UBS AG London Branch
5 Broadgate
London
EC2M 2QS

Allen & Overy
Serrano 73
28006 Madrid Spain
Tel +34 91 782 98 00
Fax +34 91 782 98 99

Our ref 0036335-0000808

25 October 2021

Dear Sir or Madam
 
UBS AG registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:

(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 to 3.5 (Covered Books and Records); and

(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).

1.3 Associated persons of UBS AG located in Spain who effect UBS transactions on behalf of UBS AG will be employed by the Spanish branch of UBS Europe SE (UBS ESE ES) which is incorporated in Germany and authorised to provide services in Germany and Spain (among other jurisdictions). Accordingly, UBS ESE ES will maintain certain Covered Books and Records in UBS ESE ES on behalf of UBS AG.

1.4 You have asked us to issue an opinion affirming that (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE ES in Spain and (b) UBS ESE ES can submit to On-Site Inspection by the SEC of UBS ESE ES’ Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph 1.2 above[2].

1.5 This opinion is structured as follows:

(a) Section 2: Summary of opinion;
(b) Section 3: Scope, assumptions and qualifications;
(c) Section 4: Revisions to applicable law;
(d) Section 5: Reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.

[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
[2] In accordance with Assumption of Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE ES to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.
 
1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBS ESE ES, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that:

2.1 UBS ESE ES can, as a matter of applicable Spanish law, submit to On-Site Inspection by the SEC. There is no restriction on UBS ESE ES submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBS ESE ES’ ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Spain and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.

2.2 UBS ESE ES can, as a matter of applicable Spanish law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE ES in Spain either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Spain[3].

Data Protection[4]
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE ES’ clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the EU has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBS ESE ES were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Spain.
 
2.4 We anticipate that the legitimate interest legal basis for processing is likely to be the most applicable ground under the EU GDPR and Spanish DPA to enable disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
 
2.5 Where UBS AG London Branch makes onward transfers to the SEC in the US of personal data received from UBS ESE ES on the basis of the legitimate interests derogation, UBS ESE ES must inform the Spanish Data Protection Authority and data subjects prior to the transfer: we note that UBS ESE ES would need to assess the ability to rely on this derogation in each case.
 
Credit institutions’ duty of confidentiality

2.6 Spanish law sets out a duty of confidentiality applicable to UBS ESE ES – it is a Spanish branch of a credit institution and so is subject to Spanish rules on organisation and discipline of credit institutions. By virtue of this, UBS ESE ES is obliged to keep confidential information on its customers' balances, positions, transactions and other operations, which shall not be communicated to third parties or publicly disclosed. This duty only applies to information held or controlled by UBS ESE ES that relates to its customers.

[3] Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption
[4] Please refer to section of for definitions of Data Protection Laws, EU GDPR and the Spanish DPA.

0036335-0000808 UKO1: 2005598297.13

2.7 Nevertheless, disclosure with consent, or under another recognised exception, would not amount to a breach of these legal duties. Ideally, the consent should specify not only the purpose of the disclosure (to provide UBS AG London Branch with access to the Covered Books and Records in order to forward this information to the SEC), but also which specific entities will be the recipients of the Covered Books and Records (UBS AG London Branch). However, the consent clause agreed with the client could be broad enough that any UBS entity could be entitled to have access to the Covered Books and Records and could be delivered to the SEC. In this regard, it should be noted that in accordance with assumption 4 (set out in Annex 2) UBS ESE ES has obtained or will obtain the necessary consents. On that basis, UBS ESE ES would not breach the duty of confidentiality.

2.8 In addition, disclosure to a supervisory authority is also exempted from confidentiality. Therefore, the disclosure to the Spanish National Securities Market Commission (CNMV) in exercise of its supervisory powers on the grounds of a request in the context of a cooperation with the supervisory authorities of a third country such as the SEC (such cooperation being a specific power of the CNMV recognised by Spanish law) would also be, in our view, deemed exempted for the On-Site Inspection to the extent the request for the On-site Inspection is made to the regulatory authorities of UBS ESE and it is covered by the cooperation arrangements with the CNMV or the ECB. This request to conduct On-Site Inspection should be addressed to the relevant legal entity subject to the duty of confidentiality (in this case, UBS ESE or UBS ESE ES) by the relevant supervisory authority (the CNMV or the ECB) in the context of a cooperation with the supervisory authorities of a third country such as the SEC, and not under a demand addressed to a branch of a third country credit institution (UBS AG London Branch).

Spanish authorities’ arrangements with the SEC

2.9 In 1992, the CNMV and the SEC signed a Memorandum of Understanding (the 1992 CNMV MoU)[5] for cooperation between authorities, agreeing to provide each other with all the assistance permitted by their respective regulations, including in relation to granting information and documents from persons, and conducting inspections or reviews of entities carrying out securities market activities for their own account or for the account of others.

Although the 1992 CNMV MoU is recognised as a mere statement of intent and does not imply the imposition of any legal obligations on either party nor can it in any way operate as a substitute for the local law applicable in each case, the CNMV has broad supervisory powers conferred by Spanish law[6] and the exercise of these powers in the context of a cooperation by the CNMV with third country supervisory authorities such as the SEC would waive the application of the confidentiality duties that apply to UBS ESE ES.

2.10 Additionally, on August 16, 2021, the SEC and the European Central Bank (ECB)[7] signed a Memorandum of Understanding (the ECB MoU).[8]

[5] Memorandum of Understanding between the Securities and Exchange Commission of the United States and the Comisión Nacional del Mercado de Valores of Spain for consultation and cooperation in the application of legal provisions relating to securities markets, 8 July 1992 (Memorandum de Entendimiento entre la Securities and Exchange Commission de Estados Unidos y la Comisión Nacional del Mercado de Valores de España para la realización de consultas y cooperación en la aplicación de las disposiciones legales relativas a los mercados de valores, de 8 de julio de 1992).
[6] Article 234 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[7] As UBS ESE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.
[8] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).
 
2.11 Lastly, on October 21, 2021, the SEC, the CNMV and the Bank of Spain (BoS) signed a Memorandum of Understanding (the 2021 MoU)[9] regarding consultation, cooperation and the exchange of information in the supervision and oversight of certain over-the-counter derivatives entities that operate on a cross-border basis in the United States and Spain in connection with the use of substituted compliance by such entities.

Privacy and Human Rights

2.12 Protection for the general fundamental “right to respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in Spain. Actions in respect of Article 8 ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the EU GDPR and Spanish DPA.
 
2.13 Article 8 ECHR is, as it were, the legal foundation on which the EU GDPR has been based. The EU GDPR details the fundamental right laid down in Article 8 ECHR. Thus, Article 8 ECHR and the EU GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE ES falls entirely within the scope of and is in compliance with the EU GDPR and Spanish DPA, we consider the general fundamental right set out in Article 8 ECHR will be protected.

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.

3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London branch, of Covered Books and Records held on its behalf by UBS ESE ES in Spain and On-Site Inspection of UBS ESE ES by the SEC in Spain. This opinion applies equally to remote access from the United States to Covered Books and Records held in Spain. This opinion excludes books and records held in the US. Where matters considered in this opinion are not governed by laws applying to the entirety of Spain, this opinion relates solely to matters of Spanish law and European Union (EU) law that is directly applicable in Spain (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union).

3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:

(a) relate to the US business[10] of the non-resident SBSD.[11] These are the records that relate to an SBS that is either:

(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[12] (US Person) (other than an SBS conducted through a foreign branch of such US Person[13]); or

(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[14] or

(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[15]

3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 This opinion covers data relating to:

(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE ES) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE ES (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE ES acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in Spain is not within scope of this opinion); and

(b) the activities of the staff of UBS ESE ES pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).

This opinion only covers transactions entered into by UBS AG where UBS ESE ES is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE ES and its own counterparties (even though UBS ESE ES may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).

3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.8 No opinion is expressed on matters of fact.

3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE ES staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE ES offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE ES also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE ES may be able to rely on an alternative basis for disclosure (e.g. the public interest exception).

[9] Memorandum of Understanding between the Securities and Exchange Commission of the United States, the Comisión Nacional del Mercado de Valores of Spain and the Bank of Spain concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities.
[10] As defined in 17 CFR § 240.3a71-3(a)(8).
[11] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).
[12] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).
[13] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).
[14] 17 CFR § 240.3a71-3(a)(8)(i)(B).
[15] The requirement set out in this paragraph does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see Assumption set out in

4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules[16] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:

(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;

(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or

(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.
 
4.3 This opinion relates solely to the laws of Spain and EU law that is directly applicable in Spain (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:

(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and

(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

[16] 17 CFR § 240.15Fb2-4(c)(2).
 
Yours faithfully,

Allen & Overy

ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (EU GDPR) and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (Spanish DPA) (together, the Data Protection Laws) will apply to UBS ESE ES’ disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE ES’s staff as well as clients.
 
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE ES’ disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the Data Protection Laws relating to UBS ESE ES’ ability to disclose personal data to the SEC are set out below.

Legal basis for the disclosure

1.4 UBS ESE ES requires a legal basis under Article 6 of the EU GDPR and the Spanish DPA to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement under applicable Spanish law (e.g. confidentiality duties – please see section 2). Whilst there are a number of Article 6 legal bases on which UBS ESE ES may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE ES will need to consider the most appropriate legal basis to apply to any given situation.

1.5 The Article 6 legal bases that seem the most relevant and applicable to UBS ESE ES, together with their respective limitations, are as follows:

(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes. As a practical matter, in Spain, it would be very difficult to establish that consent is freely given where information relates to UBS ESE ES staff, in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE ES offers its staff a genuine choice over how the data is used, and will only continue to be an appropriate legal basis if UBS ESE ES also offers its staff the opportunity to withdraw consent at any time.
 
(b) Legitimate interests (Article 6(1)(f)): This is a more flexible legal basis for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE ES must:

(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;

(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and

(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own.

If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE ES or the third party.

An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBS ESE ES would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE ES may argue that its interests are not outweighed by those of its clients or its employees on the basis that:

(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and

(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.

In addition, while focused on the relationship between the SEC and the CNMV, the existence of the 2021 MoU arguably reflects an acceptance in Spain that the SEC has a duty to regulate SBS markets and may need to access information maintained by financial institutions located in Spain for this purpose.[17] This argument is further supported by the ECB MoU, which similarly reflects an understanding of the SEC’s duties and an acceptance regarding the need for information, including personal data, to be provided to the SEC.[18]
 
[17] Please refer to Articles IV and V of the 2021 MoU.
[18] For the avoidance of doubt, we note however that neither the 1992 CNMV MoU nor the ECB MoU stipulates any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.
 
 
Also relevant to this balancing of interests are that:
(1) the SEC will restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[19] and
(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[20]
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE ES is subject (Article 6(1)(c)): There must be a Spanish nexus in order for UBS ESE ES to be able to rely on this legal basis. Article 6(3) of the EU GDPR and Article 8(1) of the Spanish DPA require that the legal obligation must be laid down by a Spanish rule with the status of a law (other instruments such as decrees or regulations will not be sufficient) or EU law,[21] although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE ES as the person subject to it.[22]
In the context of this legal basis for processing, a direct request from the SEC in the absence of a Spanish legal requirement (e.g. a lawful request from the CNMV in the exercise of its powers) would not justify the disclosure as being necessary for compliance with such an obligation.
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): There must be a Spanish nexus in order for UBS ESE ES to be able to rely on this legal basis. Article 8(2) of the Spanish DPA requires that the task carried out in the public interest derives from the powers conferred by a Spanish rule with the status of a law (other instruments such as decrees or regulations will not be sufficient) or EU law.
In the context of this legal basis for processing, a direct request from the SEC in the absence of powers conferred by a Spanish rule with the status of a law or EU law (e.g. a lawful request from the CNMV in the exercise of its powers) would not justify the disclosure as being necessary for the performance of a task carried out in the public interest.
1.6 Based upon the above, the legitimate interests basis for processing is likely to be the most appropriate Article 6 ground on which UBS ESE ES could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. However, to rely on the legitimate interests ground, UBS ESE ES needs to undertake a balancing test as outlined above.
1.7 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE ES might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, for an associated person who is not a US Person.[23] However, to the extent that this does occur, and such information is held by UBS ESE ES, in addition to an Article 6 legal basis, UBS ESE ES will need to establish an additional legal basis for processing under Article 9 of the EU GDPR and the Spanish DPA if it discloses special categories of data to the SEC. Other than valid consent[24] when applicable for certain special categories of data[25] and public interest due to the limitations discussed in paragraphs 1.5(a) and (d) above, the Article 9 legal basis that may be applicable to disclosure of Covered Books and Records is that processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f)). However, please note that there is no guidance from the Spanish Data Protection Authority on the applicability of this particular legal basis and that it is also uncertain whether this legal basis can be extended to this case.

[19] Please refer to Assumptions and in Annex 2, as well as section 5 of the 1992 CNMV MoU and Article II and paragraph 49 of the ECB MoU.
[20] Please refer to Assumption in Annex 2, as well as section 6 of the 1992 CNMV MoU and paragraph 56 of the ECB MoU.
[21] Article 8(1) of the Spanish DPA establishes that such Spanish rule with the status of a law or EU law may: (i) determine the general conditions of the processing and the types of data to be processed as well as the transfers that may take place as a result of compliance with the legal obligation; and (ii) impose special conditions on the processing, such as the adoption of additional security measures.
[22] Recital 41 EU GDPR.
[23] As we understand it, as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
1.8 Similarly, processing of personal data relating to criminal convictions and offences is highly restricted, and such data can only be disclosed where this is authorised by a rule of EU law, by the Spanish DPA or by other Spanish laws or rules that have the force of law. In the absence of such a rule of EU law, of the Spanish DPA or of other Spanish laws or rules – and we are aware of no such law or rule that would authorise this disclosure to the SEC – UBS ESE ES could not disclose these personal data to the SEC. In practice, this restriction on UBS ESE ES is dealt with by this information being provided and/or transferred directly by the individual (here, staff of UBS ESE ES) to the requesting party (here, the SEC).
Data protection principles
1.9 In addition to establishing a legal basis for the disclosure, UBS ESE ES would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the EU GDPR. For example, UBS ESE ES must:
(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE ES to verify this and implement its own compliance measures.
International transfers
1.11 The general principle in the EU GDPR is that UBS ESE ES may not transfer personal data to a jurisdiction outside the European Economic Area (EEA), unless it can satisfy a condition for the transfer as set out in Chapter V of the EU GDPR.
 
[24] Article 9(2)(a) of the EU GDPR; please also refer to limitations on the applicability of consent discussed in paragraph of section.
[25] i.e., genetic data, biometric data when used for ID purposes and health information. Article 9(1) of the Spanish DPA establishes that processing may not be based on consent alone if the main purpose of the processing is to identify racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, data concerning sex life or sexual orientation. This shall not prevent the processing of such special categories of data under the other legal bases of Article 9 of the EU GDPR.
 
 
1.12 Article 45 of the EU GDPR allows for UBS ESE ES to transfer personal data to a recipient outside the EEA where the European Commission has decided that this third country ensures an adequate level of protection. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[26] allows transfers of personal data from the EEA, including Spain, to the UK to be made freely. Any transfer from UBS ESE ES to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).
1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE ES’ Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the United Kingdom addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR[27] and UK Data Protection Act 2018 is “in substance identical” to the transfer regime under the EU GDPR.[28] The primary options available to UBS AG London Branch pursuant to this EU GDPR restriction applicable to UBS ESE when disclosing UBS ESE ES’ Covered Books and Records to the SEC in the US are set out in paragraph 1.14 of this Annex 1, below.
1.14 Derogations (Article 49 of the EU GDPR)[29]: Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations from the transfer prohibition are potentially available under EU GDPR for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE ES’ Covered Books and Records to the SEC.
 
1.15 These derogations include:[30]
(a) Consent: Consent must be freely given in order to be valid.[31]
(b) Legitimate interests: a data transfer on the basis of legitimate interests may take place if (i) the transfer is not repetitive, (ii) the transfer concerns only a limited number of data subjects, (iii) the transfer is necessary for the purposes of compelling legitimate interests pursued by UBS ESE ES, (iv) UBS ESE ES’ legitimate interests are not overridden by the interests or rights and freedoms of the Rights Holder, (v) UBS ESE ES has assessed all the circumstances surrounding the data transfer, and (vi) UBS ESE ES has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.[32] The legitimate interests derogation may be the most appropriate Article 49 of the EU GDPR ground on which UBS ESE ES could rely to transfer data to the SEC. In addition, according to Article 43 of the Spanish DPA, UBS ESE ES shall inform the Spanish Data Protection Authority of the international data transfer to the SEC based on legitimate interests. UBS ESE ES shall also inform data subjects of the transfer and of the overriding legitimate interests pursued. This information shall be provided prior to the carrying out of the transfer.
[26] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.
[27] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.
[28] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
[29] The European Data Protection Board has issued guidelines to provide guidance as to the application of Article 49 of the EU GDPR on derogations in the context of transfers of personal data to third countries.
[30] The available derogations also include, among others, a derogation based on public interest. However, the public interest derogation in Article 49(1)(d) of the EU GDPR regarding international transfers of personal data refers to the transfer being ‘necessary for reasons of public interest’ and differs from the public interest legal basis in Article 6(1)(e) of the EU GDPR (referring to the processing being ‘necessary for the performance of a task carried out in the public interest’). However, please note that there is no guidance from the Spanish Data Protection Authority on the applicability of this particular derogation and that it is also uncertain whether this derogation can be extended to this case.
[31] Please refer to paragraph of this Annex 1 and note that valid consent is assumed in Assumption of Annex 2.
[32] Last paragraph of Article 49(1) of the EU GDPR.
 
 
 
Each of the consent and legitimate interest derogations needs to be applied on a case-by-case basis.[33]
 
1.16 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE ES effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
2. CREDIT INSTITUTIONS’ DUTY OF CONFIDENTIALITY
Scope of duties
2.1 UBS ESE ES, as a branch of a credit institution, is subject to the regulations governing the organisation and discipline of credit institutions in Spain. Accordingly, it shall comply with its duty of confidentiality towards the balances, positions, transactions and other operations of its clients as Right Holders.
2.2 In particular, article 83 of Law 10/2014[34] states as follows:

“Article 83. Duty to reserve information.
1. Institutions and other persons subject to the regulations governing the organisation and discipline of credit institutions are obliged to keep confidential information relating to the balances, positions, transactions and other operations of their customers, which may not be communicated or disclosed to third parties.
2. Exempt from this duty shall be information in respect of which the customer or the law permits its communication or disclosure to third parties or which, as the case may be, is required or must be sent to the respective supervisory authorities or within the framework of compliance with the obligations established in Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism. In this case, the transfer of the information must comply with the provisions of the client itself or with the law. […].
3. Information exchanges between credit institutions belonging to the same consolidated group are likewise an exception to this rule”.
2.3 First, it is worth considering whether or not this rule would apply to the Recipient. In this regard, we must consider the provisions of Law 10/2014[35], which stipulates that branches in Spain of EU credit institutions shall "respect, in the exercise of their activity in Spain, the provisions on the organisation and discipline of credit institutions which, where applicable, are applicable, as well as any others issued for reasons of general interest, whether at the state, regional or local level".
 
2.4 These so-called organisational and disciplinary provisions include the duty of confidentiality as set out in Article 83 of Law 10/2014, which is a rule of Spanish law not derived from EU harmonisation and is applicable to institutions or branches providing banking services in Spain through a passport regime, as the Recipient does.
2.5 By application of the first paragraph of the aforementioned provision, therefore, in the event that the Covered Books and Records contain information relating to the balances, positions, transactions and other operations of the Right Holders, UBS ESE ES would be restricted by this duty in its ability to transmit this information to the SEC. This duty only applies to information held or controlled by UBS ESE ES that relates to its customers.
[33] Article 49(1) EU GDPR at sentence 1 paragraph (a) and sentence 2, respectively.
[34] Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions (Law 10/2014).
[35] In particular, article 12.2 of Law 10/2014.
 
 
 
Consent
2.6 However, Article 83(2) of this provision establishes a number of possible waivers or exceptions to this confidentiality duty. Among them, of particular interest and application to the case at hand is the exception whereby the consent of the client to the transfer of data about his balances, positions, transactions and other operations (to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Spain) would automatically mean that such transfer would not constitute a breach by UBS ESE ES of the abovementioned regulation.
2.7 The consent of the client must be sufficiently broad in its drafting to allow the disclosure or delivery of information regarding the Covered Books and Records to UBS AG London Branch and its onward provision to the SEC. Ideally, the consent should include that UBS ESE ES is providing access to the Covered Books and Records to UBS AG London Branch and allow UBS AG London Branch to disclose it to regulatory authorities (or specifically to the SEC) or otherwise the consent might not be valid. However, the consent clause agreed with the client could be broad enough that any UBS entity could be entitled to have access to the Covered Books and Records (e.g. the consent clause could include that the information would be transferred to any UBS entity in order to fulfil SBSD requirements before the SEC or other regulatory authorities).
 
2.8 Thus, the right of UBS ESE ES' banking clients to have their banking data covered by confidentiality (which derives from the obligation of the institutions concerned to ensure banking secrecy) is waivable and can be excluded by way of consent. Since this consent, as stated in assumption 4 in Annex 2, is assumed to have been properly gathered, there would be no obstacle arising from the Spanish banking secrecy regulations that would prevent the Recipient from being able to share the Covered Books and Records with the SEC for regulatory compliance purposes.
Credit institution consolidated group exemption
2.9 The provision of access to Covered Books and Records by UBS ESE ES to UBS AG London Branch is also exempted if both credit institutions are part of the same consolidated group (“grupo consolidable”) as set out in article 83 (3) of Law 10/2014[36]. Article 83 (3) of Law 10/2014 does not specifically define the concept of consolidated group (“grupo consolidable”). However, taking into account that Law 10/2014 is the implementation of CRD IV under Spanish law, it is our view that this concept should be interpreted in accordance with Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (CRR). Point (47) of Article 4(1) of CRR defines the concept of “consolidation situation” (the name that CRR gives to consolidated group (“grupo consolidable”)) as:

“the situation that results from applying the requirements of this Regulation in accordance with Part One, Title II, Chapter 2 to an institution as if that institution formed, together with one or more other entities, a single institution.”

Article 11.1 of CRR, which is the first article of Part One Title II, Chapter 2 of CRR, sets out the following:

“Parent institutions in a Member State shall comply, to the extent and in the manner prescribed in Article 18, with the obligations laid down in Parts Two to Four and Part Seven on the basis of their consolidated situation.”
 
2.10 In light of the above, an EU consolidated group (“grupo consolidable”), which can be a sub-group of a larger non-EU consolidation group (as is the case for UBS), exists when the parent company is constituted in an EU Member State. In this regard, it should be noted that in accordance with assumption 5 (set out in Annex 2) UBS AG (a) is the parent company of the UBS group and (b) is not incorporated in an EU Member State (it is a Swiss bank). Under this assumption, UBS ESE ES and UBS AG London Branch would not be part of the same EU consolidated group; the requirements of the exemption to the duty of confidentiality are not met and disclosure would not be allowed.

[36] Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions (Law 10/2014).
Supervisory authorities exemption
2.11 When the consent of the Rights Holder has been duly obtained, as noted above, the aforementioned article 83(2) of Law 10/2014 also includes, as an exception that discharges the Recipient's duty of confidentiality, the case where information is shared at the request or requirement of supervisory authorities:

“[…] Exempt from this duty shall be information in respect of which the customer or the law permits its communication or disclosure to third parties or which, as the case may be, is required or must be sent to the respective supervisory authorities […]”.
2.12 It is uncertain whether a request issued directly by the SEC would fall within this exemption. In our view, and given that the entity to be registered with the SEC is in fact UBS AG as a Swiss bank (i.e. an entity not subject to the supervision of the Spanish supervisory authorities), we consider that the SEC does not fall within the supervisory authorities whose request would be considered to be issued by "the respective supervisory authorities" for the purposes of Spanish law, thus not benefiting from this exemption.
2.13 Nevertheless, it is uncontroversial that the CNMV is indeed an authority with supervisory powers over UBS ESE ES for these purposes, so that a request from this organisation would doubtlessly fall within this exemption. The CNMV's powers under Spanish law[37] also include the CNMV's ability to carry out its supervisory duties and exercise its powers in cooperation with supervisory authorities from other countries (these powers, of course, include requesting information and carrying out on-site inspections, as the Spanish provisions generally provide the CNMV with broad supervisory powers) and, in particular, the Spanish law also provides for the establishment, by the CNMV, of cooperation mechanisms or agreements with supervisory authorities of non-EU countries[38] such as the SEC. The ECB is also an authority with supervisory powers over UBS ESE ES, and cooperation mechanisms between the ECB and the SEC are set out under the ECB MoU[39].
 
2.14 Thus, we consider that this exemption would be applicable in the event that the relevant information or requirement is requested or issued by the CNMV or the ECB in the framework of a supervisory request in the context of cooperation between authorities, such as in the context described in the following section 3. This interpretation can be applied in the context of an On-Site Inspection.
2.15 However, it is our view that this exemption from confidentiality could not be applied in relation to the provision of the Covered Books and Records to UBS AG London if any such request for information has been addressed solely to UBS AG London. For this exemption to be applied, the request for information has to be addressed to the relevant legal entity subject to the duty of confidentiality (in this case, UBS SE or UBS SE Spanish branch) by the relevant supervisory authority (the CNMV or the ECB) in the context of a cooperation with the supervisory authorities of a third country such as the SEC, and not under a demand addressed to a branch of a third country credit institution (UBS AG London Branch). The CNMV could request the Covered Books and Records from UBS ESE ES out of a cooperation mechanism or agreement with a non-EU authority (SEC), but the duty of confidentiality may not be exempted solely on the basis of a request of a branch of a third country credit institution (UBS AG London Branch) (unless the consent exemption applies).
 
[37] Article 234 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[38] Article 247 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[39] Please refer to Article II, Article III and Article V of the ECB MoU.
 
 
 
3. SUPERVISORY AUTHORITIES’ ARRANGEMENTS WITH THE SEC
1992 Memorandum of Understanding
3.1 In 1992, the CNMV and the SEC signed the 1992 CNMV MoU. The 1992 CNMV MoU is a Memorandum of Understanding for cooperation between authorities. In particular, these supervisory authorities agreed to provide each other with all the assistance permitted by their respective regulations, including in the event that any of the rules of their markets had been infringed, even if such infringement was not a violation in the jurisdiction of the authority receiving the request for assistance.
3.2 The assistance agreed to be provided includes the following capabilities:
(a) Providing access to information in the records and files of the authority receiving the request for assistance.
(b) Taking testimony and statements from persons.
(c) Obtaining information and documents from persons.
(d) Conducting inspections or reviews of entities carrying out securities market activities for their own account or for the account of others (for this functionality, it is specifically mentioned in the 1992 CNMV MoU that the option for the requesting authority to be present at the inspection is envisaged, although there is no mention of the ability of the requesting authority to conduct an inspection for its own account without the intervention of the local authority).
3.3 The listed functions can indeed be interpreted as enabling access to the Covered Books and Records and the completion of On-Site Inspections (in particular points (c) and (d)). However, in the 1992 CNMV MoU the authorities acknowledge that, in some circumstances, they may not have the legal authority to provide the assistance in question and, indeed, recognise that it is merely a statement of intent and does not imply the imposition of any legal obligations on either party nor can it in any way operate as a substitute for the local law applicable in each case.
3.4 Notwithstanding the fact that the 1992 CNMV MoU signing authorities have indeed stated that they may not have the legal authority to carry out their cooperation activities as described therein, it should be noted that in general Spanish law[40] grants the CNMV broad supervisory powers, which include both obtaining information and documentation and conducting on-site inspections. These powers also include the exercise of its powers in a framework of collaboration with supervisory authorities of other states and, in particular, of third states such as the SEC.
 
3.5 The exercise of these powers by the CNMV to exercise the relevant supervisory activities, as mentioned in paragraphs 2.8 to 2.11 above, would also mean that the duty of banking secrecy required from UBS ESE ES towards its customers' balances, positions, transactions and other operations would be exempted by applying the exception whereby this duty of confidentiality does not apply in the event of a request from authorities with supervisory powers, in this case the CNMV (which, in the exercise of its powers, would cooperate in this context with the SEC for the fulfilment of its supervisory duties over SBSDs)[41].
3.6 It should be noted, however, that the purpose of these supervisory and cooperation exercises by the CNMV to issue requirements or carry out supervisory activities should be clearly defined and sufficiently substantiated. Indeed, as explained above, in no case are we talking about legal obligations deriving from the 1992 CNMV MoU and enforceable against the CNMV, which could refuse to carry out the supervisory tasks requested by the SEC on the grounds of, among others, reasons of general interest.

[40] Article 234 of the Royal Legislative Decree 4/2015, of 23 October, approving the revised text of the Securities Market Law.
[41] Article 83(2) of Law 10/2014.

2021 Memorandum of Understanding
3.7 In 2021, the SEC, the CNMV and the BoS signed the 2021 MoU. The 2021 MoU is a Memorandum of Understanding for cooperation between authorities. Specifically, these supervisory authorities agreed to cooperate to support the facilitation of the ability of certain entities to comply with particular U.S. requirements through substituted compliance with certain provisions under the laws of Spain and supervision and enforcement by the SEC of its laws and regulations, including as contemplated under substituted compliance. The entities covered by the 2021 MoU are security-based swap entities that operate in the United States and Spain on a cross-border basis.
3.8 Under the 2021 MoU, the SEC, the CNMV and the BoS agreed to consult regularly on:[42]
(a) General supervisory and oversight issues or other related developments;
(b) Issues relevant to the operations, activities and regulation related to the activities raised under security-based swaps agreements;
(c) The operation of the 2021 MoU and the substituted compliance order explained below; and
(d) Any other areas of mutual interest.
3.9 In particular, the SEC, the CNMV and the BoS agreed to cooperate and exchange information through the following commitments:[43]
(a) The CNMV and BoS intend to provide to the SEC on an ongoing basis information of the SBSD (Ongoing Notification);
(b) Provision of information for the purposes of supervision and oversight of the relevant security-based swap entity. Such information may include information relevant to the financial and operational condition of the security-based swap entity (Request-Based Information Sharing);
(c) Consultations between authorities to update each other on their respective functions and regulatory oversight programs (Periodic Consultations);
(d) Provision of information on a voluntary basis without request (Provision of Unsolicited Information).
3.10 The cooperation between the SEC, the CNMV and the BoS also includes providing access to information (Direct Requests Made to Covered Firms)[44] and facilitating On-Site Inspections (On-Site Visits).[45]
3.11 None of the provisions contained in the 2021 MoU should be construed as a limitation on: (i) the SEC's ability to obtain Covered Books and Records or conduct On-Site Inspections; (ii) the security-based swap entity obligations under U.S. law, including the obligation to provide its Covered Books and Records directly to the SEC; or (iii) a SBSD to provide an opinion of counsel and certification pursuant to Exchange Act Rule 15Fb2-4(c)(1) regarding the SEC's ability to obtain the Covered Books and Records or conduct On-Site Inspections.[46]

[42] Please refer to Article III of the 2021 MoU.
[43] Please refer to Article III of the 2021 MoU.
[44] Please refer to Article IV of the 2021 MoU.
[45] Please refer to Article V of the 2021 MoU.
[46] Please refer to paragraph 46 of the 2021 MoU.
 
 
 
3.12 With respect to security swap dealer entities under supervision of the ECB, the commitments contained in the MoU 2021 do not include any information, document or action which is in the sole remit of the ECB or otherwise cannot be shared by the CNMV or the BoS without the consent of the ECB.[47]
3.13 The MoU 2021 states that with respect to cooperation under the MoU, no banking secrecy, blocking laws, or other regulations or legal barriers should prevent the authorities from providing assistance to the SEC.[48]
3.14 Lastly, the 2021 MoU does not create any legally binding obligations, confer any rights or supersede domestic laws or other laws.[49]

ECB MoU
 
3.15 On August 16, 2021, the SEC and the European Central Bank signed the ECB MoU. The ECB MoU is a Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities.
3.16 Under the ECB MoU, the SEC and the ECB agree to provide each other with the fullest cooperation permitted by their respective regulations. The ECB MoU further states that with respect to cooperation under the ECB MoU, no banking secrecy, blocking laws, or other regulations or legal barriers should prevent the ECB from providing assistance to the SEC under the ECB MoU.[50]
3.17 The cooperation to be provided by the ECB includes providing access to information[51] and facilitating On-Site Inspections by the SEC[52]. Where necessary in order to fulfil its supervisory and oversight responsibilities, the SEC may conduct On-Site Inspections to inspect, examine, and obtain books and records of the firm being inspected[53].
3.18 For the sake of clarity we note that the ECB MoU does not create any legally binding obligations, confer any rights or supersede domestic laws or other laws[54].

Substituted compliance order
3.19 On 22 October 2021, the SEC granted an application of the CNMV determining that compliance with Spanish legal requirements by the class of market participants specified and described therein satisfies the analogous requirements applicable to a security-based swap dealer or major security-based swap participant registered with the SEC that is not a US Person under Section 15F of the Securities Exchange Act of 1934 and regulations thereunder.

4. PRIVACY AND HUMAN RIGHTS
4.1 Article 8 ECHR confers a general “right to respect for his private and family life, his home and his correspondence”. This right is directly applicable in Spain. The right to privacy clearly applies to natural persons. In certain situations legal persons, such as companies, have been held to benefit from a right to privacy. The European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8 ECHR.[55]

[47] Please refer to Article I of the 2021 MoU.
[48] Please refer to paragraph 26 of the 2021 MoU.
[49] Please refer to paragraph 27 of the 2021 MoU.
[50] Please refer to Article II of the ECB MoU.
[51] Please refer to Article III of the ECB MoU.
[52] Please refer to Article V of the ECB MoU.
[53] Please refer to paragraph 45 of the ECB MoU.
[54] Please refer to paragraph 27 of the ECB MoU.
[55] Firma EDV Für Sie, EFS Elecktronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.
 
 
4.2 Article 8 ECHR does not in itself give rise to a free-standing cause of action – instead an action arising from a wrongful act, a breach of agreement or other legal obligation, such as under the EU GDPR, must be brought, and the court will then be obliged to consider the application of Article 8 ECHR.
 
4.3 Article 8 ECHR is, as it were, the fundamental legal foundation on which the EU GDPR has been based. The EU GDPR elaborates on the applicable principles of and the rules on the protection of natural persons when it comes to processing of personal data.[56] The ECHR can further be relied upon when interpreting this EU GDPR law if necessary. The EU GDPR can therefore be seen as the regulation detailing the right laid down in Article 8 ECHR, when it comes to the processing of personal data. The EU GDPR and Article 8 ECHR cannot be seen entirely separately from each other.

Application and exceptions
4.4 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:
(a) in accordance with the law;
This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is an act of parliament, delegated legislation or case law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[57] The relevant consideration on the first aspect is the legal basis on which the court would allow Article 8 ECHR to be breached. The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant legal duty with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.
(b) is necessary in a democratic society;
This criterion is intended to ensure the proportionality of an intrusion into private life. To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.[58]
and
(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).
This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.
 
4.5 As the EU GDPR and Article 8 ECHR cannot be seen entirely separately from each other, and the provision of information to the SEC by UBS ESE ES will, insofar as this contains personal data, fall entirely within the scope of the EU GDPR, we consider that the criteria set out in paragraph 4.4 are met, as long as UBS ESE ES complies with the requirements set out in paragraphs 1.1 to 1.12 above.
 
[56] See also recitals (1) and (2) EU GDPR.
[57] Malone v UK [1984] ECHR 10 at 68.
[58] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
 
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBS ESE ES has obtained all necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records to provide UBS AG London with access to the Covered Books and Records including for forwarding this information to the SEC or to allow On-Site Inspections to the SEC, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE ES, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
 
5. UBS AG is not constituted in the EU and is the parent company of the UBS group.
 
 
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
7. Similarly, UBS ESE ES will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR.[59] We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE ES can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the ICO) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[60]
8. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the EU GDPR (as described in paragraph 1.2 of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).[61]

[59] These principles are set out in at paragraph
[60] See the SEC Guidance at 85 FR 6298.

9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[62] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
 
10. Any data held by UBS ESE ES that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE ES in Spain. Whilst UBS ESE ES will be subject to direct On-Site Inspection by the SEC in Spain, UBS ESE ES will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
11. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)[63]).
12. UBS AG does not include the information described in 17 C.F.R. §§ 240.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.

[61] See the SEC Guidance at 85 FR 6298. This assumption also aligns with the information that we understand was provided by the SEC to the ICO per page 2 of the ICO Letter.
[62] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
[63] Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 