisaged under the CONSOB MoU. As such, a prudent approach would be to verify with CONSOB that this interpretation is consistent with the CONSOB MoU and more generally with CONSOB’s position.
[58] Subject to the applicability of the ECB MoU mentioned in footnote No. 10 above, we note that the ECB MoU contains similar provisions to those of the CONSOB MoU mentioned in this section.
[59] Reference is to Assumptions 5, 7 and 8.
[60] As mentioned above the CONSOB MoU and the ECB MoU seem to recognise that the SEC may request and obtain information from Covered Firms directly, which we assume should reasonably include inter alia requests for obtaining information relating to UBS ESE IT’s clients.
[61] In any case, please note that client’s consent is assumed as per Assumption 4 of Annex 2.
[62] Article 10 of the Italian Constitution and law no. 848/1955, by which Italy ratified the ECHR.
[63] Firma EDV Für Sie, EFS Elektronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.
 
 
4.3 Article 8 ECHR is, as it were, the fundamental legal foundation on which the GDPR has been based. The GDPR elaborates on the applicable principles of and the rules on the protection of natural persons when it comes to processing of personal data.[64] The ECHR can further be relied upon when interpreting this GDPR law if necessary. The GDPR can therefore be seen as the regulation detailing the right laid down in Article 8 ECHR, when it comes to the processing of personal data. The GDPR and Article 8 ECHR cannot be seen entirely separately from each other.
Application and exceptions
4.4 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:
(a) in accordance with the law;
This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is an act of parliament, delegated legislation or case law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[65] The relevant consideration on the first aspect is the legal basis on which the court would allow Article 8 ECHR to be breached. The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant legal duty with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.
(b) is necessary in a democratic society;
This criterion is intended to ensure the proportionality of an intrusion into private life. To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.[66] and
(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).
This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.
 
4.5 As the GDPR and Article 8 ECHR cannot be seen entirely separately from each other, and the provision of information to the SEC by UBS ESE IT will, insofar as this contains personal data, fall entirely within the scope of the GDPR, we consider that the criteria set out in paragraph 4.4 are met, as long as UBS ESE IT complies with the requirements set out in paragraphs 1 above.
[64] See also considerations (1) and (2) GDPR.
[65] Malone v UK [1984] ECHR 10 at 68.
[66] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
 
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBS ESE IT or, as the case may be, UBS AG, has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE IT, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
5. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
6. Similarly, UBS ESE IT will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the GDPR[67]. We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE IT can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.
7. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the GDPR (as described in paragraph 1.2 of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).[68]
 
[67] These principles are set out in Annex 1 at paragraph 1.8.
[68] See the SEC Guidance at 85 FR 6298.
 
 
 
8. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[69] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality and, in any event, data processing is made in compliance with the “Administrative arrangement for the transfer of personal data” between each of the EEA Authorities and each of the non-EEA authorities described at paragraph 1.13 of Annex 1 above.
9. Any data held by UBS ESE IT that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE IT in Italy. Whilst UBS ESE IT will be subject to direct On-Site Inspection by the SEC in Italy, UBS ESE IT will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
 
10. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)70).

11. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.

12. Any assessment/legal analysis from a local data protection and/or employment law perspective on the possibility to record voice calls and/or monitor communications with clients has already been carried out by UBS ESE IT and/or UBS AG and is excluded from the scope of this opinion. Likewise, any assessment/legal analysis from an Italian financial regulatory perspective on the possibility for UBS AG to carry out the SBS transactions through the modalities set forth herein has already been carried out by UBS ESE IT and/or UBS AG and is excluded from the scope of this opinion.

13. We have not analysed the contractual relationship(s) in place between UBS AG and UBS ESE IT for the execution of SBS transactions concluded by associated persons of UBS AG employed by UBS ESE IT.
 
14. UBS AG will comply with the restrictions set forth in this opinion to the extent that it is the owner of the information included in the Covered Books and Records for the purposes of the Italian bank secrecy regime.

69 We do not give any views in the opinion as to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
70 Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 