LAST UPDATED: August 2024
Table of Contents
Introduction
Personal Data We Collect
Sensitive Information
Processing Activities and Legal Basis
Disclosure of Personal Data
Third Party Services
Security
Choices and Access
Retention Period
Use of Services by Minors
Jurisdiction and Cross-Border Transfer
Updates to This Privacy Notice
Contacting Us
Additional Information for Germany and France
Introduction
This privacy notice explains how Merrill Lynch International, Bank of America Europe Designated Activity Company, BofA
Securities Europe Société Anonyme, Bank of America N.A., Merrill Lynch Kingdom of Saudi Arabia Company and each other
affiliate or subsidiary (“affiliate”) of Bank of America Corporation which is established in the European Union, Switzerland, the
United Kingdom or the Kingdom of Saudi Arabia (“KSA”, each a “BofA EU/UK/Swiss/KSA Entity” or “we” or “our” or “us”),
collect, use or disclose personal data online and offline in connection with the services we provide to our corporate and
institutional clients as defined in the Processing Activities and Legal Basis section below. We refer to the individuals whose
personal data (as defined below) we process, such as individuals who work for or are otherwise engaged by, or interact with,
our corporate, institutional, and prospective clients, their affiliates or other third parties in connection with the services, as
“you” in this notice. This notice also explains how we collect, use, share and protect personal data from registrants for events
that these entities host. See relevant sections on event management and execution.
Personal Data We Collect
“Personal Data” is information that identifies an individual or relates to an identifiable individual. The table below contains a
list of the Personal Data we collect. In the table in the section Processing Activities and Legal Basis, we have associated the
categories of Personal Data we collect with the categories of our processing activities/processing purposes and relevant legal
bases. The Personal Data will not be subsequently processed in a manner inconsistent with the collection purpose.
| Categories of Personal Data | Description | Personal Data |
|---|---|---|
| Attendance Data | Confirmation of an individual's attendance at in-person or virtual events | Events attended |
| Biographies | Information pertaining to an individual’s work history, professional experience, languages spoken, and/or education | Job history, professional experience (including company names and titles), education (schools, degrees), languages spoken, photograph |
| Business Contact Data | An employee or customer's corporate contact information | Name, company, business address, business phone number, business email address |
| Place of Birth | Name of city and/or country of birth | Name of city and/or country of birth |
| Contact Details - Minors | Information pertaining to the contact information for a minor in relation to an event hosted by us | Name, relationship to attendee, dietary restrictions (if applicable) |
| Criminal Records | An individual's criminal records and/or convictions | Arrest records, arraignment details, behavior, criminal convictions |
| Date of Birth | An individual’s date of birth | Date of birth |
| Dietary Data | Information regarding a person's dietary requirements | Dietary requirements (Note: religion may be inferred from a person’s dietary requirements) |
| Disability Data | Information regarding a person’s disabilities required to accommodate special needs | Disability data |
| Gender | Information regarding a person's gender | Gender |
| Miscellaneous Data | Personal Data, as relevant to satisfy ad hoc regulatory, judicial, or law enforcement requests or obligations or as affirmatively provided by you in furtherance of the Services | Personal data, as defined by regulatory body, judiciary, or law enforcement or as otherwise affirmatively provided by you to us. |
| National Identifier | Information containing a person's country-specific National Identifier | Examples: European SSN, United Kingdom National Insurance Number, Ireland PPS numbers |
| Online Authentication Information | Information required to access an individual's personal account, online or through mobile applications | User ID, PIN/Password, IP address, challenge questions, device ID, mobile phone number |
| Online Identifier | A means of identifying an individual by associating informational traces an individual leaves when operating online | Cookies, pixel tags, web beacons, locally stored objects, unique device identifiers (for example Media Access Control (MAC) and Internet Protocol (IP) addresses), smart device information, mobile phone network information |
| Personal Contact Data | An individual’s personal contact information | Name, alias, home address, home/personal phone number, personal email address |
| Proof of Address | Information found on utility bills and/or financial statements | Utility bills, financial statements |
| Readership Data | Records of online interaction with material on online platforms to allow access and use of the content | Name, IP address, email address, viewer use data and statistics |
| Signature | Any symbol, character, sound or mark made by an individual with the intent to authenticate or authorize a transaction, agreement, or written or electronic document | eSignature, DocuSign, web signature, copy of written signature, ink signature |
| Unique Personal Identifier (Driver's License, Tax Identification Number) | Information containing a person's unique identifier for a driver's license or Individual Tax Identification Number | Driver's license number, ID issue date, ID expiration, Individual Tax Identification Number (“TIN”) |
| Visa, Passport, Nationality and Citizenship Data | Information containing a person's visa, passport, nationality and/or citizenship data | Visa, passport copy, nationality, citizenship |
Sensitive Information
We do not typically collect special categories of Personal Data as defined in the General Data Protection Regulation (“GDPR”),
the UK Data Protection Act (“DPA”), the Swiss Federal Act on Data Protection (“FADP”) and the Kingdom of Saudi Arabia
Personal Data Protection Law (“PDPL”) (e.g., information related to racial or ethnic origin, political opinions, religious or other
beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) (“Special Data”) in
connection with the Services. Please do not send us any Special Data through the Services or otherwise, unless we specifically
request this information from you or make a due diligence enquiry of you where the response necessitates you disclosing
Special Data to us. In such a case, please ensure you notify us that you are providing Special Data.
Event management and execution: At the time of registration, participants may tell us about disabilities that may require
accommodation, or special needs related to religious beliefs, and/or health characteristics, e.g., dietary requirements. This
information will be used only to the extent necessary to facilitate any disability or special accommodations. Similarly, certain
registration details may include Special Data (e.g., dietary restrictions may indicate a particular religious belief). Such Special
Data will be used only to facilitate event participation.
Processing Activities and Legal Basis
We need to collect and process Personal Data in order to provide the requested services, or because we are legally required
to do so. If we do not receive the information that we request, we may not be able to provide the requested services. The
below table contains an indicative summary of our activities which require the processing of your Personal Data, and the
associated legal basis. Unless otherwise stated, we collect Personal Data directly from the individual.
| Purpose | Reasons for Processing | Categories of Personal Data | Legal Basis (for EU/UK/Switzerland/KSA) |
|---|---|---|---|
| Anti-Money Laundering/Know-your-Customer Requirements | To comply with applicable AML/KYC laws and regulations, including identifying beneficial owners, conducting background checks, monitoring, and performing other checks to meet anti-terrorism financing legal requirements. As required by applicable laws, this may involve processing your political affiliations, criminal convictions or allegations of offenses. | Business Contact Data, Personal Contact Data, Date of Birth, Place of Birth, National Identifier, Visa, Passport, Nationality and Citizenship Data, Unique Personal Identifier (Driver's License, TIN), Signature, Proof of Address. Sensitive Personal Data: Criminal Records. Third Party Source: internet search providers and database providers specialized in intelligence used to verify and authenticate identities and intelligence on financial crimes | Legal obligations: See Appendix 2 - Key Statutes Example 1 |
| Account Opening | To obtain all enterprise and regulatory requirements for your onboarding, expansion of services and account maintenance. To obtain the necessary information to open accounts as required to enable your trading or other activities. | Personal Contact Data, Business Contact Data | Legitimate Interests: To capture and maintain accurate data for your accounts |
| Regulatory and Compliance Obligations | To comply with applicable laws and regulations (including any legal or regulatory guidance, codes or opinions). To comply with sanctions procedures and other legal process and law enforcement requirements including any internal policies which are based on, or reflecting, legal or regulatory guidance, codes or opinions. To comply with non-financial regulatory reporting requirements established by regulators, tax authorities and government bodies across jurisdictions. See Disclosure of Personal Data for additional information. | Personal Data as relevant for each specific regulatory and compliance obligation. | Legal Obligations: See Appendix 2 - Key Statutes. Legitimate Interests: To implement internal controls; To comply with reporting requirements of regulators, tax authorities and governmental bodies |
| Delivery of Global Banking and Global Markets Products and Services | To contact nominated individuals in connection with existing transactions and contractual agreements. To validate authorized signatories when executing agreements. To compile working group lists for communication purposes. To respond to your enquiries and fulfil requests and contractual obligations and to administer account(s). To circulate transaction documents to you, such as trade confirmations or relevant agreements, or in amending trade terms. To arrange virtual or in-person roadshows or meetings with investors. To authenticate your identity prior to granting access to certain websites, systems or accounts. To assist in detecting and preventing fraud, identity theft and other risks to you or us. | Business Contact Data, Online Authentication Information, Personal Contact Data, Online Identifier | Legitimate interests: To provide services; To authenticate individuals before giving access to systems or accounts; To allow for communications required in respect of the services we provide |
| Delivery of our Global Transactions Services | If you are a Global Transaction Services client or a majority-owned affiliate of such that receives or has access to one or more forms of deposit-taking services, account services, treasury services, payment services, trade finance services and/or, supply chain finance services and/or referral arrangements, we further process Personal Data: To administer those products or services in connection with fulfilling your instructions (e.g., Personal Data obtained through our relationship with you, the way you operate your accounts and/or services, such as the payments made to and from your accounts, services you ask us to provide to you, etc.). To perform our regulatory obligations, such as compliance with the Funds Transfer Regulation and the Payment Services Directive. | Personal Data of individuals related to or associated with you, our client (e.g., a beneficiary, counterparty, payee, employee, contractor, supplier etc.) such as their Personal Contact Data, Business Contact Data, Date of Birth, Place of Birth, National Identifiers, Gender, Nationality, Visa, Passport, Nationality and Citizenship Data, Online Identifier, Online Authentication Information | Legitimate Interests: For the purpose of, or as a result of, providing products and services to you or otherwise in connection with fulfilling your instructions; Where it is necessary in connection with any contract that you enter into with us (including prior to entering into such contract with us). Legal Obligations: See Appendix 2 - Key Statutes |
| Client Communications and Relationship Management | To directly communicate with you in order to help improve the products and services we provide, or in relation to a product or service in which you have expressed an interest, such as sharing of our case studies, capabilities materials, deal proposals, offers, market trends, insights, strategies and trade ideas. To handle your complaints. | Business Contact Data | Legitimate Interests: To provide information to and to communicate with you regarding the services we provide or in relation to other services/products in which you have expressed an interest; To handle any complaints in relation to the services we provide |
| Events Management and Execution | To register and confirm attendance at virtual or in-person events and conferences. To notify your organization about events for awareness, as part of our services to you. To facilitate event management, virtual or in-person. To facilitate special accommodations, including disabilities, dietary requirements or other special needs. | Business Contact Data, Signature, Personal Contact Data, Contact Data Minors, Attendance Data. Sensitive Personal Data: Dietary Data, Disability Data | Legitimate interest: To inform our internal event sponsor on attendance, and for gift ordering and entertainment booking; To accommodate requirements of events attendees whenever possible |
| Legal and Compliance | To fulfil our legal and compliance-related obligations. To enforce our terms and conditions. To protect our operations. To protect our rights, privacy, or our property. To allow us to pursue available legal remedies, defend claims and limit the damages that we may sustain. | Personal Data as relevant for each specific legal action, regulatory investigation, and/or other legal processes in question | Legal obligations: Such as complying with legal processes. Legitimate interests: Such as enforcing terms and conditions, protecting trademarks and bringing or defending legal claims. |
| Readership | To protect our Intellectual Property (IP). To understand readership levels and use. To fulfill our regulatory obligations. To provide quotations for and price consumption of our products and services. To ensure compliance with terms and conditions. | Readership Data including records of online interaction with research content and other materials to track access and use | Legal Obligation: Complying with regulatory obligations including MiFID II. Legitimate Interest: For the purpose of, or as a result of, providing and improving products and services to you or otherwise in connection with fulfilling your or your employer’s instructions; Where it is necessary in connection with any agreement that you or your employer enter into with us (including prior to entering into such agreement with us); To protect our intellectual property |
Cookies and Similar Technologies
We may collect personal information through the use of cookies and similar technologies. See our Cookie Policy for additional
details about cookies and tracking technologies including how you can manage cookies.
Disclosure of Personal Data
Personal Data may be disclosed to affiliates and third parties in connection with the Services we are providing. The recipients
of any such information will depend on the Services that are being provided. Subject to any restrictions around confidentiality
we have expressly agreed with you or other transaction parties, such disclosures may include disclosures made to categories
of third parties listed in the table below:
| | Personal Data | Purpose of processing your Personal Data | Destination Countries |
|---|---|---|---|
| Collaboration Software and Software Services providers who enable individuals and teams to work together over geographic distances by providing tools that aid communication, collaboration and the process of problem solving (includes appliances, maintenance and support | Business Contact Data | To service your accounts and share transaction documents with you | Globally where we have presence; Bank of America Locations |
| | Personal Data as relevant in each specific situation | To provide legal support in preparing transactional documents with you, in support of the services we provide to you, or in defending claims involving you | Globally where we have presence; Bank of America Locations |
| | Personal Data as relevant in each specific situation | To comply with regulatory requirements that obligate us to share your Personal Data | In jurisdictions where entities in Appendix 1 are subject to regulatory oversight and non-financial regulatory reporting requirements |
| us on tax rules and regulations, including legal analysis, technical calculations, form preparation, planning and controversy management associated with meeting our local and | Business Contact Data, Personal Contact Data, National Identifier, Date of Birth, Place of Birth, Visa, Passport, Nationality and Citizenship data | To comply with the Foreign Account Tax Compliance Act (“FATCA”) & Client Relationship Summary (“CRS”) related tax reporting requirements that obligate us to share your Personal Data | Globally where we have presence; Bank of America Locations |
| Service Providers who help us with the management of financial accounts and processes with tools and controls that support our organizational, operational, and legislative requirements (includes maintenance and support services.) | Business Contact Data | To help process invoices and statements to you on services we provided or transactions we conducted with you | Globally where we have presence; Bank of America Locations |
| Services providers who enable you to conduct transactions online and via mobile devices | Business Contact Data, Online Authentication Information, Online Identifier | If you are a client of Global Transaction Services, to authenticate you when you log into online portals, to access your account, to review and conduct your transactions | Belgium, Hong Kong, Netherlands, Switzerland, United States |
| arrangements to enable us to provide the Services to you | Your information relating to you or your accounts with us or your relationship with us as is necessary to enable us to provide you with the services | To allow our partner banks to process payments to or from individuals related to your account with us in places where we do not have a presence or we are unable to provide the relevant services | Denmark, Finland, Latvia, Norway, Sweden |
| vendors who provide software and software services to support our Global Banking and Global Markets businesses, including technology for Sales and Trading functions within Global Equities, Fixed Income Currency and Commodities, Global Research and technology for Credit, Cash Management, FX, Equipment Finance and Merchant Services | Business Contact Data | To send you service or transactional emails or communications, as applicable and appropriate. | United States, United Kingdom |
| Software Services Providers who automate and digitize our transaction documentation | Signature, Business Contact Data | To enable you to review and sign contracts with us electronically | United States |
| required by EU and UK regulators aimed to increase transparency on people with significant control or ownership of companies and | Personal Data as required by law, rules or regulations | If you are beneficial owners, to share your Personal Data to the extent required by the relevant Beneficial Owner Registries in the jurisdiction applicable to you | Belgium, France, Germany, Ireland, Italy, Sweden, United Kingdom |
| | Business Contact Data, Personal Contact Data, National Identifier, Date of Birth, Place of Birth, Visa, Passport, Nationality and Citizenship data | To share your Personal Data in order for us comply with FATCA, CRS and other tax-related reporting requirements | Belgium, France, Germany, Greece, Hong Kong, Ireland, Italy, Netherlands, Qatar, Spain, Switzerland, United Arab Emirates, United Kingdom, United States |
| sale or business transaction | Dependent on the specific sale or business transaction | We have a legitimate interest in disclosing or transferring your Personal Data to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). You will be notified of any such business transaction and of possible changes to the processing of your Personal Data in accordance with applicable law. | Dependent on the sale or business transaction |
| platforms, Transportation Companies, and Corporate Security | Business Contact Data, Personal Contact Data; Dietary and Disability Data | To assist with our events management and execution | Globally where we have presence; Bank of America Locations |
| Companies that provide digital tracking services (like cookies, tags, etc) and whose scripts we | IP Address | To improve technical and design features of our websites and platforms | USA, UK, EU, India |
| creation of the products or | Business Contact Data | To create and provide Research products and services | Philippines, Thailand |
Third Party Services
This Privacy Notice does not address, and we are not responsible for, the privacy information or other practices of any third
parties, including any third party operating any website or service to which the Services link. The inclusion of a link does not
imply endorsement of the linked site or service by us or by our affiliates.
Security
We seek to use reasonable organizational, technical and administrative measures to protect Personal Data within our
organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason
to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting
Us” section below.
Choices and Access
Receiving electronic communications from us
If you no longer wish to receive marketing-related emails from us in the future, you may opt-out by following the instructions
in the relevant electronic communication or contacting your relationship manager.
We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving
marketing-related emails from us, we may still send you important administrative and Service or transaction-related
messages, which you cannot opt out of.
Rights of individuals afforded to you
You may have certain rights under EU GDPR, UK DPA, Swiss FADP or KSA PDPL regarding your access to, information about, or
the processing of your personal data. These rights include, where permitted under applicable law and subject to certain
exceptions:
- The right to be informed, which means we tell you what personal data we process, why we process your personal data,
  and with which third parties we share your personal data;
- The right to access, which is your right to see the personal data that we have about you;
- The right to rectification, which is your right to have your personal data corrected or amended if it is incorrect;
- The right to erasure, which means you may request that we delete the personal data we have about you;
- The right to data portability, which is your right to ask for a copy of your personal data in a commonly-used
  machine-readable format;
- The right to object to further processing of your personal data in a manner that is inconsistent with the primary purpose
  of its initial collection; and
- The right to withdraw your consent if the processing of your personal data is based on your consent.
To learn more about how you can exercise your rights, where permitted under applicable law, please see the section below.
How individuals can access, change or suppress their Personal Data
If you would like to request to access, correct, update, suppress, restrict or delete Personal Data, object to or opt out of the
processing of Personal Data, withdraw your consent (which will not affect the lawfulness of processing prior to the
withdrawal) or if you would like to request to receive an electronic copy of your Personal Data for purposes of transmitting it
to another company (to the extent the right to data portability is provided to you by applicable law), you may contact us by
emailing: individua[email protected]. We will respond to your request consistent with applicable law.
In your request, please make clear what Personal Data you would like to have changed, whether you would like to have the
Personal Data suppressed from our database or otherwise let us know what limitations you would like to put on our use of
the Personal Data. For your protection, we may only implement requests with respect to the Personal Data associated with
the particular email address that you use to send us your request, and we may need to verify your identity before
implementing your request. We will try to comply with your request as soon as reasonably practicable.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions
that you began prior to requesting a change or deletion. There may also be residual information that will remain within our
databases and other records, which will not be removed.
You may lodge a complaint with a UK, Swiss or EU/EEA data protection authority for your country or region where you have
your habitual residence or place of work or where an alleged infringement of applicable data protection law occurs. A list of
data protection authorities for the EU is available at https://ec.europa.eu/newsroom/article29/items/612080. The Swiss data
protection authority is the Federal Data Protection and Information Commissioner and the UK data protection authority is the
Information Commissioner’s Office.
Retention Period
We will retain Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained. The
criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client
and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is
advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory
investigations).
The appropriate retention period is determined on a case-by-case basis and will depend upon the length of time we need to
keep your Personal Data for the purpose(s) for which it was collected. For instance, we may need to retain your Personal
Data to provide our client(s) with services, to comply with a legal obligation to which we are subject or in situations where
retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or
regulatory investigations). The retention period may vary between jurisdictions. For example, Personal Data processed for
the purposes of meeting our legal and regulatory obligations related to the prevention of money laundering and terrorist
financing (as described below) is retained for up to 20 years from the date it is received by the Bank or for up to 10 years from
the end date of the client relationship, depending on the jurisdiction.
For example:
- We are required to retain certain Personal Data to deliver services to our clients at least until the termination of the
  relationship, and sometimes for a period of time thereafter;
- We preserve your Personal Data where it is reasonably necessary for reasons related to a legal claim or complaint,
  where we are subject to a regulatory investigation or where we may need to defend ourselves in legal proceedings or
  respond to a regulator or to respond to a valid legal request, such as a preservation order, subpoena or search
  warrant;
- We keep information collected using Cookies in accordance with the Cookie Policy;
- We are required to retain certain Personal Data in order to meet our legal and regulatory obligations related to the
  prevention of money laundering and terrorist financing, and this information is retained in accordance with
  applicable money laundering laws including the 5th Anti-money Laundering Directive (Directive (EU) 2018/843) and
  implementing UK and EU member state laws;
- We are required to retain information regarding payments in accordance with the Payment Services (PSD 2) Directive
  (EU) 2015/2366 and applicable implementing UK and EU member state laws;
- We are required to retain information regarding funds transfers under Regulation (EU) 2015/847 of the European
  Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing
  Regulation (EC) No 1781/2006 (the ‘Funds Transfer Regulation’);
- We are required to retain information regarding all services, activities and transactions that our in-scope entities
  undertake under the Markets in Financial Instruments Directive (2014/65/EU) (‘MiFID II’) and applicable
  implementing EU member state laws, and the Markets in Financial Instruments Regulation (EU) No 600/2014
  (‘MIFIR’), and related acts and regulations, together with provisions of UK domestic law or regulation which
  implement, adopt or set out provisions substantially similar to MiFID II/MIFIR (as each of the foregoing may be
  amended from time to time). Such information includes recording of telephone conversations or electronic
  communications relating to, at least, transactions concluded when dealing on own account and providing client order
  services that relate to the reception, transmission and execution of client orders.
Use of Services by Minors
The Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect Personal Data
from individuals under 18.
Individuals may submit Personal Data about their minor children or legal wards in relation to attendance at or participation in
an event. Individual parents or guardians must have the legal authority to disclose such Personal Data to us and make
decisions related to processing of such Personal Data in connection with the event. This Personal Data of minors will only be
used for event registration and participation purposes.
Jurisdiction and Cross-Border Transfer
Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers,
including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security
authorities in those other countries may be entitled to access Personal Data.
If you are located in the European Economic Area (EEA): Some non-EEA countries are recognized by the European Commission
as providing an adequate level of data protection according to EEA standards. These countries are Andorra, Argentina, Canada
(commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea,
Switzerland, Uruguay and the United Kingdom.
If you are located in the United Kingdom: the countries recognized by the UK as adequate are all the countries in the EEA,
including the EU institutions as well as Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey,
Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Gibraltar and Uruguay.
If you are located in Switzerland: The countries recognized by Switzerland as adequate are Andorra, Argentina, Austria,
Belgium, Bulgaria, Canada (commercial organizations only), Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faroe Islands,
Finland, France, Germany, Gibraltar, Greece, Guernsey, Hungary, Iceland, Ireland, Isle of Man, Israel, Italy, Jersey, Latvia,
Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, New Zealand, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Sweden, United Kingdom, Uruguay.
For transfers from the UK, Switzerland, the EEA and KSA to countries not considered adequate by the European
Commission, UK, or Switzerland, we have put in place adequate measures, such as standard contractual clauses adopted by
the European Commission, Switzerland, UK, and KSA to protect Personal Data.
Given the global nature of the Company’s activities, the Company may transfer your Personal Data to countries located outside
of the EEA, UK, Switzerland or KSA. Some of these countries are recognized by the European Commission as providing an
adequate level of protection according to EEA standards (the full list of these countries is available within the European
Commission site). With regard to transfers from the EEA, UK, Switzerland or KSA to other countries, we have put in place
adequate measures, such as standard contractual clauses adopted by the European Commission to protect your information.
Employees and Contractors in the EEA may obtain a copy of these measures by using the European Commission site
here: https://commission.europa.eu/index_en
Updates to This Privacy Notice
We may change this Privacy Notice, including the list of BofA EU/UK/Swiss/KSA Entities, from time to time. The “LAST
UPDATED” legend at the top of this Privacy Notice indicates when this Privacy Notice was last revised. Any changes will
become effective when we post the revised Privacy Notice. Use of the Services following these changes (or your continued
provision of Personal Data to us) signifies acceptance of the revised Privacy Notice.
Contacting Us
The BofA EU/UK/Swiss/KSA Entity who provides the Services in connection with which your Personal Data has been provided
is the company responsible for collection, use and disclosure of your Personal Data under this Privacy Notice.
If you do not know which BofA EU/UK/Swiss/KSA Entity is responsible for those Services or you have any questions about this
Privacy Notice, please contact your Client Relationship Manager. You may also contact our Data Protection Officer for EU/UK
Swiss/KSA at
You can also find contact details for our Affiliates by following this link:
https://business.bofa.com/content/boaml/en_us/contactus.html
To help us to manage your query, please include your full name and the name of the BofA EU/UK/Swiss/KSA Entity you
understand is processing your Personal Data and/or any reference number that was made available by a BofA
EU/UK/Swiss/KSA Entity to you.
Additional Information for Germany
For enquiries about your Personal Data processed or controlled by Bank of America N.A. Frankfurt branch or Bank of America
Europe Designated Activity Company, Zweigniederlassung Frankfurt am Main or to exercise rights granted by the Federal Data
Protection Act, you can also contact the Data Protection Officer at Taunusanlage 9-10, 60329 Frankfurt am Main, directly at
datenschutzbamlfrankfur[email protected] or by telephone on +49 69 5899 5028.
Additional Information for France
Under French law, in addition to the above, individuals shall have the right to set guidelines regarding the retention, erasure
and disclosure of their Personal Data after their death. Such right can be exercised by contacting us as set out in the ‘Choices
and Access’ section above.
Appendix 1 BofA EU/UK/Swiss/KSA Entities
(a)
1. BAL Global Finance (Deutschland) GmbH
2. BAL Global Finance (UK) Limited
3. Banc of America Leasing Ireland Co., Limited.
4. BofA Securities Europe Société Anonyme
5. BofA Europe Designated Activity Company
6. Bank of America, National Association - London Branch
7. Merrill Lynch International
8. BofA Europe Designated Activity Company, Zurich Branch
9. Merrill Lynch Kingdom of Saudi Arabia Company
(a) Including all branches of EU, Swiss or UK established BofA entities and all EU, Swiss or United Kingdom branches of
Bank of America, National Association.
Appendix 2 – Examples of Key Statutes related to Legal Obligations as Legal Basis
Compliance with applicable laws, rules and regulations for which the Bank is in scope, including the following
examples of key statutes (and in relation to legislation including any successor legislation from time to time as amended,
extended, re-enacted or supplemented from time to time and as implemented or otherwise given effect in the relevant Member
State of the European Economic Area or the United Kingdom from time to time, including such legislation as it forms part of
domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018):
Purpose: Anti-Money Laundering/Know-Your Customer Requirements
Example of Processing Activities:
    Recording of personal information including Business Contact Data, Personal Contact Data, Date of Birth, Place of
    Birth, National Identifier, Visa, Passport, Nationality and Citizenship Data, Unique Personal Identifier (Driver's
    License, TIN), Signature, Proof of Address
    Criminal Records Review
    Politically Exposed Person Review
    Negative News Review
Key Statutes:
    2018/843 Anti-money Laundering

Purpose: Legal & Compliance Regulatory & Compliance Obligations
Example of Processing Activities:
    As required by regulators including client’s employee business contact information
Key Statutes:
    2004/39/EC Markets in Financial Instruments
    Regulation No 596/2014 Market Abuse
    Regulatory Technical Standards of the European Supervisory Authority
    Directive 2002/47/EC on financial collateral arrangements
    Financial Collateral Arrangements (No 2) Regulations 2003 (S.I. 2003/3226)
    Applicable opinions and guidelines of applicable regulators (e.g., the opinion of the European Banking Authority of
    18 February 2021 on supervisory actions to ensure the removal of obstacles to account access under PSD2, and EBA
    Guidelines of 25 February 2019 on outsourcing arrangements, etc.)
    Applicable rules of applicable payments and clearing schemes (e.g., SEPA Instant Credit Transfer Rulebook, SEPA
    Core Direct Debit Scheme Rulebook, SEPA Business to Business Direct Debit Scheme Rulebook)

Purpose: Delivery of Global Transaction Services
Example of Processing Activities:
    Personal Data such as Personal Contact Data, Business Contact Data, Date of Birth, Place of Birth, National
    Identifiers, Gender, Nationality, Visa, Passport, Nationality and Citizenship Data, Online Identifier, Online
    Authentication Information
Key Statutes:
    Directive 2015/2366/EU Payment Services Directive
    Regulation 2021/1230 Cross Border Payments
    Regulation 2019/410 European Banking Authority
    Regulation No 2015/847 Accompanying transfers of funds and repealing regulation EC no 1781/2006
    Regulation EU No 260/2012 Establishes technical and business requirements for credit transfers and direct debits in
    euro and amending Regulation
    Payment Services Regulations 2017