EX-99.34 OPIN COUNSL 30 lonetherlands.htm lonetherlands
 
UBS AG London Branch
5 Broadgate
London
EC2M 2QS

Allen & Overy LLP
Apollolaan 15
Amsterdam 1076 AB Amsterdam
Tel +31 20 674 1000
Fax +31 20 674 1111

Our ref 0036335-0000808

22 October 2021

Dear Sir or Madam
 
UBS AG SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs 3.3 and 3.5 (Covered Books and Records); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).

1.3 Associated persons of UBS AG located in the Netherlands who effect SBS transactions on behalf of UBS AG will be employed by the Dutch branch of UBS Europe SE (UBS ESE NL) which is a subsidiary of UBS incorporated in Germany and authorised to provide services in Germany and the Netherlands (among other jurisdictions). Accordingly, UBS ESE NL will maintain certain Covered Books and Records in the Netherlands on behalf of UBS AG.
 
1.4 You have asked us to issue an opinion affirming that (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE NL in the Netherlands and (b) UBS ESE NL can submit to On-Site Inspection by the SEC of UBS AG’s Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph 1.2 above.[2]
 
[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.
[2] In accordance with Assumption 10 in Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE NL to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.
 
Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. It is authorised and regulated by the Solicitors Regulation Authority of England and Wales. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners is open to inspection at its registered office, One Bishops Square, London E1 6AD.

Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
 
 
1.5 This opinion is structured as follows:
(a) Section 2: Summary of opinion;
(b) Section 3: Scope, assumptions and qualifications;
(c) Section 4: Revisions to applicable law;
(d) Section 5: Reliance and confidentiality;
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below, it is our opinion that:

2.1 UBS ESE NL can, as a matter of applicable Dutch law, submit to On-Site Inspection by the SEC. There is no restriction on UBS ESE NL submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBS ESE NL’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in the Netherlands and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.

2.2 UBS ESE NL can, as a matter of applicable Dutch law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE NL in the Netherlands either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in the Netherlands.[3]

Data Protection[4]
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE NL’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a non-EEA country or territory the EU has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBS ESE NL were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in the Netherlands.

2.4 We anticipate that the legitimate interests legal basis for processing is likely to be the most applicable ground under the GDPR (and the Dutch Implementation Act) to enable disclosure of and access to Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to permit On-Site Inspection. To the extent that UBS ESE NL relies on the legitimate interest legal basis, it will also need to take into account the guidance of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the Dutch DPA) to satisfy the conditions for processing.[5] We note that UBS ESE NL would need to assess the ability to rely on this legal basis in each case.

[3] Where a restriction on the ability to transfer personal data applies, consent from the individual, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption 6.

[4] Please refer to section 1 of Annex 1 for definitions of Data Protection Laws, GDPR, and the Dutch GDPR Implementation Act.

[5] Dutch DPA, “Standard explanation legal basis ‘legitimate interest’”, (Normuitleg grondslag ‘gerechtvaardigd belang’) (see <https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/normuitleg_gerechtvaardigd_belang.pdf> accessed 21 September 2021) (only available in Dutch).
 
 
0036335-0000808 UKO1: 2005491828.9
 
 
 
 
Duties of confidentiality under Dutch law

2.5 There are no legal obligations from a Dutch law perspective, other than the data protection legal obligations set out in paragraph 2.3 to 2.4 above, that prohibit UBS ESE NL from providing any information to the SEC, either when providing the SEC with access to Covered Books and Records or when permitting an On-Site Inspection. However, there is a remote risk that an individual of whom information is disclosed brings an action on the basis of a wrongful act (onrechtmatige daad).[6] Whether such action will be successful depends on the circumstances at hand.
 
Privacy and Human Rights

2.6 Protection for the general fundamental right to “respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in the Netherlands. Actions in respect of Article 8 ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the Data Protection Laws.
 
2.7 Article 8 ECHR is, as it were, the legal foundation on which the GDPR has been based. The GDPR is detailing the fundamental right laid down in Article 8 ECHR. Thus, Article 8 ECHR and the GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE NL falls entirely within the scope of and is in compliance with the Data Protection Laws, we consider the general fundamental right set out in Article 8 ECHR will be protected.

This summary opinion is not a substitute for the full expression of our views set out in Annex 1.

3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE NL in the Netherlands and On-Site Inspection of UBS ESE NL by the SEC in the Netherlands. This opinion applies equally to remote access from the United States to Covered Books and Records held in the Netherlands. This opinion excludes books and records held in the US. Where matters considered in this opinion are not governed by laws applying to the entirety of the Netherlands, this opinion relates solely to matters of Dutch law and European Union (EU) law that is directly applicable in the Netherlands (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union).

3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

[6] We assume there are no contractual confidentiality clauses in place between UBS ESE NL and any other party, see also paragraph 2.3 of Annex 1 and Assumption 12 as set out in Annex 2.
 
 
3.3 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business[7] of the non-resident SBSD.[8] These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[9] (US Person) (other than an SBS conducted through a foreign branch of such US Person[10]); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[11] or
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[12]

3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph 3.3(b) above. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 This opinion covers data relating to:
(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE NL) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE NL (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE NL acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and
(b) The activities of the staff of UBS ESE NL pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).

This opinion only covers transactions entered into by UBS AG where UBS ESE NL is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE NL and its own counterparties (even though UBS ESE NL may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within the scope of this opinion).
 
[7] As defined in 17 CFR § 240.3a71-3(a)(8).

[8] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).

[9] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

[10] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).

[11] 17 CFR § 240.3a71-3(a)(8)(i)(B).

[12] The requirement set out in this paragraph 3.3(b) does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see Assumption 1 set out in Annex 2.
 
 
3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.

3.8 No opinion is expressed on matters of fact.
 
3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE NL staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE NL offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE NL also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE NL may be able to rely on an alternative basis for disclosure (e.g. the legitimate interest exception).

4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules[13] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph 4.1 above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.
 
4.3 This opinion relates solely to the laws of the Netherlands and EU law that is directly applicable in the Netherlands (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
 
[13] 17 CFR § 240.15Fb2-4(c)(2).
 
 
(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph 5.2(b) above will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
Yours faithfully,

Allen & Overy LLP
 
ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (GDPR), and the implementation thereof in the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming) (together, the Data Protection Laws) will apply to UBS ESE NL’s disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE NL’s staff as well as clients.
 
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category personal data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE NL’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the Data Protection Laws relating to UBS ESE NL’s ability to disclose personal data to the SEC are set out below.

Legal basis for the disclosure

1.4 UBS ESE NL requires a legal basis under Article 6 GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement. Whilst there are a number of Article 6 legal bases on which UBS ESE NL may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE NL will need to consider the most appropriate legal basis to apply to any given situation.

1.5 The Article 6 legal bases most applicable to UBS ESE NL, together with their respective limitations, are as follows:
(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[14]
 
(b) Legitimate interests (Article 6(1)(f)): This is one of the more flexible legal bases for processing that can apply to a multitude of purposes. The Dutch DPA interprets this legal basis very strictly. The Dutch DPA has previously issued an opinion that compliance with (foreign) regulatory obligations could qualify as legitimate interests. The Dutch DPA has given this view in relation to foreign whistleblowing requirements.[15] The Dutch DPA states that (foreign) legal obligations could qualify as a legitimate interest, and that the consequences for the companies in case they cannot comply with these obligations will have to be taken into account. To rely on the legitimate interests ground, UBS ESE NL must:

[14] Please also refer to limitations on the applicability of consent discussed in paragraph 3.9 of section 3: scope, assumptions and qualifications. Please note that valid consent is assumed at Assumption 5 in Annex 2.

[15] Dutch DPA, Whistle blowing opinion Dutch DPA, January 2006. Please note that this opinion was issued under the predecessor of the GDPR (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) (see <https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/uit/z2004-1233_opinie_whblowing.pdf> accessed 21 September 2021). As the “legitimate interest” legal basis was also included in this predecessor, we expect that the opinion of the Dutch DPA in relation hereto remains the same.
 
(i) identify its, or a third party’s legitimate interest (this can include individual interests or broader societal benefits) in complying with the SEC’s disclosure request. The Dutch DPA specifically states in its guidance that ‘meeting obligations imposed on an entity or institution’ qualifies as a legitimate interest[16]. The Dutch DPA emphasizes that the interest must be real, concrete and direct, and can be both tangible and intangible. According to the Dutch DPA, a general interest such as ‘society’ does not qualify as a legitimate interest;
(ii) show that the disclosure of documents by UBS ESE NL to the SEC is necessary for achieving these legitimate interests; and
(iii) balance these legitimate interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own. If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE NL or the third party.

An individual has the right to object on grounds relating to his or her particular situation to the disclosure of their personal data to the SEC under this basis for processing, and UBS ESE NL would then need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account the “reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE NL may argue that its interests are not outweighed by those of its clients or its employees on the basis that:
(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and
(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.
 
 
[16] Dutch DPA, “Standard explanation legal basis ‘legitimate interest’”, (Normuitleg grondslag ‘gerechtvaardigd belang’) (see <https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/normuitleg_gerechtvaardigd_belang.pdf> accessed 21 September 2021) (only available in Dutch).
 
 
In addition, while focused on the relationship between the SEC and the ECB, the existence of the Memorandum of Understanding entered into by the SEC and the European Central Bank (ECB)[17] (the ECB MoU)[18] arguably reflects an acceptance in the EU that the SEC has a duty to regulate SBS markets and may need to access information, including personal data, maintained by financial institutions located in the Netherlands for this purpose.[19] Also relevant to this balancing of interests are that the SEC will:
(1) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[20] and
(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[21]

(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE NL is subject (Article 6(1)(c)): There must be a Dutch nexus in order for UBS ESE NL to be able to rely on this legal basis. Article 6(3) GDPR requires that the legal obligation must be laid down by EU law or Dutch law, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE NL as the person subject to it.[22] In the context of this legal basis for processing, an SEC request in the absence of an EU or Dutch legal requirement (e.g. a lawful request from the Dutch Central Bank (De Nederlandsche Bank, DNB) or the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, AFM) in the exercise of its powers under the Dutch Financial Supervision Act (Wet op het financieel toezicht) or from another European legislator) would not justify the disclosure to the SEC as being necessary for compliance with such a foreign law obligation.
We further note that the ECB MoU does not create any legally binding obligations.[23]
 
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): According to the Dutch interpretation of this legal basis, only entities who are performing a public task or are vested with public authority are able to rely on this legal basis. European or Dutch law must lay down these public tasks or the vested public authority and designate the entity who will carry out these tasks, and therefore may be able to process the personal data involved. In general, only (semi-)public institutions will be able to base their processing on this legal basis. The Dutch DPA acknowledges this view.[24] As a result, it is not possible for UBS ESE NL to rely on this legal basis. UBS ESE NL will not be performing a public task, or vested with authority under Dutch law or European law.
[17] As UBS Europe SE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.
[18] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).
[19] For the avoidance of doubt, we note however that the ECB MoU does not stipulate any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.
[20] Please refer to Assumptions 6 and 8 in Annex 2, as well as Article II and paragraph 49 of the ECB MoU.
[21] Please refer to Assumption 9 in Annex 2, as well as paragraph 56 of the ECB MoU.
[22] Recital 41 GDPR.
[23] Article II paragraph 27 of the ECB MoU.
[24] Dutch DPA, FAQ “Are you allowed to process personal data?”, (see <https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/algemene-informatie-avg/mag-u-persoonsgegevens-verwerken> reviewed on 10 September 2021) (only available in Dutch).
 
 
 
For the avoidance of doubt, the SEC will also not be able to rely on this legal basis, as their powers are not laid down in either Dutch law or European law.
 
1.6 Based upon the above, the legitimate interests legal basis for processing is likely to be the most appropriate Article 6 GDPR ground on which UBS ESE NL could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
1.7 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE NL might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US Person.[25] However, to the extent that this does occur, and such information is held by UBS ESE NL, in addition to an Article 6 GDPR legal basis, UBS ESE NL will need to establish an exemption under Article 9 GDPR (and its equivalent in Articles 22 to 33 Dutch GDPR Implementation Act) if it discloses special categories of data to the SEC, such as where it is necessary for the establishment, exercise or defence of legal claims. Other than valid consent,[26] the Article 9 GDPR exemption that is most likely to apply to disclosure of Covered Books and Records is “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity” (Article 9(2)(f) GDPR). Although the Dutch GDPR Implementation Act has included several other exemptions for processing special categories of personal data, none of these additional bases is likely to be available for disclosing special categories of personal data to the SEC by UBS ESE NL.
1.8 Similarly as set out for special categories of personal data, UBS ESE NL processing of personal data relating to criminal convictions and offences is highly restricted, and can only be disclosed when there is an exemption set out in Articles 32 or 33 Dutch GDPR Implementation Act applicable. The exemption most likely to apply to disclosure of Covered Books and Records is “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity” (Article 32(d) Dutch GDPR Implementation Act)[27]. Also, the Dutch GDPR Implementation Act has included several other exemptions for processing of personal data relating to criminal convictions and offences, however, none of these exemptions are likely to be available for disclosing personal data relating to criminal convictions and offences to the SEC by UBS ESE NL.
 
Data protection principles
1.9 In addition to establishing a legal basis for the disclosure, UBS ESE NL would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 GDPR. For example, UBS ESE NL must:
(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
[25] As we understand, is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
[26] Article 9(2)(a) GDPR; please also refer to limitations on the applicability of consent discussed in paragraph 3.9 of section 3: scope, assumptions and qualifications.
[27] See also Article 33 Dutch GDPR Implementation Act.
 
 
 
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE NL to verify this and implement its own compliance measures.
International transfers
1.11 The general principle in the GDPR is that UBS ESE NL may not transfer personal data to a jurisdiction outside the EEA, unless it can satisfy a condition for the transfer as set out in Chapter V GDPR.
 
1.12 Article 45 GDPR allows UBS ESE NL to transfer personal data to a recipient outside the EEA where the transfer is based on an adequacy decision of the European Commission. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[28] allows transfers of personal data from the EEA, including the Netherlands, to the UK to be made freely. Any transfer from UBS ESE NL to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).
1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE NL’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the UK addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR[29] and UK Data Protection Act 2018 is “in substance identical” to the transfer regime under the EU GDPR.[30] The primary options available to UBS AG London Branch pursuant to this EU GDPR restriction applicable to UBS ESE NL when disclosing UBS ESE NL’s Covered Books and Records to the SEC in the US are as follows:
 
(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available under EU GDPR for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE NL’s Covered Books and Records to the SEC. The derogations include:[31]
 
(i) Consent: In order for consent to be valid under the Data Protection Laws, it must satisfy the high standards of being a freely-given, specific, informed and unambiguous indication of wishes.[32]
 
(ii) Legitimate interests: Article 49 GDPR makes clear that reliance on the derogation based on a compelling legitimate interest, may only take place if (A) the transfer is not repetitive, (B) the transfer concerns only a limited number of data subjects, (C) the transfer is necessary for the purposes of compelling legitimate interests pursued by UBS ESE NL, (D) UBS ESE NL’s legitimate interests are not overridden by the interests of rights and freedoms of the individuals involved, (E) UBS ESE NL has assessed all the circumstances surrounding the data transfer, and (F) UBS ESE NL has, on the basis of that assessment provided suitable safeguards with regard to the protection of data. UBS ESE NL must also ensure it applies the ‘necessary’ test to ensure that only the personal data necessary for the SEC’s purposes is transferred.
UBS ESE NL should not rely on any of the derogations for making transfers on a large scale and/or in a systematic manner, and their use must be considered on a case-by-case basis for separate requests of the SEC, with UBS ESE NL keeping records of the transfers that evidence the careful analysis that led them to rely on that derogation.
[28] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.
[29] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.
[30] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
[31] These derogations should not be considered a blanket approval for UBS ESE NL to transfer data to the SEC under this basis.
[32] Please also refer to limitations on the applicability of consent discussed in paragraph 3.9 of section 3: scope assumptions and qualifications. Please note that valid consent is assumed in Assumption 5 of Annex 2.
 
1.14 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE NL effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
 
1.15 AFM or DNB route: In certain situations, for example where UBS ESE NL considers the transfer of data to UBS AG London Branch for the purpose of providing information to the SEC to be high risk, it may be possible to arrange for the disclosure to be made to the AFM or DNB, which could then transfer the data to the SEC in the US. However, we note that there is no administrative arrangement to govern the transfer of personal data between the two regulators and the SEC, that aims to comply with GDPR principles. As the AFM or DNB are able to rely on other derogations, such as the transfer is necessary for important reasons of public interest (which is not available to UBS ESE NL), this route may avoid UBS ESE NL being responsible for ensuring the international transfer was fully compliant with the GDPR.
2. DUTIES OF CONFIDENTIALITY UNDER DUTCH LAW
 
2.1 There is no bank secrecy obligation laid down in Dutch law with respect to data exchanged between a financial institution and a client. Therefore, UBS ESE NL is not limited in providing information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections from a Dutch financial regulatory law perspective. Further, Dutch law does not have a general blocking statute that prohibits UBS ESE NL from providing any data to the SEC.
 
2.2 Although there is no obligation laid down in Dutch law that prohibits UBS ESE NL from providing information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections, it follows from Dutch law that an action on the basis of a wrongful act (onrechtmatige daad) may be brought against UBS ESE NL, if the following requirements are met (article 6:162 Dutch Civil Code):
(a) there is a wrongful act. The following scenarios are deemed to be wrongful acts: (i) a violation of a right; (ii) an act or omission breaching a duty imposed by law or a rule; or (iii) an act or omission breaching unwritten law pertaining to proper social conduct;
(b) the wrongful act must be attributable (toerekenbaar) to the party who commits the wrongful act;
(c) the party against whom the wrongful act was committed suffers damages (schade);
(d) there is causality between the wrongful act committed and the damages suffered (causaliteit); and
(e) the violated standard, as set out under paragraph 2.2(a) above, serves to protect against the damages suffered by the party against whom the wrongful act was committed (relativiteit).
 
 
 
Whether such action succeeds depends highly on the circumstances at hand, and each disclosure of information should be assessed on a case-by-case basis. We believe however that the risk of such claim being honoured by a court is remote if the disclosure of personal data is allowed under the GDPR, and there is no applicable confidentiality condition applicable between UBS ESE NL and its client.[33]
 
2.3 UBS ESE NL should take into account the contractual terms agreed upon with its client or employers, under which UBS ESE NL could be prohibited from disclosing any information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections. We have assumed at Assumption 11 of Annex 2 that no such contractual terms exist.
3. PRIVACY AND HUMAN RIGHTS
3.1 Article 8 ECHR confers a general “right to respect for his private and family life, his home and his correspondence”. This right is directly applicable in the Netherlands.[34] The right to privacy clearly applies to natural persons. In certain situations legal persons, such as companies, have been held to benefit from a right to privacy in certain situations. The European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8 ECHR.[35]
 
3.2 Article 8 ECHR does not in itself give rise to a free-standing cause of action – instead an action arising from a wrongful act (onrechtmatige daad), a breach of agreement or other legal obligation, such as under the GDPR, must be brought, and the court will then be obliged to consider the application of Article 8 ECHR.
 
3.3 Article 8 ECHR is, as it were, the fundamental legal foundation on which the GDPR has been based. The GDPR elaborates on the applicable principles of and the rules on the protection of natural persons when it comes to processing of personal data.[36] The ECHR can further be relied upon when interpreting this GDPR law if necessary. The GDPR can therefore be seen as the regulation detailing the right laid down in Article 8 ECHR, when it comes to the processing of personal data. The GDPR and Article ECHR cannot be seen entirely separately from each other.
Application and exceptions
3.4 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:
(a) in accordance with the law;
This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is an act of parliament (wet in formele zin), delegated legislation or case law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[37] The relevant consideration on the first aspect is the legal basis on which the court would allow Article 8 ECHR to be breached. The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant legal duty with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.
 
 
[33] We refer to Assumption 13 as set out in Annex 2 regarding confidentiality conditions.
[34] Article 94 Dutch Constitution law.
[35] Firma EDV Für Sie, EFS Elecktronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.
[36] See also considerans (1) and (2) GDPR.
[37] Malone v UK [1984] ECHR 10 at 68.
 
 
 
(b) is necessary in a democratic society;
This criterion is intended to ensure the proportionality of an intrusion into private life. To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.[38] and
(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).
This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.
 
3.5 As the GDPR and Article 8 ECHR cannot be seen entirely separately from each other, and the provision of information to the SEC by UBS ESE NL will, insofar as this contains personal data, fall entirely within the scope of the GDPR, we consider that the criteria set out in paragraph 3.5 are met, as long as UBS ESE NL complies with the requirements set out in paragraphs 1.1 to 1.12 above.
[38] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934. As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
 
3. In relation to each disclosure of information, UBS ESE NL will assess each disclosure to the SEC on a case-by-case basis and will verify, for each disclosure of information based on the circumstances at hand, whether all requirements under Dutch law, including but not limited to the Data Protection Laws, are met.
 
4. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
5. UBS ESE NL or, as the case may be, UBS AG has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE NL, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
 
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
7. Similarly, UBS ESE NL will ensure that its disclosures are compliant with the data protection principles set out in Article 5 GDPR.[39] We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE NL can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the Dutch DPA) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[40]
 
8. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the GDPR (as described in paragraph 1.2 of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the Dutch DPA).[41]
[39] These principles are set out in Annex 1 at paragraph 1.9.
[40] See the SEC Guidance at 85 FR 6298.
 
9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[42] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
10. Any data held by UBS ESE NL that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE NL in the Netherlands. Whilst UBS ESE NL will be subject to direct On-Site Inspection by the SEC in the Netherlands, UBS ESE NL will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
11. No confidentiality condition which would restrict disclosure to the SEC is applicable in any contract between UBS ESE NL and the individual (either a legal entity or a natural person) whose information will be included in Covered Books and Records made available to the SEC or subject to On-Site Inspection by the SEC.
12. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)[43]).
13. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.
[41] See the SEC Guidance at 85 FR 6298.
[42] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
[43] Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 